Difference Between NPN and ALPN plus How to Enable ALPN on Your Site

NPN (Next Protocol Negotiation) and ALPN (Application Layer Protocol Negotiation) are both TLS extensions. Because HTTPS, SPDY and HTTP/2 all operate on port 443, the client and server need to negotiate which application layer protocol (plain HTTP/1.1, SPDY or HTTP/2) to use after the SSL/TLS secure connection is established between them.

Difference Between NPN and ALPN

SPDY uses NPN to negotiate the application layer protocol, whereas HTTP/2 uses ALPN. To understand the difference between NPN and ALPN, you need a basic understanding of how the SSL/TLS handshake works.

Both NPN and ALPN are used while the client and server are establishing the SSL/TLS connection. ALPN avoids an additional round trip because the client lists the application layer protocols it supports in the client hello message. The server chooses a protocol and includes it in the server hello message. In NPN, the server lists the supported protocols in the server hello message and lets the client choose. ALPN is the successor to NPN.

How ALPN Works

                Src: ietf.com

The following screenshot of a Wireshark capture shows that the client lists three protocols: h2, spdy/3.1 and http/1.1.


And this screenshot of a Wireshark capture shows that the server chooses h2 as the application layer protocol.

ALPN server hello
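
The exchange described above, as an added example that is not part of the original post: it encodes and parses the ALPN extension in the RFC 7301 wire format and selects a protocol on the server side, using a constructed client offer of h2, spdy/3.1 and http/1.1. The function names and the server-preference selection policy are assumptions made for illustration.

```python
import struct

ALPN_EXT_TYPE = 16  # application_layer_protocol_negotiation (RFC 7301)

def encode_alpn_extension(protocols):
    """Build the ALPN extension as carried in a client hello or server hello."""
    names = b""
    for p in protocols:
        raw = p.encode("ascii")
        if not 1 <= len(raw) <= 255:
            raise ValueError("protocol name must be 1..255 bytes")
        names += bytes([len(raw)]) + raw              # 1-byte length + name
    body = struct.pack("!H", len(names)) + names      # 2-byte list length + list
    return struct.pack("!HH", ALPN_EXT_TYPE, len(body)) + body

def parse_alpn_extension(ext):
    """Return the protocol names in an ALPN extension, rejecting bad lengths."""
    if len(ext) < 6:
        raise ValueError("truncated extension")
    ext_type, ext_len, list_len = struct.unpack("!HHH", ext[:6])
    if ext_type != ALPN_EXT_TYPE:
        raise ValueError("not an ALPN extension")
    if ext_len != len(ext) - 4 or list_len != ext_len - 2:
        raise ValueError("length fields disagree")
    names, pos = [], 6
    while pos < len(ext):
        n = ext[pos]
        if n == 0 or pos + 1 + n > len(ext):
            raise ValueError("bad protocol name length")
        names.append(ext[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return names

def server_select(client_offer, server_prefs):
    """Assumed policy: first entry in the server's list that the client offered."""
    for proto in server_prefs:
        if proto in client_offer:
            return proto
    return None  # RFC 7301: the server sends a fatal no_application_protocol alert

# Constructed sample: the three protocols the client lists in the capture above.
CLIENT_HELLO_ALPN = encode_alpn_extension(["h2", "spdy/3.1", "http/1.1"])

def negotiate(client_ext, server_prefs):
    """Return (chosen protocol, server hello ALPN extension with that one name)."""
    chosen = server_select(parse_alpn_extension(client_ext), server_prefs)
    return chosen, (encode_alpn_extension([chosen]) if chosen else None)

if __name__ == "__main__":
    print(CLIENT_HELLO_ALPN.hex(), negotiate(CLIENT_HELLO_ALPN, ["h2", "http/1.1"]))
```
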

How to Check ALPN Support on Your Server

ALPN is used in HTTP/2, so first you need to enable HTTP/2 on your server. Check out the following post to see how it’s done.

What are SPDY and HTTP/2 and how to enable them on Nginx

After you enable HTTP/2 on your site, go to https://tools.keycdn.com/http2-test to check if ALPN is supported by your server.

You can also test your server's ALPN support with the following command:

echo | openssl s_client -alpn h2 -connect yourdomain.com:443 | grep ALPN

If your server does not support ALPN then you will see No ALPN negotiated.


If your server supports ALPN then you will get ALPN protocol: h2.


ALPN requires OpenSSL 1.0.2, and most Linux server distributions only support up to OpenSSL 1.0.1, so it’s very likely that your server does not support ALPN. You can check your server’s OpenSSL version by issuing the following command:

$ openssl version
OpenSSL 1.0.2e 3 Dec 2015

How to Enable ALPN on Nginx

To enable ALPN on Nginx, first you need to upgrade OpenSSL to 1.0.2 on your server. If you are using Ubuntu 15.10, then your system has OpenSSL 1.0.2d. To upgrade to Ubuntu 15.10, you simply need to enter the following command in the terminal:

sudo apt-get upgrade;sudo apt-get dist-upgrade


sudo reboot

Once you have OpenSSL 1.0.2, you should link Nginx with the new version of OpenSSL.

Go to the HTTP/2 test page again, and you will see that ALPN is supported by your server.

check ALPN support
