Support ALPN as soon as possible to cope with Google Chrome’s new strategy

Chrome will change negotiation protocol on May 31^st 2016. It is predicted to remove the support of NPN in Chrome 51 and only support ALPN, which aims to promote the upgrade and development of WEB. However, ALPN needs to be supported by OpenSSL 1.0.2, which in fact has low coverage and may lead to a great number of HTTP/2 websites that do not support ALPN failing to negotiate with HTTP/2.

What are NPN and ALPN?

NPN (Next Protocol Negotiation) is a TLS extension put forward by Google when developing SPDY protocol. It is the protocol used to choose either HTTP/1.1 or HTTP/2 between server and browser. With SPDY being replaced by HTTP/2, NPN is revised into ALPN (Application Layer Protocol Negotiation), both of which have the same target to negotiate which HTTP version should be used between server and browser. But the implementation details are different and they do not have mutual consistency.

Why does NPN removing lead to the failure of negotiating with HTTP/2?

Browser needs the help of HTTP/2 negotiation protocol to know whether the server is supportive of HTTP/2. NPN of TLS or ALPN extension can be used to complete the negotiation.

Both browser and server being supportive of NPN or ALPN negotiation is the premise of using HTTP/2.

Most Web Server depends on OpenSSL to provide HTTPS service. Whether they are supportive of NPN or ALPN completely lies on the OpenSSL version they use.

OpenSSL 1.0.2 supports ALPN, but it has low coverage among mainstream operating systems.

Upgrade suggestions

Whether your HTTP/2 service is supportive of ALPN extension can be checked by OpenSSL command line tool:

openssl s_client -alpn h2 -servername imququ.com -connect imququ.com:443 < /dev/null | grep 'ALPN'

If unknown option – alpn is prompted, the local OpenSSL version is outdated (you can check by openssl version) and you need to upgrade it to 1.0.2+. If it is inconvenient for you to upgrade, you can use the SSLLabs online tool to do the test.

If the results contain ALPN protocol: h2, the server supports ALPN and will not be affected by Chrome 51 removing NPN.

If the results contain No ALPN negotiated, the server is not supportive of ALPN and will not negotiate with HTTP/2 in Chrome 51. You need to upgrade it as soon as possible.

Note

Problems will be caused if you upgrade the OpenSSL built-in the system because OpenSSL is system based library and lots of software depends on it. The more reliable method is to specify the location of OpenSSL by yourself when compile Web Server.

If you are using LibreSSL as the SSL library of WebServer, you’ll need to upgrade to 2.1.3+ so that it can support ALPN.

References:

https://imququ.com/post/enable-alpn-asap.html

https://ma.ttias.be/day-google-chrome-disables-http2-nearly-everyone-may-31st-2016/

http://www.zcfy.cc/article/288