Forum OpenACS Development: NaviServer 5.1.0 released
Dear all,
We are pleased to announce the final release of NaviServer 5.1.0.
This is a major feature, security, and modernization release, with 335 files changed and more than 76,000 lines of additions. The release extends NaviServer’s role as a secure, high-performance Tcl-based application server while preparing the code base for modern TLS, OpenSSL, Tcl, JSON, authentication, and HTTP protocol requirements.
Highlights include:
Security and protocol hardening: stricter HTTP/1.x request parsing, request-smuggling defenses, safer reverse-proxy forwarding, CGI/httpoxy protection, hardened multipart parsing, safer nsperm/nscp behavior, more secure TLS protocol defaults, disabled fastpath directory listings by default, and additional traversal protections.
Native authentication and security building blocks: built-in JWT encode/decode/verify support, CBOR decoding, COSE/WebAuthn infrastructure for passkey-based login, and new cryptographic primitives that reduce the need for external framework-level dependencies.
mTLS and certificate introspection: proper server-side mutual TLS support, configurable client CA verification, access to client certificate details from Tcl, certificate summaries in connection diagnostics, and certificate inspection via ns_certctl.
Post-quantum-ready crypto support: new key-management, key-agreement, KEM, and signature APIs expose modern OpenSSL provider capabilities, including post-quantum key encapsulation and signature algorithms where supported by the installed OpenSSL provider.
Native JSON platform support: strict RFC 8259 JSON parsing/generation, typed JSON values, lossless triples, JSON Pointer support, schema derivation and validation helpers, and automatic JSON request-body access.
HTTP/3 / QUIC groundwork: an experimental HTTP/3 driver using QUIC and nghttp3, with Alt-Svc advertisement support and integration into NaviServer’s driver infrastructure. This is disabled by default and not yet intended as a production replacement for the mature HTTP/1.x path.
Better configuration and operations: configuration fragment directories, generated configuration-parameter documentation, structured nscgi interpreter configuration, request privacy signals via ns_conn privacy, enhanced runtime diagnostics, tcmalloc-aware memory reporting, and expanded driver queue introspection.
Developer-facing API updates: new Tcl command families for JSON, CBOR, JWT, crypto, certificates, client certificates, request privacy, charset introspection, URL encoding modes, and driver diagnostics; plus C API extensions for JSON parsing, TLS/mTLS, driver integration, QUIC, configuration helpers, and const-correctness.
Broad compatibility and test coverage: NaviServer 5.1 supports Tcl versions from 8.5 through 9.1b0 in the regression matrix, keeps compatibility paths for many existing configurations, and extends the regression test suite from 2850 to 3543 tests.
The full release notes are available here:
https://github.com/naviserver-project/naviserver/blob/naviserver-5.1.0/NEWS
Source release:
https://github.com/naviserver-project/naviserver/releases/tag/naviserver-5.1.0
https://sourceforge.net/projects/naviserver/files/naviserver/5.1.0/
The following people contributed to this release:
Brendan Graves, Georg Lehner, Gustaf Neumann, Hector Romojaro, Jeff R,
Nicky Johnstone, Oleg Oleinick, whisperzer0, Wolfgang Winkler, Zoran Vasiljevic
Many thanks to everyone who contributed code, tests, reports, reviews, documentation, platform testing, and feedback.
Best regards,
Gustaf Neumann
on behalf of the NaviServer team