When talking about ALPN, the thing to remember is that ALPN (Application-Layer Protocol Negotiation) is a TLS extension, and it’s a negotiator: the Client Hello carries the lists the client supports (its Cipher Suites and its ALPN protocols) and the Server Hello picks one entry from each list. If you’re having any issues with HTTP2, it’s important to do a packet capture to see a) which Cipher Suite was chosen, because it could be a black-listed Cipher Suite, and b) confirm that ALPN is present in both the Client Hello and the Server Hello.
You can check the Cipher Suite Black List:
https://datatracker.ietf.org/doc/html/rfc7540#appendix-A
#Look to see if the Cipher Suite is Black Listed#
You are making sure the Cipher Suite is supported by the product and not black listed.
Client Hello:
Transport Layer Security > TLSv1.2 Record Layer: Handshake Protocol: Client Hello > Handshake Protocol: Client Hello > Cipher Suites
Server Hello:
Transport Layer Security > TLSv1.2 Record Layer: Handshake Protocol: Server Hello > Handshake Protocol: Server Hello > Cipher Suite
#Verify that ALPN is being sent by both the Client and Server#
Good:
Bad:
You can see in the “Bad” capture that the server never sent ALPN. Either it’s filtered on their side, they’re not using it, or something similar.
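The two checks above (is the chosen Cipher Suite black-listed, and did both sides send ALPN) can also be scripted against the raw handshake bytes. The following is an added example, not code from the original post: it builds a constructed Client Hello and Server Hello, parses the cipher-suite list and the ALPN extension out of each, and reports the same findings you would look for in the capture. The `SUITE_NAMES` table is a small subset of the IANA registry, and `is_blacklisted` is an assumed approximation of RFC 7540 Appendix A (HTTP/2 requires an ephemeral key exchange and an AEAD cipher); the appendix itself remains the authoritative list.

```python
"""Parse Cipher Suites and ALPN out of TLS Client/Server Hello messages and flag
HTTP/2 problems: a black-listed suite or a missing ALPN extension (added example)."""
import struct

HANDSHAKE = 22      # TLS record content type
CLIENT_HELLO = 1    # handshake message types (same values as the Wireshark filters)
SERVER_HELLO = 2
EXT_ALPN = 16       # extension type for application_layer_protocol_negotiation

# Subset of the IANA cipher-suite registry used for demonstration.
SUITE_NAMES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}


def is_blacklisted(name):
    """Assumed approximation of RFC 7540 Appendix A: a suite is acceptable for HTTP/2
    only with ephemeral key exchange (ECDHE/DHE, not anonymous) and an AEAD cipher."""
    ephemeral = ("_ECDHE_" in name or "_DHE_" in name) and "_anon_" not in name
    aead = any(tag in name for tag in ("_GCM_", "_CCM", "CHACHA20"))
    return not (ephemeral and aead)


def parse_hello(record):
    """Return {'type', 'cipher_suites', 'alpn'} from one TLS handshake record."""
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + rlen]
    htype = body[0]
    hlen = int.from_bytes(body[1:4], "big")
    msg = body[4:4 + hlen]
    pos = 2 + 32                      # skip protocol version and random
    sid_len = msg[pos]
    pos += 1 + sid_len                # skip session id
    if htype == CLIENT_HELLO:         # client offers a list of suites
        cs_len = struct.unpack("!H", msg[pos:pos + 2])[0]
        pos += 2
        suites = [struct.unpack("!H", msg[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        comp_len = msg[pos]
        pos += 1 + comp_len           # skip compression methods
    elif htype == SERVER_HELLO:       # server picks exactly one suite
        suites = [struct.unpack("!H", msg[pos:pos + 2])[0]]
        pos += 2 + 1                  # suite + compression method
    else:
        raise ValueError("not a Client or Server Hello")
    alpn = []
    if pos + 2 <= len(msg):           # extensions block is optional
        ext_len = struct.unpack("!H", msg[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", msg[pos:pos + 4])
            pos += 4
            edata = msg[pos:pos + elen]
            pos += elen
            if etype == EXT_ALPN:     # ProtocolNameList: 2-byte length, then <len><name>...
                list_len = struct.unpack("!H", edata[:2])[0]
                q = 2
                while q < 2 + list_len:
                    n = edata[q]
                    alpn.append(edata[q + 1:q + 1 + n].decode("ascii"))
                    q += 1 + n
    return {"type": htype, "cipher_suites": suites, "alpn": alpn}


def _alpn_ext(protocols):
    entries = b"".join(bytes([len(p)]) + p.encode("ascii") for p in protocols)
    lst = struct.pack("!H", len(entries)) + entries
    return struct.pack("!HH", EXT_ALPN, len(lst)) + lst


def _wrap(htype, hello_body):
    hs = bytes([htype]) + len(hello_body).to_bytes(3, "big") + hello_body
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(hs)) + hs


def build_client_hello(suites, alpn):
    """Constructed TLS 1.2 Client Hello (fixed random, empty session id)."""
    body = struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00"
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    ext = _alpn_ext(alpn) if alpn else b""
    return _wrap(CLIENT_HELLO, body + struct.pack("!H", len(ext)) + ext)


def build_server_hello(suite, alpn):
    """Constructed TLS 1.2 Server Hello; alpn=[] models a server that sends no ALPN."""
    body = struct.pack("!H", 0x0303) + b"\x22" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    ext = _alpn_ext(alpn) if alpn else b""
    return _wrap(SERVER_HELLO, body + struct.pack("!H", len(ext)) + ext)


def check_http2(client_record, server_record):
    """Return the troubleshooting findings for one Client Hello / Server Hello pair."""
    ch, sh = parse_hello(client_record), parse_hello(server_record)
    findings = []
    if "h2" not in ch["alpn"]:
        findings.append("client did not offer h2 via ALPN")
    if not sh["alpn"]:
        findings.append("server sent no ALPN extension")
    elif sh["alpn"] != ["h2"]:
        findings.append("server selected %s instead of h2" % sh["alpn"])
    chosen = sh["cipher_suites"][0]
    name = SUITE_NAMES.get(chosen, "0x%04X" % chosen)
    if is_blacklisted(name):
        findings.append("server chose black-listed suite %s" % name)
    return findings


if __name__ == "__main__":
    client = build_client_hello([0xC02F, 0x002F], ["h2", "http/1.1"])
    print("good:", check_http2(client, build_server_hello(0xC02F, ["h2"])))
    print("bad: ", check_http2(client, build_server_hello(0x002F, [])))
```

The "bad" pair reproduces the capture above: the server answers without any ALPN extension and picks an RSA/CBC suite, so both findings fire; the "good" pair returns an empty list.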
#Wireshark Packet Capture Filters Used#
Client Hello:
ssl.handshake.type == 1
Server Hello:
ssl.handshake.type == 2