Is ALPN mandatory for server to establish TLSv1.3 connection via http/2 ("h2") protocol?


I know that if we talk about a non-secured connection, it is possible to establish a connection via the http/2 protocol without ALPN. But what about a TLS connection? The RFC says:

   A client MUST send the connection preface (Section 3.5) and then MAY
   immediately send HTTP/2 frames to such a server; servers can identify
   these connections by the presence of the connection preface.  This
   only affects the establishment of HTTP/2 connections over cleartext
   TCP; **implementations that support HTTP/2 over TLS MUST use protocol
   negotiation in TLS [TLS-ALPN]**.

Does it mean that both server and client must use ALPN to establish a connection via TLS and http2? Or are there workarounds and other options?


sbordet

A compliant HTTP/2 client must send the ALPN extension for HTTP/2 over TLS.

However, what would a server do if the ALPN extension is not present? This may happen with old clients, or non-compliant clients, or attackers.

The server could be legitimately configured to speak only HTTP/2 (for example, https://h2.domain.com), so it may assume that the protocol being spoken is h2 without the need to negotiate it via ALPN. This is an implementation/configuration choice. (Another valid choice could be to just close the connection if ALPN is absent.)

The RFC also discusses the role of ALPN for cross-protocol attacks, see this section.

I think the intent of the RFC is to mandate the use of ALPN; however, a server should be prepared to receive connection attempts without ALPN, and at that point it can be configured to either close the connection or assume a default protocol, which is typically http/1.1, but could as well be h2.

Keep in mind that you may always use TLS without ALPN and perform an HTTP/1.1 to HTTP/2 upgrade request (where, like in ALPN, you declare what protocol you want to upgrade to), which would typically succeed as servers should support HTTP/1.1 to HTTP/2 upgrade. So you would be able to speak HTTP/2 to such servers, after the upgrade, even without ALPN.

A server may assume that if ALPN is missing, the client wants to try with an HTTP/1.1 to HTTP/2 upgrade. If the server does not see the upgrade (but directly the HTTP/2 client preface), it may reply with 426 Upgrade Required (see here).
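The decision logic described in this answer, as an added example that is not part of the original post and not code from any particular server: a Go program (standard library only) that runs a TLS 1.3 handshake over a loopback socket with a server offering `h2` and `http/1.1`, once with a client that sends ALPN and once with a client that sends none, then applies an operator policy to the (possibly empty) negotiated value. `decideProtocol`, `classifyFirstBytes`, `negotiateOverLoopback` and the policy parameter are names chosen here; the self-signed certificate and the HTTP request bytes in the test are constructed for the demo. Treating `h2` as well as the RFC's `h2c` token in an `Upgrade` header as an upgrade attempt is an assumption made for illustration; replying 426 to a bare HTTP/2 preface follows the last paragraph above.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"time"
)

// h2Preface is the fixed client connection preface from RFC 7540 section 3.5.
const h2Preface = "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"

// decideProtocol maps the ALPN value the server negotiated ("" when the client sent none)
// to the protocol to speak; defaultProto is the operator's no-ALPN choice, "" means close.
func decideProtocol(negotiated, defaultProto string) (proto string, closeConn bool) {
	if negotiated != "" { // tls.Config.NextProtos restricts this to what we offered
		return negotiated, false
	}
	if defaultProto == "" {
		return "", true
	}
	return defaultProto, false
}

// classifyFirstBytes inspects what a no-ALPN client sends after the handshake: a raw
// HTTP/2 preface gets 426, an HTTP/1.1 Upgrade request gets 101, a plain request 0 (serve it).
func classifyFirstBytes(first []byte) (kind string, status int) {
	if bytes.HasPrefix(first, []byte(h2Preface)) {
		return "h2-preface", http.StatusUpgradeRequired
	}
	req, err := http.ReadRequest(bufio.NewReader(bytes.NewReader(first)))
	if err != nil {
		return "unknown", http.StatusBadRequest
	}
	if u := req.Header.Get("Upgrade"); u == "h2c" || u == "h2" { // assumption: accept either token
		return "h1-upgrade", http.StatusSwitchingProtocols
	}
	return "h1", 0
}

// negotiateOverLoopback runs one TLS 1.3 handshake against a loopback server offering h2 and
// http/1.1 and returns the ALPN value the server saw; clientProtos == nil sends no ALPN at all.
func negotiateOverLoopback(clientProtos []string) (string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // throwaway self-signed cert, demo only
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return "", err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	var seen string
	errc := make(chan error, 1)
	go func() { // server side: offer both protocols and record what was negotiated
		raw, err := ln.Accept()
		if err != nil {
			errc <- err
			return
		}
		srv := tls.Server(raw, &tls.Config{
			Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv}},
			NextProtos:   []string{"h2", "http/1.1"}, MinVersion: tls.VersionTLS13})
		defer srv.Close()
		err = srv.Handshake()
		seen = srv.ConnectionState().NegotiatedProtocol
		errc <- err
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{NextProtos: clientProtos,
		MinVersion: tls.VersionTLS13, InsecureSkipVerify: true}) // loopback demo with a self-signed cert only
	if err != nil {
		return "", err
	}
	defer cli.Close()
	err = <-errc // wait for the server side before reading seen
	return seen, err
}

func main() {
	for _, offered := range [][]string{{"h2"}, {"http/1.1"}, nil} {
		seen, err := negotiateOverLoopback(offered)
		proto, closeConn := decideProtocol(seen, "http/1.1")
		fmt.Printf("client offered %v: err=%v, ALPN %q -> speak %q (close=%v)\n", offered, err, seen, proto, closeConn)
	}
	fmt.Println(classifyFirstBytes([]byte(h2Preface))) // prints: h2-preface 426
}
```

The loopback run shows the point of the answer concretely: Go's server reports an empty `NegotiatedProtocol` for a client without ALPN rather than failing the handshake, so the server, not TLS, has to decide whether that connection is closed, assumed to be HTTP/1.1, or assumed to be h2. Passing `""` as the default models the "just close the connection" configuration.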