HTTP3: Allow to support non-standard HTTP3 settings by normanmaurer · Pull Request #16171 · netty/netty

normanmaurer · 2026-01-22T16:13:04Z

Motivation:

To be able to add extensions that are still in draft we need a way to also allow non-standard HTTP3 settings. This was not possible before.

Modifications:

Allow to plugin a NonStandardHttp3SettingsValidator to support non-standard settings
Add unit test

Result:

Be able to support non-standard HTTP3 settings and so allow to add support for drafts

normanmaurer · 2026-01-22T16:14:08Z

@sanjomo PTAL

codec-http3/src/test/java/io/netty/handler/codec/http3/Http3SettingsTest.java

normanmaurer · 2026-01-26T10:22:37Z

@vietj @yawkat any concerns ?

normanmaurer · 2026-01-27T00:54:26Z

And @bryce-anderson @chrisvest

bryce-anderson

A few questions but overall looks good.

codec-http3/src/main/java/io/netty/handler/codec/http3/Http3Settings.java

codec-http3/src/main/java/io/netty/handler/codec/http3/Http3ClientConnectionHandler.java

bryce-anderson · 2026-01-27T18:07:01Z

codec-http3/src/main/java/io/netty/handler/codec/http3/Http3FrameCodec.java

@@ -62,7 +62,7 @@ final class Http3FrameCodec extends ByteToMessageDecoder implements ChannelOutbo
    private final QpackEncoder qpackEncoder;
    private final Http3RequestStreamCodecState encodeState;


Not related to this PR, but is encodeState used anywhere?

codec-http3/src/main/java/io/netty/handler/codec/http3/Http3ClientConnectionHandler.java

Motivation: To be able to add extensions that are still in draft we need a way to also allow non-standard HTTP3 settings. This was not possible before. Modifications: - Allow to plugin a NonStandardHttp3SettingsValidator to support non-standard settings - Add unit test Result: Be able to support non-standard HTTP3 settings and so allow to add support for drafts

yawkat · 2026-02-02T07:17:18Z

codec-http3/src/main/java/io/netty/handler/codec/http3/Http3ClientConnectionHandler.java

+     * @param nonStandardSettingsValidator          the {@link Http3Settings.NonStandardHttp3SettingsValidator} to use
+     *                                              when validating settings that are non-standard.
+     */
+    public Http3ClientConnectionHandler(@Nullable ChannelHandler inboundControlStreamHandler,


as per usual… I vote for a builder

Let me add a builder as a followup.

Motivation: To be able to add extensions that are still in draft we need a way to also allow non-standard HTTP3 settings. This was not possible before. Modifications: - Allow to plugin a NonStandardHttp3SettingsValidator to support non-standard settings - Add unit test Result: Be able to support non-standard HTTP3 settings and so allow to add support for drafts

Motivation: To be able to add extensions that are still in draft we need a way to also allow non-standard HTTP3 settings. This was not possible before. Modifications: - Allow to plugin a NonStandardHttp3SettingsValidator to support non-standard settings - Add unit test Result: Be able to support non-standard HTTP3 settings and so allow to add support for drafts Port of netty/netty#16171

…l [skip ci] Bumps [io.netty:netty-all](https://github.com/netty/netty) from 4.2.10.Final to 4.2.12.Final. Release notes *Sourced from [io.netty:netty-all's releases](https://github.com/netty/netty/releases).* > netty-4.2.12.Final > ------------------ > > What's Changed > -------------- > > * Revert "Eliminate redundant bounds checks in CompositeByteBuf accessors" by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16550](https://redirect.github.com/netty/netty/pull/16550) > > **Full Changelog**: <netty/netty@netty-4.2.11.Final...netty-4.2.12.Final> > > netty-4.2.11.Final > ------------------ > > Security > -------- > > * CVE-2026-33871, [HTTP/2 CONTINUATION Frame Flood Denial of Service](GHSA-w9fj-cfpg-grvv) > * CVE-2026-33870, [HTTP Request Smuggling via Chunked Extension Quoted-String Parsing](GHSA-pwqr-wmgm-9rr8) > > What's Changed > -------------- > > * Update to latest JDK 26 EA release by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16230](https://redirect.github.com/netty/netty/pull/16230) > * HTTP3: Allow to support non-standard HTTP3 settings by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16171](https://redirect.github.com/netty/netty/pull/16171) > * Fix Incorrect nanos-to-millis conversion in epoll\_wait EINTR retry loop by [`@adwsingh`](https://github.com/adwsingh) in [netty/netty#16245](https://redirect.github.com/netty/netty/pull/16245) > * Allocate one large segment and slice for each MsgHdrMemory by [`@dreamlike-ocean`](https://github.com/dreamlike-ocean) in [netty/netty#16234](https://redirect.github.com/netty/netty/pull/16234) > * Make RefCntOpenSslContext.deallocate more robust by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16253](https://redirect.github.com/netty/netty/pull/16253) > * Epoll: Fix excessive CPU usage when Channel is only registered but no… by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16250](https://redirect.github.com/netty/netty/pull/16250) > * Update to gcc for arm 10.3-2021.07 by [`@m1ngyuan`](https://github.com/m1ngyuan) in [netty/netty#16255](https://redirect.github.com/netty/netty/pull/16255) > * Add acmeIdentifier extension support to pkitesting by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16256](https://redirect.github.com/netty/netty/pull/16256) > * Update JDK versions to latest patch releases by [`@m1ngyuan`](https://github.com/m1ngyuan) in [netty/netty#16254](https://redirect.github.com/netty/netty/pull/16254) > * Avoid allocation in HttpObjectEncoder.addEncodedLengthHex method by [`@doom369`](https://github.com/doom369) in [netty/netty#16241](https://redirect.github.com/netty/netty/pull/16241) > * Automatic backporting workflow from 4.1 to 4.2 by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16269](https://redirect.github.com/netty/netty/pull/16269) > * Revert "Automatic backporting workflow from 4.1 to 4.2" by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16270](https://redirect.github.com/netty/netty/pull/16270) > * HTTP2: Correctly account for padding when decompress by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16264](https://redirect.github.com/netty/netty/pull/16264) > * Automatic backporting workflow from 4.1 to 4.2 by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16271](https://redirect.github.com/netty/netty/pull/16271) > * Automatic backporting workflow from 4.1 to 4.2 by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16273](https://redirect.github.com/netty/netty/pull/16273) > * Backport PRs must be created with personal access tokens by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16276](https://redirect.github.com/netty/netty/pull/16276) > * Expose QuicSslContextBuilder::sni by [`@ZeroErrors`](https://github.com/ZeroErrors) in [netty/netty#16178](https://redirect.github.com/netty/netty/pull/16178) > * Add more porting workflows by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16275](https://redirect.github.com/netty/netty/pull/16275) > * Add more porting workflows by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16283](https://redirect.github.com/netty/netty/pull/16283) > * Remove the unpooled allocator from test permutations by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16282](https://redirect.github.com/netty/netty/pull/16282) > * Some polishing of the porting workflows by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16288](https://redirect.github.com/netty/netty/pull/16288) > * Allow to set destination connection id when creating a client side QuicheChannel by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16286](https://redirect.github.com/netty/netty/pull/16286) > * Update to latest JDK26 EA build by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16295](https://redirect.github.com/netty/netty/pull/16295) > * Add javadoc to clarify responsibility of the user when generating the remote connection id by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16293](https://redirect.github.com/netty/netty/pull/16293) > * Make the build run faster by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16290](https://redirect.github.com/netty/netty/pull/16290) > * Fix IDE warnings in SslHandler by [`@doom369`](https://github.com/doom369) in [netty/netty#16237](https://redirect.github.com/netty/netty/pull/16237) > * Decrease Long allocations and map.put calls in ReferenceCountedOpenSllEngine in handshake() method by [`@doom369`](https://github.com/doom369) in [netty/netty#16242](https://redirect.github.com/netty/netty/pull/16242) > * Support boringssl SSLCredential API by [`@jmcrawford45`](https://github.com/jmcrawford45) in [netty/netty#15919](https://redirect.github.com/netty/netty/pull/15919) > * Fix high-order bit aliasing in HttpUtil.validateToken by [`@furkanvarol`](https://github.com/furkanvarol) in [netty/netty#16279](https://redirect.github.com/netty/netty/pull/16279) > * Improve multi-byte access performance when UNALIGNED availability is unknown by [`@Songdoeon`](https://github.com/Songdoeon) in [netty/netty#16207](https://redirect.github.com/netty/netty/pull/16207) > * Avoid unnecessary SSL.getVersion() call and string allocation in ReferenceCountedOpenSslEngine by [`@doom369`](https://github.com/doom369) in [netty/netty#16278](https://redirect.github.com/netty/netty/pull/16278) > * Support more branch freedom for auto-porting by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16300](https://redirect.github.com/netty/netty/pull/16300) > * fix: the precedence of + is higher than >> by [`@cuiweixie`](https://github.com/cuiweixie) in [netty/netty#16312](https://redirect.github.com/netty/netty/pull/16312) > * AdaptiveByteBufAllocator: make sure byteBuf.capacity() not greater than byteBuf.maxCapacity() by [`@laosijikaichele`](https://github.com/laosijikaichele) in [netty/netty#16309](https://redirect.github.com/netty/netty/pull/16309) > * Fix flaky PooledByteBufAllocatorTest by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16313](https://redirect.github.com/netty/netty/pull/16313) > * Fix pooled arena accounting tests by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16321](https://redirect.github.com/netty/netty/pull/16321) ... (truncated) Commits * [`67ce541`](netty/netty@67ce541) [maven-release-plugin] prepare release netty-4.2.12.Final * [`7074624`](netty/netty@7074624) Revert "Eliminate redundant bounds checks in CompositeByteBuf accessors" ([#16](https://redirect.github.com/netty/netty/issues/16)... * [`c3b0a43`](netty/netty@c3b0a43) [maven-release-plugin] prepare for next development iteration * [`c94a818`](netty/netty@c94a818) [maven-release-plugin] prepare release netty-4.2.11.Final * [`3b76df1`](netty/netty@3b76df1) Merge commit from fork * [`aae944a`](netty/netty@aae944a) Auto-port 4.2: Limit the number of Continuation frames per HTTP2 Headers ([#16](https://redirect.github.com/netty/netty/issues/16)... * [`6001499`](netty/netty@6001499) Eliminate redundant bounds checks in CompositeByteBuf accessors ([#16525](https://redirect.github.com/netty/netty/issues/16525)) * [`a7fbb6f`](netty/netty@a7fbb6f) JdkZlibDecoder: accumulate decompressed output before firing channelRead ([#16](https://redirect.github.com/netty/netty/issues/16)... * [`7937553`](netty/netty@7937553) Enforce io.netty.maxDirectMemory accounting on all Java versions ([#16489](https://redirect.github.com/netty/netty/issues/16489)) * [`893ea2e`](netty/netty@893ea2e) Allocate less in QueryStringDecoder.addParam for typical use case ([#16527](https://redirect.github.com/netty/netty/issues/16527)) * Additional commits viewable in [compare view](netty/netty@netty-4.2.10.Final...netty-4.2.12.Final) [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility\_score?dependency-name=io.netty:netty-all&package-manager=maven&previous-version=4.2.10.Final&new-version=4.2.12.Final)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- Dependabot commands and options You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

…ip ci] Bumps `netty.version` from 4.2.10.Final to 4.2.12.Final. Updates `io.netty:netty-transport` from 4.2.10.Final to 4.2.12.Final Release notes *Sourced from [io.netty:netty-transport's releases](https://github.com/netty/netty/releases).* > netty-4.2.12.Final > ------------------ > > What's Changed > -------------- > > * Revert "Eliminate redundant bounds checks in CompositeByteBuf accessors" by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16550](https://redirect.github.com/netty/netty/pull/16550) > > **Full Changelog**: <netty/netty@netty-4.2.11.Final...netty-4.2.12.Final> > > netty-4.2.11.Final > ------------------ > > Security > -------- > > * CVE-2026-33871, [HTTP/2 CONTINUATION Frame Flood Denial of Service](GHSA-w9fj-cfpg-grvv) > * CVE-2026-33870, [HTTP Request Smuggling via Chunked Extension Quoted-String Parsing](GHSA-pwqr-wmgm-9rr8) > > What's Changed > -------------- > > * Update to latest JDK 26 EA release by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16230](https://redirect.github.com/netty/netty/pull/16230) > * HTTP3: Allow to support non-standard HTTP3 settings by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16171](https://redirect.github.com/netty/netty/pull/16171) > * Fix Incorrect nanos-to-millis conversion in epoll\_wait EINTR retry loop by [`@adwsingh`](https://github.com/adwsingh) in [netty/netty#16245](https://redirect.github.com/netty/netty/pull/16245) > * Allocate one large segment and slice for each MsgHdrMemory by [`@dreamlike-ocean`](https://github.com/dreamlike-ocean) in [netty/netty#16234](https://redirect.github.com/netty/netty/pull/16234) > * Make RefCntOpenSslContext.deallocate more robust by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16253](https://redirect.github.com/netty/netty/pull/16253) > * Epoll: Fix excessive CPU usage when Channel is only registered but no… by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16250](https://redirect.github.com/netty/netty/pull/16250) > * Update to gcc for arm 10.3-2021.07 by [`@m1ngyuan`](https://github.com/m1ngyuan) in [netty/netty#16255](https://redirect.github.com/netty/netty/pull/16255) > * Add acmeIdentifier extension support to pkitesting by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16256](https://redirect.github.com/netty/netty/pull/16256) > * Update JDK versions to latest patch releases by [`@m1ngyuan`](https://github.com/m1ngyuan) in [netty/netty#16254](https://redirect.github.com/netty/netty/pull/16254) > * Avoid allocation in HttpObjectEncoder.addEncodedLengthHex method by [`@doom369`](https://github.com/doom369) in [netty/netty#16241](https://redirect.github.com/netty/netty/pull/16241) > * Automatic backporting workflow from 4.1 to 4.2 by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16269](https://redirect.github.com/netty/netty/pull/16269) > * Revert "Automatic backporting workflow from 4.1 to 4.2" by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16270](https://redirect.github.com/netty/netty/pull/16270) > * HTTP2: Correctly account for padding when decompress by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16264](https://redirect.github.com/netty/netty/pull/16264) > * Automatic backporting workflow from 4.1 to 4.2 by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16271](https://redirect.github.com/netty/netty/pull/16271) > * Automatic backporting workflow from 4.1 to 4.2 by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16273](https://redirect.github.com/netty/netty/pull/16273) > * Backport PRs must be created with personal access tokens by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16276](https://redirect.github.com/netty/netty/pull/16276) > * Expose QuicSslContextBuilder::sni by [`@ZeroErrors`](https://github.com/ZeroErrors) in [netty/netty#16178](https://redirect.github.com/netty/netty/pull/16178) > * Add more porting workflows by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16275](https://redirect.github.com/netty/netty/pull/16275) > * Add more porting workflows by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16283](https://redirect.github.com/netty/netty/pull/16283) > * Remove the unpooled allocator from test permutations by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16282](https://redirect.github.com/netty/netty/pull/16282) > * Some polishing of the porting workflows by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16288](https://redirect.github.com/netty/netty/pull/16288) > * Allow to set destination connection id when creating a client side QuicheChannel by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16286](https://redirect.github.com/netty/netty/pull/16286) > * Update to latest JDK26 EA build by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16295](https://redirect.github.com/netty/netty/pull/16295) > * Add javadoc to clarify responsibility of the user when generating the remote connection id by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16293](https://redirect.github.com/netty/netty/pull/16293) > * Make the build run faster by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16290](https://redirect.github.com/netty/netty/pull/16290) > * Fix IDE warnings in SslHandler by [`@doom369`](https://github.com/doom369) in [netty/netty#16237](https://redirect.github.com/netty/netty/pull/16237) > * Decrease Long allocations and map.put calls in ReferenceCountedOpenSllEngine in handshake() method by [`@doom369`](https://github.com/doom369) in [netty/netty#16242](https://redirect.github.com/netty/netty/pull/16242) > * Support boringssl SSLCredential API by [`@jmcrawford45`](https://github.com/jmcrawford45) in [netty/netty#15919](https://redirect.github.com/netty/netty/pull/15919) > * Fix high-order bit aliasing in HttpUtil.validateToken by [`@furkanvarol`](https://github.com/furkanvarol) in [netty/netty#16279](https://redirect.github.com/netty/netty/pull/16279) > * Improve multi-byte access performance when UNALIGNED availability is unknown by [`@Songdoeon`](https://github.com/Songdoeon) in [netty/netty#16207](https://redirect.github.com/netty/netty/pull/16207) > * Avoid unnecessary SSL.getVersion() call and string allocation in ReferenceCountedOpenSslEngine by [`@doom369`](https://github.com/doom369) in [netty/netty#16278](https://redirect.github.com/netty/netty/pull/16278) > * Support more branch freedom for auto-porting by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16300](https://redirect.github.com/netty/netty/pull/16300) > * fix: the precedence of + is higher than >> by [`@cuiweixie`](https://github.com/cuiweixie) in [netty/netty#16312](https://redirect.github.com/netty/netty/pull/16312) > * AdaptiveByteBufAllocator: make sure byteBuf.capacity() not greater than byteBuf.maxCapacity() by [`@laosijikaichele`](https://github.com/laosijikaichele) in [netty/netty#16309](https://redirect.github.com/netty/netty/pull/16309) > * Fix flaky PooledByteBufAllocatorTest by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16313](https://redirect.github.com/netty/netty/pull/16313) > * Fix pooled arena accounting tests by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16321](https://redirect.github.com/netty/netty/pull/16321) ... (truncated) Commits * [`67ce541`](netty/netty@67ce541) [maven-release-plugin] prepare release netty-4.2.12.Final * [`7074624`](netty/netty@7074624) Revert "Eliminate redundant bounds checks in CompositeByteBuf accessors" ([#16](https://redirect.github.com/netty/netty/issues/16)... * [`c3b0a43`](netty/netty@c3b0a43) [maven-release-plugin] prepare for next development iteration * [`c94a818`](netty/netty@c94a818) [maven-release-plugin] prepare release netty-4.2.11.Final * [`3b76df1`](netty/netty@3b76df1) Merge commit from fork * [`aae944a`](netty/netty@aae944a) Auto-port 4.2: Limit the number of Continuation frames per HTTP2 Headers ([#16](https://redirect.github.com/netty/netty/issues/16)... * [`6001499`](netty/netty@6001499) Eliminate redundant bounds checks in CompositeByteBuf accessors ([#16525](https://redirect.github.com/netty/netty/issues/16525)) * [`a7fbb6f`](netty/netty@a7fbb6f) JdkZlibDecoder: accumulate decompressed output before firing channelRead ([#16](https://redirect.github.com/netty/netty/issues/16)... * [`7937553`](netty/netty@7937553) Enforce io.netty.maxDirectMemory accounting on all Java versions ([#16489](https://redirect.github.com/netty/netty/issues/16489)) * [`893ea2e`](netty/netty@893ea2e) Allocate less in QueryStringDecoder.addParam for typical use case ([#16527](https://redirect.github.com/netty/netty/issues/16527)) * Additional commits viewable in [compare view](netty/netty@netty-4.2.10.Final...netty-4.2.12.Final) Updates `io.netty:netty-codec` from 4.2.10.Final to 4.2.12.Final Release notes *Sourced from [io.netty:netty-codec's releases](https://github.com/netty/netty/releases).* > netty-4.2.12.Final > ------------------ > > What's Changed > -------------- > > * Revert "Eliminate redundant bounds checks in CompositeByteBuf accessors" by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16550](https://redirect.github.com/netty/netty/pull/16550) > > **Full Changelog**: <netty/netty@netty-4.2.11.Final...netty-4.2.12.Final> > > netty-4.2.11.Final > ------------------ > > Security > -------- > > * CVE-2026-33871, [HTTP/2 CONTINUATION Frame Flood Denial of Service](GHSA-w9fj-cfpg-grvv) > * CVE-2026-33870, [HTTP Request Smuggling via Chunked Extension Quoted-String Parsing](GHSA-pwqr-wmgm-9rr8) > > What's Changed > -------------- > > * Update to latest JDK 26 EA release by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16230](https://redirect.github.com/netty/netty/pull/16230) > * HTTP3: Allow to support non-standard HTTP3 settings by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16171](https://redirect.github.com/netty/netty/pull/16171) > * Fix Incorrect nanos-to-millis conversion in epoll\_wait EINTR retry loop by [`@adwsingh`](https://github.com/adwsingh) in [netty/netty#16245](https://redirect.github.com/netty/netty/pull/16245) > * Allocate one large segment and slice for each MsgHdrMemory by [`@dreamlike-ocean`](https://github.com/dreamlike-ocean) in [netty/netty#16234](https://redirect.github.com/netty/netty/pull/16234) > * Make RefCntOpenSslContext.deallocate more robust by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16253](https://redirect.github.com/netty/netty/pull/16253) > * Epoll: Fix excessive CPU usage when Channel is only registered but no… by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16250](https://redirect.github.com/netty/netty/pull/16250) > * Update to gcc for arm 10.3-2021.07 by [`@m1ngyuan`](https://github.com/m1ngyuan) in [netty/netty#16255](https://redirect.github.com/netty/netty/pull/16255) > * Add acmeIdentifier extension support to pkitesting by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16256](https://redirect.github.com/netty/netty/pull/16256) > * Update JDK versions to latest patch releases by [`@m1ngyuan`](https://github.com/m1ngyuan) in [netty/netty#16254](https://redirect.github.com/netty/netty/pull/16254) > * Avoid allocation in HttpObjectEncoder.addEncodedLengthHex method by [`@doom369`](https://github.com/doom369) in [netty/netty#16241](https://redirect.github.com/netty/netty/pull/16241) > * Automatic backporting workflow from 4.1 to 4.2 by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16269](https://redirect.github.com/netty/netty/pull/16269) > * Revert "Automatic backporting workflow from 4.1 to 4.2" by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16270](https://redirect.github.com/netty/netty/pull/16270) > * HTTP2: Correctly account for padding when decompress by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16264](https://redirect.github.com/netty/netty/pull/16264) > * Automatic backporting workflow from 4.1 to 4.2 by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16271](https://redirect.github.com/netty/netty/pull/16271) > * Automatic backporting workflow from 4.1 to 4.2 by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16273](https://redirect.github.com/netty/netty/pull/16273) > * Backport PRs must be created with personal access tokens by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16276](https://redirect.github.com/netty/netty/pull/16276) > * Expose QuicSslContextBuilder::sni by [`@ZeroErrors`](https://github.com/ZeroErrors) in [netty/netty#16178](https://redirect.github.com/netty/netty/pull/16178) > * Add more porting workflows by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16275](https://redirect.github.com/netty/netty/pull/16275) > * Add more porting workflows by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16283](https://redirect.github.com/netty/netty/pull/16283) > * Remove the unpooled allocator from test permutations by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16282](https://redirect.github.com/netty/netty/pull/16282) > * Some polishing of the porting workflows by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16288](https://redirect.github.com/netty/netty/pull/16288) > * Allow to set destination connection id when creating a client side QuicheChannel by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16286](https://redirect.github.com/netty/netty/pull/16286) > * Update to latest JDK26 EA build by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16295](https://redirect.github.com/netty/netty/pull/16295) > * Add javadoc to clarify responsibility of the user when generating the remote connection id by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16293](https://redirect.github.com/netty/netty/pull/16293) > * Make the build run faster by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16290](https://redirect.github.com/netty/netty/pull/16290) > * Fix IDE warnings in SslHandler by [`@doom369`](https://github.com/doom369) in [netty/netty#16237](https://redirect.github.com/netty/netty/pull/16237) > * Decrease Long allocations and map.put calls in ReferenceCountedOpenSllEngine in handshake() method by [`@doom369`](https://github.com/doom369) in [netty/netty#16242](https://redirect.github.com/netty/netty/pull/16242) > * Support boringssl SSLCredential API by [`@jmcrawford45`](https://github.com/jmcrawford45) in [netty/netty#15919](https://redirect.github.com/netty/netty/pull/15919) > * Fix high-order bit aliasing in HttpUtil.validateToken by [`@furkanvarol`](https://github.com/furkanvarol) in [netty/netty#16279](https://redirect.github.com/netty/netty/pull/16279) > * Improve multi-byte access performance when UNALIGNED availability is unknown by [`@Songdoeon`](https://github.com/Songdoeon) in [netty/netty#16207](https://redirect.github.com/netty/netty/pull/16207) > * Avoid unnecessary SSL.getVersion() call and string allocation in ReferenceCountedOpenSslEngine by [`@doom369`](https://github.com/doom369) in [netty/netty#16278](https://redirect.github.com/netty/netty/pull/16278) > * Support more branch freedom for auto-porting by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16300](https://redirect.github.com/netty/netty/pull/16300) > * fix: the precedence of + is higher than >> by [`@cuiweixie`](https://github.com/cuiweixie) in [netty/netty#16312](https://redirect.github.com/netty/netty/pull/16312) > * AdaptiveByteBufAllocator: make sure byteBuf.capacity() not greater than byteBuf.maxCapacity() by [`@laosijikaichele`](https://github.com/laosijikaichele) in [netty/netty#16309](https://redirect.github.com/netty/netty/pull/16309) > * Fix flaky PooledByteBufAllocatorTest by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16313](https://redirect.github.com/netty/netty/pull/16313) > * Fix pooled arena accounting tests by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16321](https://redirect.github.com/netty/netty/pull/16321) ... (truncated) Commits * [`67ce541`](netty/netty@67ce541) [maven-release-plugin] prepare release netty-4.2.12.Final * [`7074624`](netty/netty@7074624) Revert "Eliminate redundant bounds checks in CompositeByteBuf accessors" ([#16](https://redirect.github.com/netty/netty/issues/16)... * [`c3b0a43`](netty/netty@c3b0a43) [maven-release-plugin] prepare for next development iteration * [`c94a818`](netty/netty@c94a818) [maven-release-plugin] prepare release netty-4.2.11.Final * [`3b76df1`](netty/netty@3b76df1) Merge commit from fork * [`aae944a`](netty/netty@aae944a) Auto-port 4.2: Limit the number of Continuation frames per HTTP2 Headers ([#16](https://redirect.github.com/netty/netty/issues/16)... * [`6001499`](netty/netty@6001499) Eliminate redundant bounds checks in CompositeByteBuf accessors ([#16525](https://redirect.github.com/netty/netty/issues/16525)) * [`a7fbb6f`](netty/netty@a7fbb6f) JdkZlibDecoder: accumulate decompressed output before firing channelRead ([#16](https://redirect.github.com/netty/netty/issues/16)... * [`7937553`](netty/netty@7937553) Enforce io.netty.maxDirectMemory accounting on all Java versions ([#16489](https://redirect.github.com/netty/netty/issues/16489)) * [`893ea2e`](netty/netty@893ea2e) Allocate less in QueryStringDecoder.addParam for typical use case ([#16527](https://redirect.github.com/netty/netty/issues/16527)) * Additional commits viewable in [compare view](netty/netty@netty-4.2.10.Final...netty-4.2.12.Final) Updates `io.netty:netty-handler` from 4.2.10.Final to 4.2.12.Final Release notes *Sourced from [io.netty:netty-handler's releases](https://github.com/netty/netty/releases).* > netty-4.2.12.Final > ------------------ > > What's Changed > -------------- > > * Revert "Eliminate redundant bounds checks in CompositeByteBuf accessors" by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16550](https://redirect.github.com/netty/netty/pull/16550) > > **Full Changelog**: <netty/netty@netty-4.2.11.Final...netty-4.2.12.Final> > > netty-4.2.11.Final > ------------------ > > Security > -------- > > * CVE-2026-33871, [HTTP/2 CONTINUATION Frame Flood Denial of Service](GHSA-w9fj-cfpg-grvv) > * CVE-2026-33870, [HTTP Request Smuggling via Chunked Extension Quoted-String Parsing](GHSA-pwqr-wmgm-9rr8) > > What's Changed > -------------- > > * Update to latest JDK 26 EA release by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16230](https://redirect.github.com/netty/netty/pull/16230) > * HTTP3: Allow to support non-standard HTTP3 settings by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16171](https://redirect.github.com/netty/netty/pull/16171) > * Fix Incorrect nanos-to-millis conversion in epoll\_wait EINTR retry loop by [`@adwsingh`](https://github.com/adwsingh) in [netty/netty#16245](https://redirect.github.com/netty/netty/pull/16245) > * Allocate one large segment and slice for each MsgHdrMemory by [`@dreamlike-ocean`](https://github.com/dreamlike-ocean) in [netty/netty#16234](https://redirect.github.com/netty/netty/pull/16234) > * Make RefCntOpenSslContext.deallocate more robust by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16253](https://redirect.github.com/netty/netty/pull/16253) > * Epoll: Fix excessive CPU usage when Channel is only registered but no… by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16250](https://redirect.github.com/netty/netty/pull/16250) > * Update to gcc for arm 10.3-2021.07 by [`@m1ngyuan`](https://github.com/m1ngyuan) in [netty/netty#16255](https://redirect.github.com/netty/netty/pull/16255) > * Add acmeIdentifier extension support to pkitesting by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16256](https://redirect.github.com/netty/netty/pull/16256) > * Update JDK versions to latest patch releases by [`@m1ngyuan`](https://github.com/m1ngyuan) in [netty/netty#16254](https://redirect.github.com/netty/netty/pull/16254) > * Avoid allocation in HttpObjectEncoder.addEncodedLengthHex method by [`@doom369`](https://github.com/doom369) in [netty/netty#16241](https://redirect.github.com/netty/netty/pull/16241) > * Automatic backporting workflow from 4.1 to 4.2 by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16269](https://redirect.github.com/netty/netty/pull/16269) > * Revert "Automatic backporting workflow from 4.1 to 4.2" by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16270](https://redirect.github.com/netty/netty/pull/16270) > * HTTP2: Correctly account for padding when decompress by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16264](https://redirect.github.com/netty/netty/pull/16264) > * Automatic backporting workflow from 4.1 to 4.2 by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16271](https://redirect.github.com/netty/netty/pull/16271) > * Automatic backporting workflow from 4.1 to 4.2 by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16273](https://redirect.github.com/netty/netty/pull/16273) > * Backport PRs must be created with personal access tokens by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16276](https://redirect.github.com/netty/netty/pull/16276) > * Expose QuicSslContextBuilder::sni by [`@ZeroErrors`](https://github.com/ZeroErrors) in [netty/netty#16178](https://redirect.github.com/netty/netty/pull/16178) > * Add more porting workflows by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16275](https://redirect.github.com/netty/netty/pull/16275) > * Add more porting workflows by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16283](https://redirect.github.com/netty/netty/pull/16283) > * Remove the unpooled allocator from test permutations by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16282](https://redirect.github.com/netty/netty/pull/16282) > * Some polishing of the porting workflows by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16288](https://redirect.github.com/netty/netty/pull/16288) > * Allow to set destination connection id when creating a client side QuicheChannel by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16286](https://redirect.github.com/netty/netty/pull/16286) > * Update to latest JDK26 EA build by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16295](https://redirect.github.com/netty/netty/pull/16295) > * Add javadoc to clarify responsibility of the user when generating the remote connection id by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16293](https://redirect.github.com/netty/netty/pull/16293) > * Make the build run faster by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16290](https://redirect.github.com/netty/netty/pull/16290) > * Fix IDE warnings in SslHandler by [`@doom369`](https://github.com/doom369) in [netty/netty#16237](https://redirect.github.com/netty/netty/pull/16237) > * Decrease Long allocations and map.put calls in ReferenceCountedOpenSllEngine in handshake() method by [`@doom369`](https://github.com/doom369) in [netty/netty#16242](https://redirect.github.com/netty/netty/pull/16242) > * Support boringssl SSLCredential API by [`@jmcrawford45`](https://github.com/jmcrawford45) in [netty/netty#15919](https://redirect.github.com/netty/netty/pull/15919) > * Fix high-order bit aliasing in HttpUtil.validateToken by [`@furkanvarol`](https://github.com/furkanvarol) in [netty/netty#16279](https://redirect.github.com/netty/netty/pull/16279) > * Improve multi-byte access performance when UNALIGNED availability is unknown by [`@Songdoeon`](https://github.com/Songdoeon) in [netty/netty#16207](https://redirect.github.com/netty/netty/pull/16207) > * Avoid unnecessary SSL.getVersion() call and string allocation in ReferenceCountedOpenSslEngine by [`@doom369`](https://github.com/doom369) in [netty/netty#16278](https://redirect.github.com/netty/netty/pull/16278) > * Support more branch freedom for auto-porting by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16300](https://redirect.github.com/netty/netty/pull/16300) > * fix: the precedence of + is higher than >> by [`@cuiweixie`](https://github.com/cuiweixie) in [netty/netty#16312](https://redirect.github.com/netty/netty/pull/16312) > * AdaptiveByteBufAllocator: make sure byteBuf.capacity() not greater than byteBuf.maxCapacity() by [`@laosijikaichele`](https://github.com/laosijikaichele) in [netty/netty#16309](https://redirect.github.com/netty/netty/pull/16309) > * Fix flaky PooledByteBufAllocatorTest by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16313](https://redirect.github.com/netty/netty/pull/16313) > * Fix pooled arena accounting tests by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16321](https://redirect.github.com/netty/netty/pull/16321) ... (truncated) Commits * [`67ce541`](netty/netty@67ce541) [maven-release-plugin] prepare release netty-4.2.12.Final * [`7074624`](netty/netty@7074624) Revert "Eliminate redundant bounds checks in CompositeByteBuf accessors" ([#16](https://redirect.github.com/netty/netty/issues/16)... * [`c3b0a43`](netty/netty@c3b0a43) [maven-release-plugin] prepare for next development iteration * [`c94a818`](netty/netty@c94a818) [maven-release-plugin] prepare release netty-4.2.11.Final * [`3b76df1`](netty/netty@3b76df1) Merge commit from fork * [`aae944a`](netty/netty@aae944a) Auto-port 4.2: Limit the number of Continuation frames per HTTP2 Headers ([#16](https://redirect.github.com/netty/netty/issues/16)... * [`6001499`](netty/netty@6001499) Eliminate redundant bounds checks in CompositeByteBuf accessors ([#16525](https://redirect.github.com/netty/netty/issues/16525)) * [`a7fbb6f`](netty/netty@a7fbb6f) JdkZlibDecoder: accumulate decompressed output before firing channelRead ([#16](https://redirect.github.com/netty/netty/issues/16)... * [`7937553`](netty/netty@7937553) Enforce io.netty.maxDirectMemory accounting on all Java versions ([#16489](https://redirect.github.com/netty/netty/issues/16489)) * [`893ea2e`](netty/netty@893ea2e) Allocate less in QueryStringDecoder.addParam for typical use case ([#16527](https://redirect.github.com/netty/netty/issues/16527)) * Additional commits viewable in [compare view](netty/netty@netty-4.2.10.Final...netty-4.2.12.Final) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- Dependabot commands and options You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

normanmaurer requested a review from chrisvest January 22, 2026 16:13

normanmaurer mentioned this pull request Jan 22, 2026

Adding Experimental WebTransport settings in HTTP/3 Settings #16166

Closed

sanjomo approved these changes Jan 22, 2026

View reviewed changes

sanjomo reviewed Jan 23, 2026

View reviewed changes

codec-http3/src/test/java/io/netty/handler/codec/http3/Http3SettingsTest.java Show resolved Hide resolved

bryce-anderson reviewed Jan 27, 2026

View reviewed changes

sanjomo reviewed Jan 31, 2026

View reviewed changes

codec-http3/src/main/java/io/netty/handler/codec/http3/Http3ClientConnectionHandler.java Outdated Show resolved Hide resolved

normanmaurer added 3 commits January 31, 2026 19:30

add test

b771314

Fix

dfc8a72

normanmaurer force-pushed the http3_non_standard branch from c9c9455 to dfc8a72 Compare January 31, 2026 18:30

yawkat reviewed Feb 2, 2026

View reviewed changes

bryce-anderson approved these changes Feb 2, 2026

View reviewed changes

normanmaurer merged commit 81c1017 into 4.2 Feb 6, 2026
20 checks passed

normanmaurer deleted the http3_non_standard branch February 6, 2026 10:10

normanmaurer added this to the 4.2.11.Final milestone Feb 6, 2026

normanmaurer mentioned this pull request Feb 19, 2026

HTTP3: Allow to support non-standard HTTP3 settings netty/netty-incubator-codec-http3#362

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

HTTP3: Allow to support non-standard HTTP3 settings#16171

HTTP3: Allow to support non-standard HTTP3 settings#16171
normanmaurer merged 3 commits into4.2from
http3_non_standard

normanmaurer commented Jan 22, 2026

Uh oh!

normanmaurer commented Jan 22, 2026

Uh oh!

Uh oh!

normanmaurer commented Jan 26, 2026

Uh oh!

normanmaurer commented Jan 27, 2026

Uh oh!

bryce-anderson left a comment

Uh oh!

Uh oh!

Uh oh!

bryce-anderson Jan 27, 2026

Uh oh!

Uh oh!

yawkat Feb 2, 2026

Uh oh!

normanmaurer Feb 6, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

		@@ -62,7 +62,7 @@ final class Http3FrameCodec extends ByteToMessageDecoder implements ChannelOutbo
		private final QpackEncoder qpackEncoder;
		private final Http3RequestStreamCodecState encodeState;

Uh oh!

Conversation

normanmaurer commented Jan 22, 2026

Uh oh!

normanmaurer commented Jan 22, 2026

Uh oh!

Uh oh!

normanmaurer commented Jan 26, 2026

Uh oh!

normanmaurer commented Jan 27, 2026

Uh oh!

bryce-anderson left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

bryce-anderson Jan 27, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

yawkat Feb 2, 2026

Choose a reason for hiding this comment

Uh oh!

normanmaurer Feb 6, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants