Subject: CVS commit: pkgsrc/www/nghttp2
From: Adam Ciarcinski
Date: 2017-05-26 21:47:18
Message id: 20170526194718.61598FBE4@cvs.NetBSD.org

Log Message:
Changes 1.23.0:

libnghttp2

Previously, if libnghttp2 received an invalid header field, it was just ignored,
and was treated as if it had never happened. This release changes this behaviour,
and now libnghttp2 treats an incoming invalid header field as an error, and resets
the stream with PROTOCOL_ERROR.

nghttp2_on_invalid_frame_callback is now called if validation of altsvc header
field fails.

nghttpx

nghttpx now verifies the OCSP response received from a program specified by
--fetch-ocsp-response-file. The validation can be turned off by using the
--no-verify-ocsp option. In this validation, it makes sure that the OCSP
response is targeted to the expected certificate. This is important because we
pass the file path to the external program (see --fetch-ocsp-response-file), and
if the file is replaced because of renewal, and nghttpx has not reloaded its
configuration, the certificate nghttpx has loaded and the one included in the
file differ. Verifying the OCSP response detects this, and avoids sending the wrong
OCSP response.

Files:
Revision  Action  File
1.26      modify  pkgsrc/www/nghttp2/Makefile
1.22      modify  pkgsrc/www/nghttp2/distinfo