From 94ee3aac02441c15524a5c1f60687d8e6a227c85 Mon Sep 17 00:00:00 2001 From: Stuart Douglas Date: Tue, 21 Mar 2017 11:06:54 +1100 Subject: [PATCH] UNDERTOW-1027 Check enabled protocols as well as ciphers when determining ALPN avaibility --- .../server/protocol/http/AlpnOpenListener.java | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/core/src/main/java/io/undertow/server/protocol/http/AlpnOpenListener.java b/core/src/main/java/io/undertow/server/protocol/http/AlpnOpenListener.java index 959288460f..767e859550 100644 --- a/core/src/main/java/io/undertow/server/protocol/http/AlpnOpenListener.java +++ b/core/src/main/java/io/undertow/server/protocol/http/AlpnOpenListener.java @@ -63,6 +63,7 @@ public class AlpnOpenListener implements ChannelListener, Open * HTTP/2 required cipher. Not strictly part of ALPN but it can live here for now till we have a better solution. */ public static final String REQUIRED_CIPHER = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"; + public static final String REQUIRED_PROTOCOL = "TLSv1.2"; private final ALPNManager alpnManager = ALPNManager.INSTANCE; //todo: configurable private final ByteBufferPool bufferPool; @@ -251,6 +252,20 @@ public void handleEvent(final StreamConnection channel) { } public static boolean engineSupportsHTTP2(SSLEngine engine) { + //check to make sure the engine meets the minimum requirements for HTTP/2 + //if not then ALPN will not be attempted + String[] protcols = engine.getEnabledProtocols(); + boolean found = false; + for(String proto : protcols) { + if(proto.equals(REQUIRED_PROTOCOL)) { + found = true; + break; + } + } + if(!found) { + return false; + } + String[] ciphers = engine.getEnabledCipherSuites(); for (String i : ciphers) { if (i.equals(REQUIRED_CIPHER)) {
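Review bot: The new `REQUIRED_PROTOCOL` constant in the first hunk is undocumented, while the sibling `REQUIRED_CIPHER` directly above it carries a Javadoc explaining why it lives in this class. Since RFC 7540 section 9.2 makes TLS 1.2 a minimum rather than the single permitted version, the name alone under-specifies the contract; I would add `/** Minimum TLS protocol version the HTTP/2 TLS profile (RFC 7540 section 9.2) permits; newer versions also satisfy it. Not strictly ALPN, kept here alongside REQUIRED_CIPHER. */` so that whoever consumes the constant treats it as a floor and not as an exact match.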
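Review bot: The protocol loop added at the top of engineSupportsHTTP2 compares each enabled protocol to `REQUIRED_PROTOCOL` with `equals`, but RFC 7540 section 9.2 requires TLS 1.2 *or higher*, so an engine on which only a newer version is enabled (a TLSv1.3-only configuration, once the JDK offers it) would be reported as unable to do HTTP/2 and the listener would presumably fall back to HTTP/1.1 without any log. I would compare the version as a floor through a small helper and change the loop test to `if (meetsRequiredProtocol(proto)) {`, which is also a natural place to fix the `protcols` typo in the local name. The pre-existing cipher loop below has the same exact-match shape and would need the same treatment for TLS 1.3 suites, but that code predates this commit; the remainder of engineSupportsHTTP2 past the hunk is unchanged.
```java
    /**
     * HTTP/2 requires TLS 1.2 or higher (RFC 7540 section 9.2), so REQUIRED_PROTOCOL is a floor:
     * TLSv1.2 and any later TLSv1.x minor version satisfy it; SSLv3, TLSv1 and TLSv1.1 do not.
     */
    private static boolean meetsRequiredProtocol(String protocol) {
        if (protocol.equals(REQUIRED_PROTOCOL)) {
            return true;
        }
        final String prefix = "TLSv1.";
        if (!protocol.startsWith(prefix)) {
            return false;
        }
        try {
            return Integer.parseInt(protocol.substring(prefix.length())) > 2;
        } catch (NumberFormatException e) {
            return false; // unknown naming scheme, be conservative and do not offer h2
        }
    }
```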