Another overhead for HTTP1, we initialize h2 context(including hpack) even for http1. Would be better to do it, when we know protocol.

@krizhanovsky Why do we init higher layer protocol context(http and http2) before finishing lower layer connection establishing, I mean TLS. Is there a reason or just implemented this way?

Yes, this is kind of reversion of 3c97cb23d - we should initialize HTTP/2 context only for HTTP/2 connections. Note also #1422 - another HTTP/2 -related regression in HTTP/1.

@const-t Frankly, I don't remember why do we initialize HTTP/2 context before finishing TLS handshake. It makes sense to allocate memory necessary for HTTP/2 early to improve spacial locality and reduce number of allocator calls. But for now for me it seems that we can initialize the context later... Need to check commits history - I suppose this point should have been discussed at some point.

Another overhead for HTTP1, we initialize h2 context(including hpack) even for http1. Would be better to do it, when we know protocol.

I replace initialization h2 context for TFW_FSM_H2_HTTPS to tfw_http_msg_process

I suggesting another solution, please consider it:

1. Postpone all initialization of http2/http1 proto after handshake completeness.
2. Add to ss_proto_t flag negotiable or similar.
3. By default always use TFW_FSM_H2 or TFW_FSM_HTTP/S proto type.
4. If negotiable is true, at ALPN matching stage you just change the proto, to specified by ALPN.

With this approach we don't need TFW_FSM_H2_HTTPS dummy state.

Can we do this way?

bool
tfw_tls_alpn_match(const TlsCtx *tls, const ttls_alpn_proto *alpn)
{
	int sk_proto = ((SsProto *)tls->sk->sk_user_data)->type;
	TfwConn *conn = (TfwConn*)tls->sk->sk_user_data;

	/* Downgrade from HTTP2 to HTTP1. */
	if (sk_proto & Conn_Negotiable && alpn->id == TTLS_ALPN_ID_HTTP1) {
		conn->proto.type = (conn->proto.type & ~TFW_GFSM_FSM_MASK) |
					TFW_FSM_HTTPS;
		return true;
	}

	if (TFW_FSM_TYPE(sk_proto) == TFW_FSM_H2
	    && alpn->id == TTLS_ALPN_ID_HTTP2)
		return true;

	if (TFW_FSM_TYPE(sk_proto) == TFW_FSM_HTTPS
	    && alpn->id == TTLS_ALPN_ID_HTTP1)
		return true;

	return false;
}

And I would prefer to move:

if (tfw_h2_context_init(tfw_h2_context(conn))) {
    T_ERR("cannot establish a new h2 connection\n");
    return false;
}

to tfw_tls_over() callback, yes we add another one if branch to check proto, but from my point of view we can sacrifice this branch for better code. In this case tfw_tls_alpn_match will have only one responsibility - match alpn. But the part about context initiating is up to you.

Why do we need this?

Return this blank line please.

Please add comment to the code that describes why we have this condition.