ngtcp2 1.24.0 rpms released

ngtcp2 1.24.0 rpms released and added to all supported platforms.

Major changes:

– crypto: Add openssl libs to cryptotest by @tatsuhiro-t
– Add --disable-crypto configure option by @tatsuhiro-t
– crypto: Add ngtcp2_crypto_ossl_free by @tatsuhiro-t
– examples: Avoid the deprecated nghttp3 APIs by @tatsuhiro-t
– lib: Add recv_stop_sending callback by @pimterry
– lib: Add ngtcp2_conn_set_max_stream_data_thresh by @tatsuhiro-t
– lib: Tweak ngtcp2_conn_set_max_stream_data_thresh by @tatsuhiro-t
– Remove max stream data thresh by @tatsuhiro-t
– Rewrite window filter from scratch by @tatsuhiro-t
– lib: Tweak app-limited detection by @tatsuhiro-t
– build(deps): bump actions/checkout from 6 to 7 by @dependabotbot
– lib: Simplify app-limited conditions by @tatsuhiro-t
– Bump openssl to v4.0.1 by @tatsuhiro-t
– Bump boringssl by @tatsuhiro-t
– Bump aws-lc to v5.1.0 by @tatsuhiro-t
– Bump picotls by @tatsuhiro-t
– Bump wolfssl to v5.9.2-stable by @tatsuhiro-t

The ngtcp2 library stack is built with OpenSSL 4.0.1. The QUIC client binary is named osslclient.

nghttp3 1.17.0 rpms released

nghttp3 1.17.0 rpms released and added to all supported platforms.

Major changes:

– lib: Add nghttp3_downcase_byte by @tatsuhiro-t
– lib: Fix header name validation by @tatsuhiro-t
– lib: Reformat downcase table by @tatsuhiro-t
– Add nghttp3_conn_stream_flushed by @tatsuhiro-t
– lib: Take into account non-DATA frame in nghttp3_conn_is_stream_flushed by @tatsuhiro-t
– Update scripts by @tatsuhiro-t
– Reformat huffman data tables by @tatsuhiro-t
– Update doc by @tatsuhiro-t
– lib: Treat non-existent stream flushed by @tatsuhiro-t
– Bump sfparse by @tatsuhiro-t
– lib: Add the public API to encode and decode variable-length integer by @tatsuhiro-t
– build(deps): bump actions/checkout from 6 to 7 by @dependabotbot
– Add missing version-added by @tatsuhiro-t

NGINX 1.30.3 Stable with Brotli, TLS 1.3, OpenSSL 4.0.1, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9/EL10

nginx 1.30.3 Stable, with fixes for a buffer overflow vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module (CVE-2026-42055) and a buffer overread vulnerability in the ngx_http_charset_module (CVE-2026-48142), has been added to the EL7, EL8, EL9 and EL10 repositories. The Brotli compression module from Google, http2, ngx_cache_purge and ngx_http_geoip2 modules are built in. OpenSSL is linked dynamically using official OpenSSL 4.0.1 with QUIC support.

Major changes:

  • Security: a heap memory buffer overflow might occur in a worker
  • Security: a heap memory buffer overread might occur in a worker

NGINX 1.31.2 Mainline with Brotli, TLS 1.3, OpenSSL 4.0.1, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9/EL10

nginx 1.31.2 Mainline, with fixes for a buffer overflow vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module (CVE-2026-42055) and a buffer overread vulnerability in the ngx_http_charset_module (CVE-2026-48142), has been added to the EL7, EL8, EL9 and EL10 repositories. The Brotli compression module from Google, http2, ngx_cache_purge and ngx_http_geoip2 modules are built in. OpenSSL is linked dynamically using official OpenSSL 4.0.1 with QUIC support.

Major changes:

  • Security: use-after-free might occur when using HTTP/3 and processing
  • Security: a heap memory buffer overflow might occur in a worker
  • Security: a heap memory buffer overread might occur in a worker
  • Change: now the $request_id variable uses SipHash-2-4.
  • Feature: the $ssl_sigalgs variable.
  • Bugfix: a variable defined by the “split_clients” directive might be constant time “secure_link” hash comparison.

openssl 4.0.1 rpms released

openssl 4.0.1 rpms released and added to all supported platforms (Alma Linux, Rocky Linux, Red Hat Enterprise Linux (RHEL), Oracle Linux).

Major changes:

OpenSSL 4.0.1 is a security patch release. The most severe CVE fixed in this release is rated High. This release incorporates the following bug fixes and mitigations:

– Fixed heap use-after-free in `PKCS7_verify()`.
– Fixed CMS `AuthEnvelopedData` processing may accept forged messages.
– Fixed unbounded memory growth in the QUIC `PATH_CHALLENGE` handler.
– Fixed double-free when checking OCSP stapled response.
– Fixed NULL pointer dereference in QUIC server initial packet handling.
– Fixed AES-OCB IV ignored on `EVP_Cipher()` path.
– Fixed possible heap buffer overflow in ASN.1 multibyte string conversion.
– Fixed out-of-bounds read in CMS password-based decryption.
– Fixed heap buffer over-read in ASN.1 content parsing.
– Fixed PKCS#12 files with PBMAC1 are accepted with short HMAC keys.
– Fixed NULL dereference in certificate verification with OCSP checking.
– Fixed possible NULL dereference in password-based CMS decryption.
– Fixed NULL pointer dereference in CRMF `EncryptedValue` decryption.
– Fixed multi-`RecipientInfo` Bleichenbacher oracle in `CMS_decrypt()` and `PKCS7_decrypt()`.
– Fixed trust anchor substitution via `cert`/`issuer` typo in CMP `rootCaKeyUpdate`.
– Fixed FFC-DH peer validation uses attacker-supplied `q`.
– Fixed possible out-of-bounds read in `X509_VERIFY_PARAM_set1_email()`.
– Fixed incorrect tag processing for empty messages in AES-GCM-SIV and AES-SIV modes.
– Fixed a regression introduced in 4.0.0 that led to an `openssl pkey` command crash when it was invoked to encrypt a private key with the password provided interactively.
– Fixed a regression introduced in 4.0.0 that led to the `openssl s_client -adv` command prematurely terminating a session when reading input of 16384 bytes in one `read()` call.

Fixed vulnerabilities:

– CVE-2026-34180
– CVE-2026-34181
– CVE-2026-34182
– CVE-2026-34183
– CVE-2026-35188
– CVE-2026-42764
– CVE-2026-42765
– CVE-2026-42766
– CVE-2026-42767
– CVE-2026-42768
– CVE-2026-42769
– CVE-2026-42770
– CVE-2026-42771
– CVE-2026-45445
– CVE-2026-45446
– CVE-2026-45447
– CVE-2026-7383
– CVE-2026-9076

We continue to build the QUIC-enabled libraries as a separate, non-conflicting package, openssl-quic-libs, using the distinct .so.81.4 suffix to avoid conflicts with the official .so.X libraries.

ngtcp2 1.23.0 rpms released

ngtcp2 1.23.0 rpms released and added to all supported platforms.

Major changes:

– examples: Use std::print for sim by @tatsuhiro-t
– examples: Rewrite util::split_str by @tatsuhiro-t
– examples: Refine formatter by @tatsuhiro-t in
– log: Faster logging by @tatsuhiro-t in
– examples: Introduce ProtoCodec to deduplicate examples by @tatsuhiro-t in
– Use ULL consistently by @tatsuhiro-t in
– examples: Stop surrounding constexpr variables with anonymous namespace by @tatsuhiro-t in
– examples: Use UZ for size_t by @tatsuhiro-t in
– examples: Use static constexpr for somewhat large structs by @tatsuhiro-t in
– examples: Use try_emplace for safe insertion of move only object by @tatsuhiro-t in
– Transit to closing state when sending application close by @tatsuhiro-t in
– Specify QualifierOrder by @tatsuhiro-t in
– examples: Prefer operator== to strcmp by @tatsuhiro-t in
– examples: Use std::filesystem::path for file path by @tatsuhiro-t in
– Provide generic ngtcp2_max and ngtcp2_min by @tatsuhiro-t in
– Examples fixup by @tatsuhiro-t in
– Rewrite fallback ntoh/hton functions for win32 by @tatsuhiro-t in
– Add ngtcp2_secure_clear by @tatsuhiro-t in
– Clear sensitive secrets and keys after use by @tatsuhiro-t in
– Add const version by @tatsuhiro-t in
– Fix grammatical errors by @tatsuhiro-t in
– crypto: Add tests for token validation by @tatsuhiro-t in
– examples: Add inline to NGTCP2_SERVER by @tatsuhiro-t in
– Add const and remove duplicated code by @tatsuhiro-t in
– Remove stale function declarations by @tatsuhiro-t in
– crypto: Deal with overflow when computing token timeout by @tatsuhiro-t in
– build(deps): bump actions/github-script from 8 to 9 by @dependabotbot in
– examples: Read ECH configuration PEM in the correct format by @tatsuhiro-t in
– Revert “fix: prevent max_idle_timeout multiplication overflow in transport params decode” by @tatsuhiro-t in
– Deal with large max_idle_timeout that could overflow in computation by @tatsuhiro-t in
– Fix qlog params set stack overflow by @tatsuhiro-t in
– Log enhancement by @tatsuhiro-t in
– Bump LibreSSL to v4.3.1 by @nak3 in
– examples: Enable X25519MLKEM768 for LibreSSL by @nak3 in
– pq: Adopt designated initializers by @tatsuhiro-t in
– examples: Fix parse_uint_internal by @tatsuhiro-t in
– examples: Send stateless reset if token is required and unreadable by @tatsuhiro-t in
– examples: Remove unneeded iostream include by @tatsuhiro-t in
– Add missing initialization for fields that are not used for CRYPTO by @tatsuhiro-t in
– rst: Rename TCP centric variable names by @tatsuhiro-t in
– bbr: Cap maximum drain rounds by @tatsuhiro-t in
– GHA: Avoid azure Ubuntu mirror by @tatsuhiro-t in
– Bump openssl to v4.0.0 by @tatsuhiro-t in
– Bump boringssl by @tatsuhiro-t in
– Bump picotls by @tatsuhiro-t in
– Bump wolfssl to v5.9.1-stable by @tatsuhiro-t in
– examples/sim: Deal with retry due to Initial packet loss by @tatsuhiro-t in
– examples/sim: Minor improvements by @tatsuhiro-t in
– Bump aws-lc to v1.73.0 by @tatsuhiro-t in
– Bump wolfssl to v5.9.1-stable in interop Dockerfile by @tatsuhiro-t in
– lib: Apply absolute upper bound against CRYPTO data offset by @tatsuhiro-t in
– Adopt sphinx version-add and version-deprecated directives by @tatsuhiro-t in
– ppe: Robust ngtcp2_ppe_padding_size by @tatsuhiro-t in
– ppe: Ensure packet protection sample with ngtcp2_ppe_dgram_padding_size by @tatsuhiro-t in
– cubic: Add missing is_cwnd_limited reset after exiting slow start by @tatsuhiro-t in
– Make bitwise operations robust by @tatsuhiro-t in
– Make all private hex constants unsigned by @tatsuhiro-t in
– lib: Ensure that unidirectional stream shutdown flags properly set by @tatsuhiro-t in
– More unsigned hex integer literals by @tatsuhiro-t in
– Fix strict aliasing issue in ngtcp2_get_varint by @tatsuhiro-t in
– Net cleanup by @tatsuhiro-t in
– Bump libressl to v4.3.2 by @tatsuhiro-t in
– Consider static const if possible by @tatsuhiro-t in
– @Alex-Tsvetanov made their first contribution

nghttp3 1.16.0 rpms released

nghttp3 1.16.0 rpms released and added to all supported platforms.

Major changes:

– Create nghttp3_frame directly in ring buffer by @tatsuhiro-t in #456
– Fix memory leak on the failure path by @tatsuhiro-t in #457
– Uppercase numeric literal suffixes and hex digits in C/C++ sources by @Copilot in #458
– More use of designated initializers by @tatsuhiro-t in #459
– Upcase hex chars in string literal by @tatsuhiro-t in #460
– GHA: Build with macos-26 by @tatsuhiro-t in #461
– Call nghttp3_stream_close callback for all streams by @tatsuhiro-t in #462
– Add const qualifier by @tatsuhiro-t in #463
– Add const version by @tatsuhiro-t in #464
– Bump actions/github-script from 8 to 9 by @dependabot[bot] in #493
– Optimize huffman decode length estimation by @tatsuhiro-t in #494
– Fix integer cast by @tatsuhiro-t in #495
– Add nghttp3_conn_get_stream_user_data by @tatsuhiro-t in #496
– GHA: Avoid azure Ubuntu mirror by @tatsuhiro-t in #497
– examples: Fix literal operator syntax by @tatsuhiro-t in #498
– Add generic nghttp3_max and nghttp3_min with C11 _Generic by @tatsuhiro-t in #499
– lib: Port ngtcp2 changes in nghttp3_ksl by @tatsuhiro-t in #500
– Add missing doc by @tatsuhiro-t in #502
– doc: Adopt sphinx version-added and version-deprecated directives by @tatsuhiro-t in #503
– Ignore content-length for the extended CONNECT by @tatsuhiro-t in #504
– Cleanup bitwise negation operations by @tatsuhiro-t in #505
– Make hex integer literals unsigned where appropriate by @tatsuhiro-t in #506
– Make frame types and payload length unsigned by @tatsuhiro-t in #507
– Rewrite win32 byte order conversion functions by @tatsuhiro-t in #508
– conv: Use function like macro style for nghttp3_bswap64 by @tatsuhiro-t in #509
– conv: Use macros for win32 hton*/ntoh* fallbacks by @tatsuhiro-t in #510
– Remove legacy comments and macros regarding extensible priorities by @tatsuhiro-t in #511
– conv: Remove nghttp3_put_varint variants by @tatsuhiro-t in #512
– lib: Rewrite parse_uint by @tatsuhiro-t in #513
– lib: Dedicated function to parse 3 digits HTTP status code by @tatsuhiro-t in #514
– lib: Do not allow HTTP status code that contains leading zero by @tatsuhiro-t in #515
– More static const by @tatsuhiro-t in #516

NGINX 1.31.1 Mainline with Brotli, TLS 1.3, OpenSSL 4.0.0, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9/EL10

nginx 1.31.1 Mainline with HTTP/3 support has been added to the EL7, EL8, EL9 and EL10 repositories. The Brotli compression module from Google, http2, ngx_cache_purge and ngx_http_geoip2 modules are built in. OpenSSL is linked dynamically using official OpenSSL 4.0.0 with QUIC support.

Major changes:

*) Security: a heap memory buffer overflow might occur in a worker process when using a configuration with overlapping captures in ngx_http_rewrite_module, potentially resulting in arbitrary code execution (CVE-2026-9256). Thanks to Mufeed VH of Winfunc Research.

NGINX 1.30.2 Stable with Brotli, TLS 1.3, OpenSSL 4.0.0, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9/EL10

nginx 1.30.2 Stable with HTTP/3 support has been added to the EL7, EL8, EL9 and EL10 repositories. The Brotli compression module from Google, http2, ngx_cache_purge and ngx_http_geoip2 modules are built in. OpenSSL is linked dynamically using official OpenSSL 4.0.0 with QUIC support.

Major changes:

Fix for a buffer overflow vulnerability in the ngx_http_rewrite_module (CVE-2026-9256).