Tuesday, February 28, 2017

H2O version 2.2 beta released with TLS 1.3 support and other improvements

Today I am happy to announce the release of H2O version 2.2.0-beta1.

The release includes 20 changes made by 10 people. It is great to see that the development effort has become a joint work of such a community.

Below are some of the big changes that went into the beta release.

Case preservation of header names under HTTP/1 #1194

Since the release of H2O, we have always used lowercased header names. This is acceptable from the specifications' standpoint since header names are defined to be case-insensitive. Also, HTTP/2 only allows transmission of the names in lowercase.

However, in practice, there are applications that rely on the case of the header names being preserved by a reverse proxy. And it is technically possible to preserve the case of the characters in HTTP/1.

@deweerdt came up with a pull request that preserves the case of the header names whenever possible. As of this writing, the case of the characters is preserved between the reverse proxy handler and HTTP/1 clients. Header names transmitted through HTTP/2 will continue to be in lowercase due to how they are encoded in HTTP/2.

Pull requests for preserving the headers communicated through other handlers are welcome.

Directives to modify request headers sent through the reverse proxy handler #1126

@zlm2012 has added configuration directives that can be used to tweak the request headers sent to the application server through the reverse proxy handler.

This has been implemented by refactoring and generalizing the headers handler that has been used to modify the response headers; so now it is possible to modify the request headers in any way that is possible to modify the response headers!

Support for TLS 1.3 draft-18 #1204

Our in-house implementation of TLS 1.3 (named picotls) has landed in master. Picotls provides an efficient (zero-copy) and clean-cut API (designed as a codec rather than an I/O abstraction) for the upcoming version 1.3 of the TLS protocol.

Thanks to the library, H2O now implements all the features that are necessary to run TLS 1.3 in production and for performance, including support for session resumption, 0-RTT data, and OCSP stapling.

Use of picotls is enabled by default; to disable it, set the max-version property of the ssl configuration directive to tlsv1.2.
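The following configuration fragment is an added example, not taken from the release itself; it shows both the max-version setting described above and the request-header directives from #1126 in one place. The proxy.header.set and proxy.header.unset names are from H2O's documentation rather than this post, and the hostname, paths, backend address and header names are placeholders.

```yaml
# Constructed h2o.conf fragment; hostname, paths, backend address and
# header names are placeholders, not values from the release.
listen:
  port: 443
  ssl:
    certificate-file: /path/to/server.crt
    key-file: /path/to/server.key
    # Cap negotiation at TLS 1.2. This disables picotls, so the
    # TLS 1.3 draft-18 features (including 0-RTT data) are not offered.
    # Remove this line to return to the default, where picotls is enabled.
    max-version: tlsv1.2

hosts:
  "example.com":
    paths:
      "/":
        proxy.reverse.url: "http://127.0.0.1:8080/"
        # Request headers sent to the application server, using the same
        # syntax as the response-side header.* directives.
        # Drop a client-supplied header the backend should never trust.
        proxy.header.unset: "X-Internal-Auth"
        # Set a fixed header so the backend can tell the request came
        # through this proxy.
        proxy.header.set: "X-Edge-Proxy: h2o"
```

After reloading with this configuration, a handshake from a TLS 1.3-capable client should complete at TLS 1.2, which is a quick way to confirm the cap took effect.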

Bug fixes thanks to code analysis #1174 #1110

@hbowden worked on integrating Coverity into H2O. The static analysis tool has found several issues and they have been fixed.

@jfoote and @deweerdt worked on integrating Google's continuous fuzzing into H2O. As a result of the integration, several issues were found and fixed in H2O.