From 54de6a5084df4c2bb39e61c3da36b95309365214 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Wei=C3=9Fe?=
Date: Wed, 16 Oct 2024 15:57:53 +0200
Subject: [PATCH] Advertise ALPN settings in NextProtos required by gRPC
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Daniel Weiße
---
 internal/atls/atls.go | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/internal/atls/atls.go b/internal/atls/atls.go
index 1fff52d17..34a80bbff 100644
--- a/internal/atls/atls.go
+++ b/internal/atls/atls.go
@@ -70,6 +70,7 @@ func CreateAttestationClientTLSConfig(issuer Issuer, validators []Validator) (*t
 InsecureSkipVerify: true, // disable default verification because we use our own verify func
 ServerName: base64.StdEncoding.EncodeToString(clientNonce), // abuse ServerName as a channel to transmit the nonce
 MinVersion: tls.VersionTLS12,
+ NextProtos: []string{"http/1.1", "h2"}, // grpc-go requires us to advertise HTTP/2 (h2) over ALPN
 }, nil
 }
@@ -114,6 +115,7 @@ func getATLSConfigForClientFunc(issuer Issuer, validators []Validator) (func(*tl
 VerifyPeerCertificate: serverConn.verify,
 GetCertificate: serverConn.getCertificate,
 MinVersion: tls.VersionTLS12,
+ NextProtos: []string{"http/1.1", "h2"}, // grpc-go requires us to advertise HTTP/2 (h2) over ALPN
 }
 // enable mutual aTLS if any validators are set
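Review bot: `"http/1.1"` is listed ahead of `"h2"` in both added `NextProtos` lines (the client config in CreateAttestationClientTLSConfig and the server-side config in getATLSConfigForClientFunc), while the comment only justifies h2. As far as I recall, Go's crypto/tls server walks its own list in order and picks the first entry the client also offers, so two peers built from these configs would presumably negotiate http/1.1 even though the connection carries gRPC. If these configs are only ever used for gRPC, `NextProtos: []string{"h2"}, // grpc-go requires h2 over ALPN` keeps the negotiated protocol accurate and narrows what the attested endpoint will accept. Otherwise put h2 first and extend the comment to name the caller that needs http/1.1. Both functions start and end outside the hunks, so other users of these configs are not visible here.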