Difference Between NPN and ALPN & How to Enable ALPN in Apache/Nginx

NPN (Next Protocol Negotiation) and ALPN (Application Layer Protocol Negotiation) are both TLS extensions. Since HTTPS, SPDY and HTTP/2 all operate on port 443, the client and server need to negotiate which application layer protocol (plain HTTP/1.1, SPDY or HTTP/2) to use after the SSL/TLS secure connection is established between them.

Difference Between NPN and ALPN

SPDY uses NPN to negotiate the application layer protocol, whereas HTTP/2 uses ALPN. In order to understand the difference between NPN and ALPN, you must have a basic understanding of how the SSL/TLS handshake works.

Both NPN and ALPN are used while the client and server are establishing the SSL/TLS connection. ALPN avoids an additional round trip because the client lists the application layer protocols it supports in the client hello message. The server chooses a protocol and includes it in the server hello message. In NPN, the server lists the supported protocols in the server hello message and lets the client choose. ALPN is the successor to NPN.

How ALPN Works

                Src: ietf.com

The following screenshot of a Wireshark capture shows that the client lists three protocols: h2, spdy/3.1 and http/1.1.

NPN and ALPN

And this screenshot of a Wireshark capture shows that the server chooses h2 as the application layer protocol.

ALPN server hello
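
The exchange shown in the two captures can be reproduced at the byte level. The following is an added example, not code from the original article: it encodes and strictly parses the ALPN extension as laid out in RFC 7301 (extension type 16, a length-prefixed list of protocol names) and models the server's choice. The function names and the server preference list are assumptions made for illustration.

```python
import struct

ALPN_EXT_TYPE = 16  # application_layer_protocol_negotiation (RFC 7301)

def encode_alpn(protocols):
    """Build the ALPN extension: type, length, then a length-prefixed name list."""
    names = b""
    for p in protocols:
        raw = p.encode("ascii")
        if not 1 <= len(raw) <= 255:
            raise ValueError("protocol name must be 1..255 bytes")
        names += bytes([len(raw)]) + raw
    body = struct.pack("!H", len(names)) + names
    return struct.pack("!HH", ALPN_EXT_TYPE, len(body)) + body

def decode_alpn(ext):
    """Parse an ALPN extension; reject truncated, inconsistent or empty lists."""
    if len(ext) < 6:
        raise ValueError("truncated extension")
    ext_type, ext_len, list_len = struct.unpack("!HHH", ext[:6])
    if ext_type != ALPN_EXT_TYPE:
        raise ValueError("not an ALPN extension")
    if ext_len != len(ext) - 4 or list_len != ext_len - 2 or list_len == 0:
        raise ValueError("length fields do not match payload")
    names, pos = [], 6
    while pos < len(ext):
        n = ext[pos]
        if n == 0 or pos + 1 + n > len(ext):
            raise ValueError("bad protocol name length")
        names.append(ext[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return names

def server_select(client_offer, server_prefs):
    """Pick the first server-preferred protocol that the client offered.
    None means no overlap (RFC 7301: fatal no_application_protocol alert, 120)."""
    for proto in server_prefs:
        if proto in client_offer:
            return proto
    return None

# Constructed ClientHello extension matching the capture described above.
CLIENT_EXT = encode_alpn(["h2", "spdy/3.1", "http/1.1"])

if __name__ == "__main__":
    offer = decode_alpn(CLIENT_EXT)
    choice = server_select(offer, ["h2", "http/1.1"])  # assumed server config
    print("client offers:", offer)
    print("ServerHello ALPN:", encode_alpn([choice]).hex() if choice else "alert 120")
```

The server hello carries the same extension with exactly one protocol name, which is why the second capture shows only h2.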

How to Enable ALPN

ALPN requires OpenSSL 1.0.2 or newer. Most Linux server distributions nowadays ship with a much newer version of OpenSSL, such as OpenSSL 1.1.1 on Ubuntu 18.04. You can check your server’s OpenSSL version by issuing the following command:

$ openssl version

Sample output:

OpenSSL 1.1.1 11 Sep 2018

ALPN is used in HTTP/2, so you need to enable HTTP/2 on your server. Check out the following post to see how it’s done.

How to Check ALPN Support on Your Server

After you enable HTTP/2 on your site, go to https://tools.keycdn.com/http2-test to check if ALPN is supported by your server.

You can also test your server's ALPN support with the following command:

echo | openssl s_client -alpn h2 -connect yourdomain.com:443 | grep ALPN

If your server does not support ALPN then you will see No ALPN negotiated.

If your server supports ALPN then you will get ALPN protocol: h2.

Wrapping Up

I hope this article helped you understand the difference between NPN and ALPN.

2 Responses to “Difference Between NPN and ALPN & How to Enable ALPN in Apache/Nginx”

  • Privacy Matters
    4 years ago

    FYI, the username and hostname weren’t blurred in one of the screenshots.

    • Xiao Guoan (Admin)
      4 years ago

      Thanks for pointing it out. It’s now blurred.
