Prefer HTTP/1.1 in ALPN negotiation, unless only H2 is supported

pimterry · pimterry · commit 4fa5a98668f8 · 2025-06-13T17:28:26.000+02:00
This is useful because it's simpler for many end use cases, and with the
new SNI endpoints you can now externally control it anyway (e.g.
http2.http1.testserver.host will prefer HTTP/2 but support both).
diff --git a/src/tls-handler.ts b/src/tls-handler.ts
@@ -14,7 +14,8 @@ interface TlsHandlerConfig {
     };
 }
 
-const supportedProtocolFilters: { [key: string]: string } = {
+const DEFAULT_ALPN_PROTOCOLS = ['http/1.1', 'h2'];
+const SNI_PROTOCOL_FILTERS: { [key: string]: string } = {
     'http2': 'h2',
     'http1': 'http/1.1'
 };
@@ -41,14 +42,16 @@ export async function createTlsHandler(
             const serverNameParts = getSNIPrefixParts(servername, tlsConfig.rootDomain);
 
             let protocolFilterNames = serverNameParts.filter(protocol =>
-                supportedProtocolFilters[protocol]
+                SNI_PROTOCOL_FILTERS[protocol]
             );
             const serverProtocols = protocolFilterNames.length > 0
-                ? protocolFilterNames.map(protocol => supportedProtocolFilters[protocol])
-                : Object.values(supportedProtocolFilters);
+                ? protocolFilterNames.map(protocol => SNI_PROTOCOL_FILTERS[protocol])
+                : DEFAULT_ALPN_PROTOCOLS;
 
-            // Follow the clients preferences, within the protocols we support:
-            return clientProtocols.find(protocol => serverProtocols.includes(protocol));
+            // Enforce our own protocol preference over the client's (they can
+            // specify a preference via SNI, if they so choose). This also means
+            // we accept a preference order in our SNI as well e.g. http2.http1.*.
+            return serverProtocols.find(protocol => clientProtocols.includes(protocol));
         },
         SNICallback: (domain: string, cb: Function) => {
             const serverNameParts = getSNIPrefixParts(domain, tlsConfig.rootDomain);
diff --git a/test/https.spec.ts b/test/https.spec.ts
@@ -66,7 +66,7 @@ Connection: keep-alive
         expect(result).to.equal('Failed: Client network socket disconnected before secure TLS connection was established');
     });
 
-    it("negotiates http2 for http2.*", async () => {
+    it("negotiate http2 for http2.*", async () => {
         const conn = tls.connect({
             port: serverPort,
             servername: 'http2.localhost',
@@ -83,7 +83,7 @@ Connection: keep-alive
         expect(selectedProtocol).to.equal('h2');
     });
 
-    it("negotiates http1.1 for http1.*", async () => {
+    it("negotiate http1.1 for http1.*", async () => {
         const conn = tls.connect({
             port: serverPort,
             servername: 'http1.localhost',
@@ -100,11 +100,29 @@ Connection: keep-alive
         expect(selectedProtocol).to.equal('http/1.1');
     });
 
-    it("follows client ALPN preference if all are supported", async () => {
+    it("can use multiple SNI parts to control ALPN preference order", async () => {
+        const conn = tls.connect({
+            port: serverPort,
+            servername: 'http2.http1.localhost',
+            ALPNProtocols: ['http/1.1', 'h2'],
+            rejectUnauthorized: false // Needed as it's untrusted
+        });
+
+        const selectedProtocol = await new Promise<any>((resolve, reject) => {
+            conn.on('secureConnect', () => resolve(conn.alpnProtocol));
+            conn.on('error', reject);
+        });
+        conn.destroy();
+
+        expect(selectedProtocol).to.equal('h2');
+    });
+
+    it("overrides client ALPN preference if no preference is shown, unless forced", async () => {
         await Promise.all([
-            ['h2', 'http/1.1'],
-            ['http/1.1', 'h2']
-        ].map(async (protocols) => {
+            { protocols: ['h2', 'http/1.1'], expected: 'http/1.1' },
+            { protocols: ['http/1.1', 'h2'], expected: 'http/1.1' },
+            { protocols: ['h2'], expected: 'h2' }
+        ].map(async ({ protocols, expected }) => {
             const conn = tls.connect({
                 port: serverPort,
                 servername: 'do-anything.localhost',
@@ -117,7 +135,7 @@ Connection: keep-alive
                 conn.on('error', reject);
             });
             conn.destroy();
-            expect(selectedProtocol).to.equal(protocols[0]);
+            expect(selectedProtocol).to.equal(expected);
         }));
     });
 
