Difference Between NPN and ALPN plus How to Enable ALPN on Your Site
NPN (Next Protocol Negotiation) and ALPN (Application Layer Protocol Negotiation) are both TLS extensions. Since HTTPS, SPDY and HTTP/2 all operate on port 443, the client and server need to negotiate which application layer protocol (plain HTTP/1.1, SPDY or HTTP/2) to use after the SSL/TLS secure connection is established between them.
Difference Between NPN and ALPN
SPDY uses NPN to negotiate the application layer protocol, whereas HTTP/2 uses ALPN. To understand the difference between NPN and ALPN, you need a basic understanding of how the SSL/TLS handshake works.
Both NPN and ALPN are used while the client and server are establishing the SSL/TLS connection. ALPN avoids an additional round trip because the client lists the application layer protocols it supports in the client hello message. The server chooses a protocol and includes it in the server hello message. In NPN, the server lists the supported protocols in the server hello message and lets the client choose. ALPN is the successor to NPN.
The following screenshot of a Wireshark capture shows that the client lists three protocols: h2, spdy/3.1 and http/1.1.
And this screenshot of a Wireshark capture shows that the server chooses h2 as the application layer protocol.
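The exchange described above can be reproduced at the byte level. The following is an added example, not code from the original post: it encodes the ALPN extension as laid out in RFC 7301 (extension type 16, a length-prefixed list of length-prefixed protocol names), parses it with length checks, and picks a protocol on the server side. Selecting by server preference order and the function names are assumptions made for the illustration.

```python
import struct

ALPN_EXT_TYPE = 16  # application_layer_protocol_negotiation (RFC 7301)

def encode_alpn_extension(protocols):
    """Build the ALPN extension: type, length, then a ProtocolNameList."""
    names = b""
    for p in protocols:
        raw = p.encode("ascii")
        if not 1 <= len(raw) <= 255:
            raise ValueError("protocol name must be 1..255 bytes")
        names += bytes([len(raw)]) + raw
    body = struct.pack("!H", len(names)) + names
    return struct.pack("!HH", ALPN_EXT_TYPE, len(body)) + body

def decode_alpn_extension(data):
    """Parse an ALPN extension and return the protocol names in order."""
    if len(data) < 6:
        raise ValueError("truncated extension")
    ext_type, ext_len, list_len = struct.unpack("!HHH", data[:6])
    if ext_type != ALPN_EXT_TYPE:
        raise ValueError("not an ALPN extension")
    if ext_len != len(data) - 4 or list_len != ext_len - 2:
        raise ValueError("length fields do not match payload")
    names, pos = [], 6
    while pos < len(data):
        n = data[pos]
        name = data[pos + 1:pos + 1 + n]
        if n == 0 or len(name) != n:
            raise ValueError("malformed protocol name")
        names.append(name.decode("ascii"))
        pos += 1 + n
    return names

def server_select(client_hello_ext, server_preference):
    """Server side: pick the first server-preferred protocol the client offered.
    Returns (chosen, server_hello_extension), or (None, None) when nothing
    matches (RFC 7301 has the server abort with no_application_protocol)."""
    offered = decode_alpn_extension(client_hello_ext)
    for proto in server_preference:
        if proto in offered:
            return proto, encode_alpn_extension([proto])
    return None, None

# Constructed sample: the three protocols from the capture described above.
CLIENT_EXT = encode_alpn_extension(["h2", "spdy/3.1", "http/1.1"])

if __name__ == "__main__":
    chosen, reply = server_select(CLIENT_EXT, ["h2", "http/1.1"])
    print(CLIENT_EXT.hex(), "->", chosen, reply.hex())
```

The server hello carries exactly one protocol name, which is why ALPN needs no extra round trip: the client's list and the server's answer ride on messages the handshake sends anyway.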
How to Check ALPN Support on Your Server
ALPN is used in HTTP/2, so first you need to enable HTTP/2 on your server. Check out the following post to see how it’s done.
After you enable HTTP/2 on your site, go to https://tools.keycdn.com/http2-test to check if ALPN is supported by your server.
You can also test whether your server supports ALPN with the following command:
echo | openssl s_client -alpn h2 -connect yourdomain.com:443 | grep ALPN
If your server does not support ALPN then you will see No ALPN negotiated.
If your server supports ALPN then you will get ALPN protocol: h2.
ALPN requires OpenSSL 1.0.2, and most Linux server distributions only support up to OpenSSL 1.0.1, so it’s very likely that your server does not support ALPN. You can check your server’s OpenSSL version by issuing the following command:
$ openssl version
OpenSSL 1.0.2e 3 Dec 2015
How to Enable ALPN on Nginx
To enable ALPN on Nginx, you first need to upgrade OpenSSL to 1.0.2 on your server. If you are using Ubuntu 15.10, your system already has OpenSSL 1.0.2d. To upgrade to Ubuntu 15.10, enter the following commands in the terminal:
sudo apt-get upgrade; sudo apt-get dist-upgrade
sudo do-release-upgrade
sudo reboot
Once you have OpenSSL 1.0.2, you should link Nginx with the new version of OpenSSL.
Go to the HTTP/2 test page again, and you will see that ALPN is supported by your server.