HTTP2 and ALPN

When talking about ALPN, the thing to remember is that ALPN is a TLS extension negotiation protocol.  It’s a negotiator.  There’s a Client Hello sending the Cipher Suite it supports and there’s a Server Hello picking which Cipher it’s going to use from that list.  If you’re having any issues with HTTP2, it’s important to do a packet capture to see a) what Cipher is being used because it could be using a blacklisted Cipher Suite and b) confirm that the Client and Serer Hello ALPN’s are being sent.

You can check the Cipher Suite Black List:
https://datatracker.ietf.org/doc/html/rfc7540#appendix-A

#Look to see if the Cipher Suite is Black Listed#
You are making sure the Cipher Suite is supported by the product and not black listed.

Client Hello:
Transport Layer Security > TLSv1.2 Record Layer: Handshake Protocol: Client Hello > Handshake Protocol: Client Hello > Cipher Suites
http2-ciphersuites

Server Hello:
Transport Layer Security > TLSv1.2 Record Layer: Handshake Protocol: Client Hello > Handshake Protocol: Server Hello
http2-blacklist

#Verify that ALPN is being sent by both the Client and Server#

Good:
http2-alpn-working

Bad:
http2-alpn-notworking

You can see for the “Bad” that the server never sent ALPN. It’s either filtered on their side, they’re not using it, etc…

#Wireshark Packet Capture Filters Used#
Client Hello:
ssl.handshake.type == 1

Server Hello:
ssl.handshake.type == 2

More Stories
Windows 7/2008 and Newer built-in Packet Capture