Update manual pages

Bump up version number to 1.24.0
Update AUTHORS
2025-12-07 02:28:53 +08:00 · 2017-07-02 13:40:21 +09:00 · 2017-07-02 13:37:53 +09:00 · 2017-07-02 13:31:47 +09:00 · 2017-06-28 21:36:13 +09:00 · 2017-06-28 01:01:39 +09:00
16 changed files with 96 additions and 47 deletions
--- a/2
+++ b/2
@@ -25,6 +25,7 @@ Angus Gratton
 Ant Bryan
 Benedikt Christoph Wolters
 Benedikt Christoph Wolters
+Benjamin Peterson
 Bernard Spil
 Bernard Spil
 Brian Card
@@ -67,6 +68,7 @@ Remo E
 Reza Tavakoli
 Ross Smith II
 Scott Mitchell
+Simone Basso
 Soham Sinha
 Stefan Eissing
 Stephen Ludin
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -24,7 +24,7 @@

 cmake_minimum_required(VERSION 3.0)
 # XXX using 1.8.90 instead of 1.9.0-DEV
-project(nghttp2 VERSION 1.23.0)
+project(nghttp2 VERSION 1.24.0)

 # See versioning rule:
 #  http://www.gnu.org/software/libtool/manual/html_node/Updating-version-info.html
--- a/README.rst
+++ b/README.rst
@@ -157,7 +157,7 @@ minimizes the risk of private key leakage when serious bug like
 Heartbleed is exploited.  The neverbleed is disabled by default.  To
 enable it, use ``--with-neverbleed`` configure option.

-In ordre to compile the source code, gcc >= 4.8.3 or clang >= 3.4 is
+In order to compile the source code, gcc >= 4.8.3 or clang >= 3.4 is
 required.

 .. note::
--- a/configure.ac
+++ b/configure.ac
@@ -25,7 +25,7 @@ dnl Do not change user variables!
 dnl http://www.gnu.org/software/automake/manual/html_node/Flag-Variables-Ordering.html

 AC_PREREQ(2.61)
-AC_INIT([nghttp2], [1.23.0], [t-tujikawa@users.sourceforge.net])
+AC_INIT([nghttp2], [1.24.0], [t-tujikawa@users.sourceforge.net])
 AC_CONFIG_AUX_DIR([.])
 AC_CONFIG_MACRO_DIR([m4])
 AC_CONFIG_HEADERS([config.h])
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -267,7 +267,7 @@ apiref.rst: \
 $(APIDOCS): apiref.rst

 clean-local:
-	[ $(srcdir) = $(builddir) ] || for i in $(RST_FILES); do [ -e $(builddir)/$$i ] && rm -f $(builddir)/$$i; done
+	if [ $(srcdir) != $(builddir) ]; then for i in $(RST_FILES); do rm -f $(builddir)/$$i; done fi
 	-rm -f apiref.rst
 	-rm -f $(APIDOCS)
 	-rm -rf $(BUILDDIR)/*
--- a/doc/h2load.1
+++ b/doc/h2load.1
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "H2LOAD" "1" "May 26, 2017" "1.23.0" "nghttp2"
+.TH "H2LOAD" "1" "Jul 02, 2017" "1.24.0" "nghttp2"
 .SH NAME
 h2load \- HTTP/2 benchmarking tool
 .
--- a/doc/nghttp.1
+++ b/doc/nghttp.1
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "NGHTTP" "1" "May 26, 2017" "1.23.0" "nghttp2"
+.TH "NGHTTP" "1" "Jul 02, 2017" "1.24.0" "nghttp2"
 .SH NAME
 nghttp \- HTTP/2 client
 .
--- a/doc/nghttpd.1
+++ b/doc/nghttpd.1
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "NGHTTPD" "1" "May 26, 2017" "1.23.0" "nghttp2"
+.TH "NGHTTPD" "1" "Jul 02, 2017" "1.24.0" "nghttp2"
 .SH NAME
 nghttpd \- HTTP/2 server
 .
--- a/doc/nghttpx.1
+++ b/doc/nghttpx.1
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "NGHTTPX" "1" "May 26, 2017" "1.23.0" "nghttp2"
+.TH "NGHTTPX" "1" "Jul 02, 2017" "1.24.0" "nghttp2"
 .SH NAME
 nghttpx \- HTTP/2 proxy
 .
@@ -604,11 +604,14 @@ enabled for backend connections.
 .INDENT 0.0
 .TP
 .B \-\-cacert=<PATH>
-Set path to trusted CA  certificate file used in backend
-TLS connections.   The file must  be in PEM  format.  It
-can  contain  multiple   certificates.   If  the  linked
-OpenSSL is configured to  load system wide certificates,
-they are loaded at startup regardless of this option.
+Set path to trusted CA  certificate file.  It is used in
+backend  TLS connections  to verify  peer\(aqs certificate.
+It is also used to  verify OCSP response from the script
+set by \fI\%\-\-fetch\-ocsp\-response\-file\fP\&.  The  file must be in
+PEM format.   It can contain multiple  certificates.  If
+the  linked OpenSSL  is configured  to load  system wide
+certificates, they  are loaded at startup  regardless of
+this option.
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -691,10 +694,14 @@ done in  case\-insensitive manner.  The  versions between
 \fI\%\-\-tls\-min\-proto\-version\fP and  \fI\%\-\-tls\-max\-proto\-version\fP are
 enabled.  If the protocol list advertised by client does
 not  overlap  this range,  you  will  receive the  error
-message "unknown protocol".  The available versions are:
+message "unknown protocol".  If a protocol version lower
+than TLSv1.2 is specified, make sure that the compatible
+ciphers are  included in \fI\%\-\-ciphers\fP option.   The default
+cipher  list  only   includes  ciphers  compatible  with
+TLSv1.2 or above.  The available versions are:
 TLSv1.2, TLSv1.1, and TLSv1.0
 .sp
-Default: \fBTLSv1.1\fP
+Default: \fBTLSv1.2\fP
 .UNINDENT
 .INDENT 0.0
 .TP
--- a/doc/nghttpx.1.rst
+++ b/doc/nghttpx.1.rst
@@ -558,11 +558,14 @@ SSL/TLS

 .. option:: --cacert=<PATH>

-    Set path to trusted CA  certificate file used in backend
-    TLS connections.   The file must  be in PEM  format.  It
-    can  contain  multiple   certificates.   If  the  linked
-    OpenSSL is configured to  load system wide certificates,
-    they are loaded at startup regardless of this option.
+    Set path to trusted CA  certificate file.  It is used in
+    backend  TLS connections  to verify  peer's certificate.
+    It is also used to  verify OCSP response from the script
+    set by :option:`--fetch-ocsp-response-file`\.  The  file must be in
+    PEM format.   It can contain multiple  certificates.  If
+    the  linked OpenSSL  is configured  to load  system wide
+    certificates, they  are loaded at startup  regardless of
+    this option.

 .. option:: --private-key-passwd-file=<PATH>

@@ -636,10 +639,14 @@ SSL/TLS
    :option:`--tls-min-proto-version` and  :option:`\--tls-max-proto-version` are
    enabled.  If the protocol list advertised by client does
    not  overlap  this range,  you  will  receive the  error
-    message "unknown protocol".  The available versions are:
+    message "unknown protocol".  If a protocol version lower
+    than TLSv1.2 is specified, make sure that the compatible
+    ciphers are  included in :option:`--ciphers` option.   The default
+    cipher  list  only   includes  ciphers  compatible  with
+    TLSv1.2 or above.  The available versions are:
    TLSv1.2, TLSv1.1, and TLSv1.0

-    Default: ``TLSv1.1``
+    Default: ``TLSv1.2``

 .. option:: --tls-max-proto-version=<VER>

--- a/doc/sources/nghttpx-howto.rst
+++ b/doc/sources/nghttpx-howto.rst
@@ -297,13 +297,31 @@ When you write this option in command-line, you should enclose
 argument with single or double quotes, since the character ``;`` has a
 special meaning in shell.

-To route, request to request path whose prefix is ``/foo`` to backend
-server ``[::1]:8080``, you can write like so:
+To route, request to request path ``/foo`` to backend server
+``[::1]:8080``, you can write like so:

 .. code-block:: text

   backend=::1,8080;/foo

+If the last character of path pattern is ``/``, all request paths
+which start with that pattern match:
+
+.. code-block:: text
+
+   backend=::1,8080;/bar/
+
+The request path ``/bar/buzz`` matches the ``/bar/``.
+
+You can use ``*`` at the end of the path pattern to make it wildcard
+pattern.  ``*`` must match at least one character:
+
+.. code-block:: text
+
+   backend=::1,8080;/sample*
+
+The request path ``/sample1/foo`` matches the ``/sample*`` pattern.
+
 Of course, you can specify both host and request path at the same
 time:

--- a/lib/includes/nghttp2/nghttp2.h
+++ b/lib/includes/nghttp2/nghttp2.h
@@ -3809,9 +3809,8 @@ nghttp2_submit_response(nghttp2_session *session, int32_t stream_id,
 * Submits trailer fields HEADERS against the stream |stream_id|.
 *
 * The |nva| is an array of name/value pair :type:`nghttp2_nv` with
- * |nvlen| elements.  The application is responsible not to include
- * pseudo-header fields (header field whose name starts with ":") in
- * |nva|.
+ * |nvlen| elements.  The application must not include pseudo-header
+ * fields (headers whose names starts with ":") in |nva|.
 *
 * This function creates copies of all name/value pairs in |nva|.  It
 * also lower-cases all names in |nva|.  The order of elements in
--- a/src/nghttp.cc
+++ b/src/nghttp.cc
@@ -404,17 +404,10 @@ int htp_msg_begincb(http_parser *htp) {
 }
 } // namespace

-namespace {
-int htp_statuscb(http_parser *htp, const char *at, size_t length) {
-  auto client = static_cast<HttpClient *>(htp->data);
-  client->upgrade_response_status_code = htp->status_code;
-  return 0;
-}
-} // namespace
-
 namespace {
 int htp_msg_completecb(http_parser *htp) {
  auto client = static_cast<HttpClient *>(htp->data);
+  client->upgrade_response_status_code = htp->status_code;
  client->upgrade_response_complete = true;
  return 0;
 }
@@ -424,7 +417,7 @@ namespace {
 constexpr http_parser_settings htp_hooks = {
    htp_msg_begincb,   // http_cb      on_message_begin;
    nullptr,           // http_data_cb on_url;
-    htp_statuscb,      // http_data_cb on_status;
+    nullptr,           // http_data_cb on_status;
    nullptr,           // http_data_cb on_header_field;
    nullptr,           // http_data_cb on_header_value;
    nullptr,           // http_cb      on_headers_complete;
--- a/src/shrpx.cc
+++ b/src/shrpx.cc
@@ -1392,7 +1392,7 @@ constexpr auto DEFAULT_NPN_LIST = StringRef::from_lit("h2,h2-16,h2-14,"
 } // namespace

 namespace {
-constexpr auto DEFAULT_TLS_MIN_PROTO_VERSION = StringRef::from_lit("TLSv1.1");
+constexpr auto DEFAULT_TLS_MIN_PROTO_VERSION = StringRef::from_lit("TLSv1.2");
 #ifdef TLS1_3_VERSION
 constexpr auto DEFAULT_TLS_MAX_PROTO_VERSION = StringRef::from_lit("TLSv1.3");
 #else  // !TLS1_3_VERSION
@@ -2071,11 +2071,14 @@ SSL/TLS:
              Don't  verify backend  server's  certificate  if TLS  is
              enabled for backend connections.
  --cacert=<PATH>
-              Set path to trusted CA  certificate file used in backend
-              TLS connections.   The file must  be in PEM  format.  It
-              can  contain  multiple   certificates.   If  the  linked
-              OpenSSL is configured to  load system wide certificates,
-              they are loaded at startup regardless of this option.
+              Set path to trusted CA  certificate file.  It is used in
+              backend  TLS connections  to verify  peer's certificate.
+              It is also used to  verify OCSP response from the script
+              set by --fetch-ocsp-response-file.  The  file must be in
+              PEM format.   It can contain multiple  certificates.  If
+              the  linked OpenSSL  is configured  to load  system wide
+              certificates, they  are loaded at startup  regardless of
+              this option.
  --private-key-passwd-file=<PATH>
              Path  to file  that contains  password for  the server's
              private key.   If none is  given and the private  key is
@@ -2131,7 +2134,11 @@ SSL/TLS:
              --tls-min-proto-version and  --tls-max-proto-version are
              enabled.  If the protocol list advertised by client does
              not  overlap  this range,  you  will  receive the  error
-              message "unknown protocol".  The available versions are:
+              message "unknown protocol".  If a protocol version lower
+              than TLSv1.2 is specified, make sure that the compatible
+              ciphers are  included in --ciphers option.   The default
+              cipher  list  only   includes  ciphers  compatible  with
+              TLSv1.2 or above.  The available versions are:
              )"
 #ifdef TLS1_3_VERSION
                             "TLSv1.3, "
--- a/src/shrpx_http2_downstream_connection.cc
+++ b/src/shrpx_http2_downstream_connection.cc
@@ -201,9 +201,7 @@ ssize_t http2_data_read_callback(nghttp2_session *session, int32_t stream_id,
    if (!trailers.empty()) {
      std::vector<nghttp2_nv> nva;
      nva.reserve(trailers.size());
-      // We cannot use nocopy version, since nva may be touched after
-      // Downstream object is deleted.
-      http2::copy_headers_to_nva(nva, trailers, http2::HDOP_STRIP_ALL);
+      http2::copy_headers_to_nva_nocopy(nva, trailers, http2::HDOP_STRIP_ALL);
      if (!nva.empty()) {
        rv = nghttp2_submit_trailer(session, stream_id, nva.data(), nva.size());
        if (rv != 0) {
--- a/src/shrpx_tls.cc
+++ b/src/shrpx_tls.cc
@@ -829,6 +829,22 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
  }

  SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
+
+  if (SSL_CTX_set_default_verify_paths(ssl_ctx) != 1) {
+    LOG(WARN) << "Could not load system trusted ca certificates: "
+              << ERR_error_string(ERR_get_error(), nullptr);
+  }
+
+  if (!tlsconf.cacert.empty()) {
+    if (SSL_CTX_load_verify_locations(ssl_ctx, tlsconf.cacert.c_str(),
+                                      nullptr) != 1) {
+      LOG(FATAL) << "Could not load trusted ca certificates from "
+                 << tlsconf.cacert << ": "
+                 << ERR_error_string(ERR_get_error(), nullptr);
+      DIE();
+    }
+  }
+
  if (!tlsconf.private_key_passwd.empty()) {
    SSL_CTX_set_default_passwd_cb(ssl_ctx, ssl_pem_passwd_cb);
    SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, config);
@@ -1844,9 +1860,11 @@ int verify_ocsp_response(SSL_CTX *ssl_ctx, const uint8_t *ocsp_resp,
  }
  auto bs_deleter = defer(OCSP_BASICRESP_free, bs);

+  auto store = SSL_CTX_get_cert_store(ssl_ctx);
+
  ERR_clear_error();

-  rv = OCSP_basic_verify(bs, chain_certs, nullptr, OCSP_TRUSTOTHER);
+  rv = OCSP_basic_verify(bs, chain_certs, store, 0);

  if (rv != 1) {
    LOG(ERROR) << "OCSP_basic_verify failed: "
Author	SHA1	Message	Date
Tatsuhiro Tsujikawa	3bcc416e13	Update manual pages	2017-07-02 13:40:21 +09:00
Tatsuhiro Tsujikawa	65837806f5	Bump up version number to 1.24.0	2017-07-02 13:37:53 +09:00
Tatsuhiro Tsujikawa	b0772dcc66	Update AUTHORS	2017-07-02 13:31:47 +09:00
Tatsuhiro Tsujikawa	c6d65aad3b	Merge branch 'nghttp-not-upgrade-without-reason-phrase'	2017-06-28 21:36:13 +09:00
Tatsuhiro Tsujikawa	18dd20ce55	nghttp: Fix bug that upgrade fails if reason-phrase is missing	2017-06-28 01:01:39 +09:00
Tatsuhiro Tsujikawa	0f6d76a501	Merge pull request #947 from bassosimone/patch-1 README.rst: fix typo	2017-06-23 00:33:00 +09:00
Simone Basso	0f1320109f	README.rst: fix typo	2017-06-22 17:03:05 +02:00
Tatsuhiro Tsujikawa	defa28c618	Merge pull request #945 from benjaminp/trailer-grammar fix up grammar in submit_trailer docs	2017-06-20 00:35:46 +09:00
Benjamin Peterson	b7c95be47c	fix up grammar in submit_trailer docs	2017-06-18 23:55:53 -07:00
Tatsuhiro Tsujikawa	a18d154e0e	Merge pull request #943 from nghttp2/nghttpx-verify-ocsp-resp-with-cacerts nghttpx: Verify OCSP response using trusted CA certificates	2017-06-15 20:56:44 +09:00
Tatsuhiro Tsujikawa	52195a12ee	Merge pull request #941 from nghttp2/nghttpx-tls-min-proto nghttpx: Set default minimum TLS version to TLSv1.2	2017-06-13 23:01:54 +09:00
Tatsuhiro Tsujikawa	59c78d5809	nghttpx: Verify OCSP response using trusted CA certificates	2017-06-13 23:00:26 +09:00
Tatsuhiro Tsujikawa	be164fc8f9	nghttpx: Set default minimum TLS version to TLSv1.2 Previously, the default minimum TLS version was TLSv1.1, but the default cipher list didn't include any compatible ciphers with it. This made handshake fail if TLSv1.1 was negotiated because there was no shared ciphers. To make the default settings consistent, the default minimum TLS version is now TLSv1.2.	2017-06-12 23:54:12 +09:00
Tatsuhiro Tsujikawa	5833ef1efc	Merge pull request #938 from benjaminp/fix-clean fix cleaning in out-of-tree builds	2017-06-12 00:21:10 +09:00
Benjamin Peterson	28f88d46f3	fix cleaning in out-of-tree builds The altered previously failed if the rst sources hadn't been copied over.	2017-06-11 00:03:36 -07:00
Tatsuhiro Tsujikawa	6ec7683991	nghttpx: Use nocopy version to send trailer headers to backend It looks like we can use nocopy version here. We use nocopy version in frontend in day 1.	2017-06-02 22:38:39 +09:00
Tatsuhiro Tsujikawa	fb2d8f79d6	Update doc	2017-06-02 22:22:44 +09:00
Tatsuhiro Tsujikawa	8f7fa1b1bf	nghttpx: Fix crash in OCSP response verification	2017-05-30 23:52:38 +09:00
Tatsuhiro Tsujikawa	e5889ce622	Bump up version number to 1.24.0-DEV	2017-05-26 23:07:50 +09:00