
I know that if we are talking about a non-secured connection, it is possible to establish a connection via the HTTP/2 protocol without ALPN. But what about a TLS connection? The RFC says:

   A client MUST send the connection preface (Section 3.5) and then MAY
   immediately send HTTP/2 frames to such a server; servers can identify
   these connections by the presence of the connection preface.  This
   only affects the establishment of HTTP/2 connections over cleartext
   TCP; **implementations that support HTTP/2 over TLS MUST use protocol
   negotiation in TLS [TLS-ALPN]**.

Does it mean that both the server and the client must use ALPN to establish a connection via TLS and HTTP/2? Or are there workarounds and other options?

Igor_M

1 Answer


A compliant HTTP/2 client must send the ALPN extension for HTTP/2 over TLS.

However, what would a server do if the ALPN extension is not present? This may happen with old clients, or non-compliant clients, or attackers.

The server could be legitimately configured to speak only HTTP/2 (for example, https://h2.domain.com), so it may assume that the protocol being spoken is h2 without needing to negotiate it via ALPN. This is an implementation/configuration choice. (Another valid choice would be to just close the connection if ALPN is absent.)

The RFC also discusses the role of ALPN for cross-protocol attacks, see this section.

I think the intent of the RFC is to mandate the use of ALPN; however, a server should be prepared to receive connection attempts without ALPN, and at that point it can be configured to either close the connection or assume a default protocol, which is typically http/1.1, but could as well be h2.

Keep in mind that you may always use TLS without ALPN and perform an HTTP/1.1 to HTTP/2 upgrade request (where, as in ALPN, you declare which protocol you want to upgrade to), which would typically succeed, as servers should support the HTTP/1.1 to HTTP/2 upgrade. So you would be able to speak HTTP/2 to such servers, after the upgrade, even without ALPN.

A server may assume that if ALPN is missing, the client wants to try with an HTTP/1.1 to HTTP/2 upgrade. If the server does not see the upgrade (but directly the HTTP/2 client preface), it may reply with 426 Upgrade Required (see here).

sbordet
  • I use an OkHttpClient which supports ALPN. I need to establish a TLS connection via HTTP/2 to a server which is not developed by me. This server does not support ALPN, and HTTP/1.1 is disabled (only HTTP/2 is enabled). In the Client Hello message I send ALPN, but the server does not support it. As a result, the connection is not established. What can I do to establish the connection? – Igor_M Jan 25 '22 at 11:44
  • You need to understand how you can configure the server to accept the connection. As I said, if the server does not support ALPN but speaks HTTP/2, it may be configured either to accept the connection and speak HTTP/2 immediately, or to close the connection. Alternatively, you could disable ALPN (either not send the ALPN extension at all, or send it empty) on the client and just do a plain HTTP/1.1 to HTTP/2 upgrade (not sure how you can do that with `OkHttpClient`). – sbordet Jan 25 '22 at 16:55
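The server-side policies discussed in the answer and comments (trust ALPN when present; otherwise recognise h2 from the connection preface, assume HTTP/1.1, or close), and the ALPN-unaware server from the comments, can be exercised end to end with a small Go program. This is an added example, not code from the question, the answer, or OkHttpClient; the names `startServer`, `probe` and `classify` are illustrative, the HTTP/1.1 request and the loopback self-signed certificate are constructed for the demo, and `serverALPN == nil` is used to model a server that simply ignores the client's ALPN extension.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// Connection preface every HTTP/2 client sends first (RFC 7540 section 3.5).
const h2Preface = "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"

// Constructed HTTP/1.1 request, used as the "client is not speaking h2" input.
const h1Request = "GET / HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n"

// selfSignedCert builds a throwaway in-memory certificate for 127.0.0.1 so the
// example runs offline. Demo only: never ship a cert generated like this.
func selfSignedCert() tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "alpn-example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// classify is the server-side policy: a protocol negotiated via ALPN wins;
// without ALPN, peek at the first bytes for the h2 preface; if there is
// neither, either close (strict) or assume HTTP/1.1.
func classify(conn *tls.Conn, strict bool) string {
	if err := conn.Handshake(); err != nil {
		return "handshake failed: " + err.Error()
	}
	if p := conn.ConnectionState().NegotiatedProtocol; p != "" {
		return p + " (alpn)"
	}
	conn.SetReadDeadline(time.Now().Add(2 * time.Second)) // don't hang on a silent client
	head, err := bufio.NewReader(conn).Peek(len(h2Preface))
	if err != nil {
		return "closed (no alpn, nothing readable)"
	}
	if string(head) == h2Preface {
		return "h2 (preface, no alpn)"
	}
	if strict {
		return "closed (no alpn, no h2 preface)"
	}
	return "http/1.1 (assumed)"
}

// startServer listens on loopback and returns its address. A nil serverALPN
// models a server that does not implement ALPN (it ignores the extension).
// Each connection gets the verdict echoed back, then is closed.
func startServer(serverALPN []string, strict bool) string {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{selfSignedCert()},
		NextProtos:   serverALPN,
	})
	if err != nil {
		panic(err)
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(tc *tls.Conn) {
				defer tc.Close()
				io.WriteString(tc, classify(tc, strict))
			}(c.(*tls.Conn))
		}
	}()
	return ln.Addr().String()
}

// probe connects as a client; a nil clientALPN sends no ALPN extension at all.
// It returns the server's verdict, or the TLS error text if the handshake fails.
func probe(addr string, clientALPN []string, payload string) string {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		InsecureSkipVerify: true, // self-signed demo cert only
		NextProtos:         clientALPN,
	})
	if err != nil {
		return "client error: " + err.Error()
	}
	defer conn.Close()
	io.WriteString(conn, payload)
	reply, _ := io.ReadAll(conn)
	return string(reply)
}

func main() {
	alpnServer := startServer([]string{"h2", "http/1.1"}, false) // compliant, lenient
	legacyServer := startServer(nil, true)                        // no ALPN support, strict
	fmt.Println(probe(alpnServer, []string{"h2"}, h2Preface))     // h2 (alpn)
	fmt.Println(probe(alpnServer, nil, h2Preface))                // h2 (preface, no alpn)
	fmt.Println(probe(alpnServer, nil, h1Request))                // http/1.1 (assumed)
	fmt.Println(probe(legacyServer, []string{"h2"}, h2Preface))   // h2 (preface, no alpn)
	fmt.Println(probe(legacyServer, nil, h1Request))              // closed (no alpn, no h2 preface)
}
```

The fourth probe is the situation from the comments: the client offers h2 in ALPN, the server ignores the extension, and the connection still works only because this server is configured to recognise the preface. The last probe shows the other policy the answer mentions, closing when there is neither ALPN nor a preface; a real server would normally close without echoing a reason.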