Require ALPN when forcing HTTP/2 over TLS #631

Merged
arturobernalg merged 1 commit into apache:master from arturobernalg:ALPNnegotiation
Feb 22, 2026

@arturobernalg
Member

This PR fixes a conformance issue in the FORCE_HTTP_2 negotiation path: when running over TLS, the client could proceed with strictALPNHandshake=false and send the HTTP/2 preface even if ALPN was missing/empty (or not h2). For HTTPS, HTTP/2 startup must be explicitly negotiated via ALPN; otherwise the connection should fail fast.

RFC 9113 3.2 (Starting HTTP/2 for “https” URIs)
“A client that makes a request to an "https" URI uses TLS [TLS13] with the ALPN extension [TLS-ALPN].”

RFC 9113 3.3 (Starting HTTP/2 with Prior Knowledge)
“This only affects the establishment of HTTP/2 connections over cleartext TCP; HTTP/2 connections over TLS MUST use protocol negotiation in TLS [TLS-ALPN].”

When endpoint policy is FORCE_HTTP_2, require strict ALPN negotiation on TLS
sessions and fail if 'h2' is not negotiated (missing/empty/other protocol).
RFC 9113 §3.2, §3.3: HTTP/2 over TLS MUST use protocol negotiation in TLS (ALPN).
@arturobernalg arturobernalg requested a review from ok2c February 21, 2026 08:31
@arturobernalg arturobernalg merged commit 60e3d2c into apache:master Feb 22, 2026
10 checks passed
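
The rule described in this PR, sketched as an added example that is not code from the PR or from the project: on a TLS session a forced HTTP/2 policy fails unless ALPN selected `h2`, while cleartext keeps the prior-knowledge path of RFC 9113 §3.3. `AlpnGate`, `Policy`, `Version` and `select` are hypothetical names; the `alpn` argument stands for the value `SSLEngine.getApplicationProtocol()` reports after the handshake, and the HTTP/1.1 fallback under `NEGOTIATE` and the use of `SSLException` are assumptions.

```java
import javax.net.ssl.SSLException;

// Added illustration; every name here is hypothetical, not a project class.
public final class AlpnGate {

    enum Policy { FORCE_HTTP_1, FORCE_HTTP_2, NEGOTIATE }
    enum Version { HTTP_1_1, HTTP_2 }

    /**
     * Decides which protocol may be started on a connection.
     *
     * @param tls  true when the session runs over TLS
     * @param alpn post-handshake ALPN result: null or "" when nothing was
     *             selected, otherwise the protocol id chosen by the peer
     */
    static Version select(Policy policy, boolean tls, String alpn) throws SSLException {
        final boolean h2 = "h2".equals(alpn);
        switch (policy) {
            case FORCE_HTTP_2:
                // Over TLS the HTTP/2 preface is only allowed after ALPN chose h2.
                if (tls && !h2) {
                    final String seen = alpn == null || alpn.isEmpty() ? "none" : "'" + alpn + "'";
                    throw new SSLException("ALPN: 'h2' required, negotiated: " + seen);
                }
                // Cleartext: prior knowledge (RFC 9113 section 3.3) still applies.
                return Version.HTTP_2;
            case NEGOTIATE:
                // Assumed behaviour: fall back to HTTP/1.1 when h2 was not selected.
                return tls && h2 ? Version.HTTP_2 : Version.HTTP_1_1;
            default:
                return Version.HTTP_1_1;
        }
    }

    public static void main(String[] args) throws SSLException {
        // Constructed ALPN outcomes: missing, empty, other protocol, h2.
        final String[] constructed = { null, "", "http/1.1", "h2" };
        for (final String alpn : constructed) {
            try {
                System.out.println("TLS ALPN=" + alpn + " -> "
                        + select(Policy.FORCE_HTTP_2, true, alpn));
            } catch (SSLException ex) {
                System.out.println("TLS ALPN=" + alpn + " -> fail fast: " + ex.getMessage());
            }
        }
        System.out.println("cleartext -> " + select(Policy.FORCE_HTTP_2, false, null));
    }
}
```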
2 participants