diff --git a/configure.ac b/configure.ac
index 198c8e77d..726181904 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1565,6 +1565,19 @@ AC_ARG_ENABLE([maxfragment],
     [ ENABLED_MAX_FRAGMENT=no ]
     )
 
+# ALPN
+AC_ARG_ENABLE([alpn],
+    [  --enable-alpn            Enable ALPN (default: disabled)],
+    [ ENABLED_ALPN=$enableval ],
+    [ ENABLED_ALPN=no ]
+    )
+
+if test "x$ENABLED_ALPN" = "xyes"
+then
+    AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_ALPN"
+fi
+
+# Maximum Fragment Length
 if test "x$ENABLED_MAX_FRAGMENT" = "xyes"
 then
     AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_MAX_FRAGMENT"
@@ -1647,7 +1660,8 @@ then
 	ENABLED_MAX_FRAGMENT=yes
 	ENABLED_TRUNCATED_HMAC=yes
 	ENABLED_SUPPORTED_CURVES=yes
-    AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI -DHAVE_MAX_FRAGMENT -DHAVE_TRUNCATED_HMAC -DHAVE_SUPPORTED_CURVES"
+	ENABLED_ALPN=yes
+    AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI -DHAVE_MAX_FRAGMENT -DHAVE_TRUNCATED_HMAC -DHAVE_SUPPORTED_CURVES -DHAVE_ALPN"
 fi
 
 # PKCS7
@@ -2474,6 +2488,7 @@ echo "   * Atomic User Record Layer:  $ENABLED_ATOMICUSER"
 echo "   * Public Key Callbacks:      $ENABLED_PKCALLBACKS"
 echo "   * NTRU:                      $ENABLED_NTRU"
 echo "   * SNI:                       $ENABLED_SNI"
+echo "   * ALPN:                      $ENABLED_ALPN"
 echo "   * Maximum Fragment Length:   $ENABLED_MAX_FRAGMENT"
 echo "   * Truncated HMAC:            $ENABLED_TRUNCATED_HMAC"
 echo "   * Renegotiation Indication:  $ENABLED_RENEGOTIATION_INDICATION"
diff --git a/examples/client/client.c b/examples/client/client.c
index 3317dcb9c..fbb9cb979 100644
--- a/examples/client/client.c
+++ b/examples/client/client.c
@@ -146,6 +146,9 @@ static void Usage(void)
                                  DEFAULT_MIN_DHKEY_BITS);
 #endif
     printf("-b <num>    Benchmark <num> connections and print stats\n");
+#ifdef HAVE_ALPN
+    printf("-L <str>    Application-Layer Protocole Name ({C,F}:<list>)\n");
+#endif
     printf("-s          Use pre Shared keys\n");
     printf("-t          Track wolfSSL memory use\n");
     printf("-d          Disable peer checks\n");
@@ -243,6 +246,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
     int    pkCallbacks   = 0;
     int    overrideDateErrors = 0;
     int    minDhKeyBits  = DEFAULT_MIN_DHKEY_BITS;
+    char*  alpnList = NULL;
+    unsigned char alpn_opt = 0;
     char*  cipherList = NULL;
     const char* verifyCert = caCert;
     const char* ourCert    = cliCert;
@@ -289,11 +294,13 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
     (void)overrideDateErrors;
     (void)disableCRL;
     (void)minDhKeyBits;
+    (void)alpnList;
+    (void)alpn_opt;
 
     StackTrap();
 
     while ((ch = mygetopt(argc, argv,
-                          "?gdeDusmNrwRitfxXUPCh:p:v:l:A:c:k:Z:b:zS:F:ToO:a"))
+                          "?gdeDusmNrwRitfxXUPCh:p:v:l:A:c:k:Z:b:zS:L:ToO:an:"))
                                                                         != -1) {
         switch (ch) {
             case '?' :
@@ -492,6 +499,24 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
                 #endif
                 break;
 
+            case 'n' :
+                #ifdef HAVE_ALPN
+                    alpnList = myoptarg;
+
+                    if (alpnList[0] == 'C' && alpnList[1] == ':')
+                        alpn_opt = WOLFSSL_ALPN_CONTINUE_ON_MISMATCH;
+                    else if (alpnList[0] == 'F' && alpnList[1] == ':')
+                        alpn_opt = WOLFSSL_ALPN_FAILED_ON_MISMATCH;
+                    else {
+                        Usage();
+                        exit(MY_EX_USAGE);
+                    }
+
+                    alpnList += 2;
+
+                #endif
+                break;
+
             default:
                 Usage();
                 exit(MY_EX_USAGE);
@@ -797,6 +822,14 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
     #ifdef HAVE_SESSION_TICKET
     wolfSSL_set_SessionTicket_cb(ssl, sessionTicketCB, (void*)"initial session");
     #endif
+
+#ifdef HAVE_ALPN
+    if (alpnList != NULL) {
+       printf("ALPN accepted protocols list : %s\n", alpnList);
+       wolfSSL_UseALPN(ssl, alpnList, (word32)XSTRLEN(alpnList), alpn_opt);
+    }
+#endif
+
     if (doDTLS) {
         SOCKADDR_IN_T addr;
         build_addr(&addr, host, port, 1);
@@ -865,6 +898,23 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 #endif
     showPeer(ssl);
 
+#ifdef HAVE_ALPN
+    if (alpnList != NULL) {
+        int err;
+        char *protocol_name = NULL;
+        word16 protocol_nameSz = 0;
+
+        err = wolfSSL_ALPN_GetProtocol(ssl, &protocol_name, &protocol_nameSz);
+        if (err == SSL_SUCCESS)
+            printf("Received ALPN protocol : %s (%d)\n",
+                   protocol_name, protocol_nameSz);
+        else if (err == SSL_ALPN_NOT_FOUND)
+            printf("No ALPN response received (no match with server)\n");
+        else
+            printf("Getting ALPN protocol name failed\n");
+    }
+#endif
+
 #ifdef HAVE_SECURE_RENEGOTIATION
     if (scr && forceScr) {
         if (nonBlocking) {
@@ -952,6 +1002,13 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
             tcp_connect(&sockfd, host, port, 0);
         }
         wolfSSL_set_fd(sslResume, sockfd);
+#ifdef HAVE_ALPN
+        if (alpnList != NULL) {
+            printf("ALPN accepted protocols list : %s\n", alpnList);
+            wolfSSL_UseALPN(sslResume, alpnList, (word32)XSTRLEN(alpnList),
+                            alpn_opt);
+        }
+#endif
 #ifdef HAVE_SECURE_RENEGOTIATION
         if (scr) {
             if (wolfSSL_UseSecureRenegotiation(sslResume) != SSL_SUCCESS)
@@ -984,6 +1041,24 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
         else
             printf("didn't reuse session id!!!\n");
 
+#ifdef HAVE_ALPN
+        if (alpnList != NULL) {
+            int err;
+            char *protocol_name = NULL;
+            word16 protocol_nameSz = 0;
+
+            printf("Sending ALPN accepted list : %s\n", alpnList);
+            err = wolfSSL_ALPN_GetProtocol(sslResume, &protocol_name,
+                                           &protocol_nameSz);
+            if (err == SSL_SUCCESS)
+                printf("Received ALPN protocol : %s (%d)\n",
+                       protocol_name, protocol_nameSz);
+            else if (err == SSL_ALPN_NOT_FOUND)
+                printf("Not received ALPN response (no match with server)\n");
+            else
+                printf("Getting ALPN protocol name failed\n");
+        }
+#endif
         if (wolfSSL_write(sslResume, resumeMsg, resumeSz) != resumeSz)
             err_sys("SSL_write failed");
 
diff --git a/examples/server/server.c b/examples/server/server.c
index 07f3012e4..014342af3 100644
--- a/examples/server/server.c
+++ b/examples/server/server.c
@@ -135,6 +135,9 @@ static void Usage(void)
     printf("-D <file>   Diffie-Hellman Params file, default %s\n", dhParam);
     printf("-Z <num>    Minimum DH key bits,        default %d\n",
                                  DEFAULT_MIN_DHKEY_BITS);
+#endif
+#ifdef HAVE_ALPN
+    printf("-L <str>    Application-Layer Protocole Name ({C,F}:<list>)\n");
 #endif
     printf("-d          Disable client cert check\n");
     printf("-b          Bind to any interface instead of localhost only\n");
@@ -194,6 +197,8 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
     int    resume = 0;            /* do resume, and resume count */
     int    minDhKeyBits = DEFAULT_MIN_DHKEY_BITS;
     int    ret;
+    char*  alpnList = NULL;
+    unsigned char alpn_opt = 0;
     char*  cipherList = NULL;
     const char* verifyCert = cliCert;
     const char* ourCert    = svrCert;
@@ -232,12 +237,14 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
     (void)useNtruKey;
     (void)doCliCertCheck;
     (void)minDhKeyBits;
+    (void)alpnList;
+    (void)alpn_opt;
 
 #ifdef CYASSL_TIRTOS
     fdOpenSession(Task_self());
 #endif
 
-    while ((ch = mygetopt(argc, argv, "?dbstnNufrRawPIp:v:l:A:c:k:Z:S:oO:D:"))
+    while ((ch = mygetopt(argc, argv, "?dbstnNufrRawPIp:v:l:A:c:k:Z:S:oO:D:L:"))
                          != -1) {
         switch (ch) {
             case '?' :
@@ -376,6 +383,23 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
                 #endif
                 break;
 
+            case 'L' :
+                #ifdef HAVE_ALPN
+                    alpnList = myoptarg;
+
+                    if (alpnList[0] == 'C' && alpnList[1] == ':')
+                        alpn_opt = WOLFSSL_ALPN_CONTINUE_ON_MISMATCH;
+                    else if (alpnList[0] == 'F' && alpnList[1] == ':')
+                        alpn_opt = WOLFSSL_ALPN_FAILED_ON_MISMATCH;
+                    else {
+                        Usage();
+                        exit(MY_EX_USAGE);
+                    }
+
+                    alpnList += 2;
+
+                #endif
+                break;
             default:
                 Usage();
                 exit(MY_EX_USAGE);
@@ -622,6 +646,14 @@ while (1) {  /* allow resume option */
     }
 
     SSL_set_fd(ssl, clientfd);
+
+#ifdef HAVE_ALPN
+    if (alpnList != NULL) {
+        printf("ALPN accepted protocols list : %s\n", alpnList);
+        wolfSSL_UseALPN(ssl, alpnList, (word32)XSTRLEN(alpnList), alpn_opt);
+    }
+#endif
+
 #ifdef WOLFSSL_DTLS
     if (doDTLS) {
         SOCKADDR_IN_T cliaddr;
@@ -664,6 +696,23 @@ while (1) {  /* allow resume option */
 #endif
     showPeer(ssl);
 
+#ifdef HAVE_ALPN
+    if (alpnList != NULL) {
+        int err;
+        char *protocol_name = NULL;
+        word16 protocol_nameSz = 0;
+
+        err = wolfSSL_ALPN_GetProtocol(ssl, &protocol_name, &protocol_nameSz);
+        if (err == SSL_SUCCESS)
+            printf("Sent ALPN protocol : %s (%d)\n",
+                   protocol_name, protocol_nameSz);
+        else if (err == SSL_ALPN_NOT_FOUND)
+            printf("No ALPN response sent (no match)\n");
+        else
+            printf("Getting ALPN protocol name failed\n");
+    }
+#endif
+
     idx = SSL_read(ssl, input, sizeof(input)-1);
     if (idx > 0) {
         input[idx] = 0;
diff --git a/src/internal.c b/src/internal.c
index 14c77f86f..6c7542ea1 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -8569,6 +8569,9 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
     case RSA_SIGN_FAULT:
         return "RSA Signature Fault Error";
 
+    case UNKNOWN_ALPN_PROTOCOL_NAME_E:
+        return "Unrecognized protocol name Error";
+
     case HANDSHAKE_SIZE_ERROR:
         return "Handshake message too large Error";
 
diff --git a/src/ssl.c b/src/ssl.c
index 12311a78f..e96705102 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -884,6 +884,76 @@ int wolfSSL_UseSupportedQSH(WOLFSSL* ssl, word16 name)
 #endif /* NO_WOLFSSL_CLIENT */
 #endif /* HAVE_QSH */
 
+
+/* Application-Layer Procotol Name */
+#ifdef HAVE_ALPN
+
+int wolfSSL_UseALPN(WOLFSSL* ssl, char *protocol_name_list,
+                    word32 protocol_name_listSz, byte options)
+{
+    char    *list, *ptr, *token[10];
+    word16  len;
+    int     idx = 0;
+    int     ret = SSL_FAILURE;
+
+    WOLFSSL_ENTER("wolfSSL_UseALPN");
+
+    if (ssl == NULL || protocol_name_list == NULL)
+        return BAD_FUNC_ARG;
+
+    if (protocol_name_listSz > (WOLFSSL_MAX_ALPN_NUMBER *
+                                WOLFSSL_MAX_ALPN_PROTO_NAME_LEN +
+                                WOLFSSL_MAX_ALPN_NUMBER)) {
+        WOLFSSL_MSG("Invalid arguments, protocol name list too long");
+        return BAD_FUNC_ARG;
+    }
+
+    if (!(options & WOLFSSL_ALPN_CONTINUE_ON_MISMATCH) &&
+        !(options & WOLFSSL_ALPN_FAILED_ON_MISMATCH)) {
+            WOLFSSL_MSG("Invalid arguments, options not supported");
+            return BAD_FUNC_ARG;
+        }
+
+
+    list = (char *)XMALLOC(protocol_name_listSz+1, NULL,
+                           DYNAMIC_TYPE_TMP_BUFFER);
+    if (list == NULL) {
+        WOLFSSL_MSG("Memory failure");
+        return MEMORY_ERROR;
+    }
+
+    XMEMSET(list, 0, protocol_name_listSz+1);
+    XSTRNCPY(list, protocol_name_list, protocol_name_listSz);
+
+    /* read all protocol name from the list */
+    token[idx] = XSTRTOK(list, ",", &ptr);
+    while (token[idx] != NULL)
+        token[++idx] = XSTRTOK(NULL, ",", &ptr);
+
+    /* add protocol name list in the TLS extension in reverse order */
+    while ((idx--) > 0) {
+        len = (word16)XSTRLEN(token[idx]);
+
+        ret = TLSX_UseALPN(&ssl->extensions, token[idx], len, options);
+        if (ret != SSL_SUCCESS) {
+            WOLFSSL_MSG("TLSX_UseALPN failure");
+            break;
+        }
+    }
+
+    XFREE(list, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+
+    return ret;
+}
+
+int wolfSSL_ALPN_GetProtocol(WOLFSSL* ssl, char **protocol_name, word16 *size)
+{
+    return TLSX_ALPN_GetRequest(ssl ? ssl->extensions : NULL,
+                           (void **)protocol_name, size);
+}
+
+#endif /* HAVE_ALPN */
+
 /* Secure Renegotiation */
 #ifdef HAVE_SECURE_RENEGOTIATION
 
diff --git a/src/tls.c b/src/tls.c
index 5d4657941..cece0696c 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -845,6 +845,327 @@ void TLSX_SetResponse(WOLFSSL* ssl, TLSX_Type type)
 
 #endif
 
+
+#ifdef HAVE_ALPN
+/** Creates a new ALPN object, providing protocol name to use. */
+static ALPN* TLSX_ALPN_New(char *protocol_name, word16 protocol_nameSz)
+{
+    ALPN *alpn;
+
+    WOLFSSL_ENTER("TLSX_ALPN_New");
+
+    if (protocol_name == NULL ||
+        protocol_nameSz > WOLFSSL_MAX_ALPN_PROTO_NAME_LEN) {
+        WOLFSSL_MSG("Invalid arguments");
+        return NULL;
+    }
+
+    alpn = (ALPN*)XMALLOC(sizeof(ALPN), 0, DYNAMIC_TYPE_TLSX);
+    if (alpn == NULL) {
+        WOLFSSL_MSG("Memory failure");
+        return NULL;
+    }
+
+    alpn->next = NULL;
+    alpn->negociated = 0;
+    alpn->options = 0;
+
+    alpn->protocol_name = XMALLOC(protocol_nameSz + 1, 0, DYNAMIC_TYPE_TLSX);
+    if (alpn->protocol_name == NULL) {
+        WOLFSSL_MSG("Memory failure");
+        XFREE(alpn, 0, DYNAMIC_TYPE_TLSX);
+        return NULL;
+    }
+
+    XMEMCPY(alpn->protocol_name, protocol_name, protocol_nameSz);
+    alpn->protocol_name[protocol_nameSz] = 0;
+
+    return alpn;
+}
+
+/** Releases an ALPN object. */
+static void TLSX_ALPN_Free(ALPN *alpn)
+{
+    if (alpn == NULL)
+        return;
+
+    XFREE(alpn->protocol_name, 0, DYNAMIC_TYPE_TLSX);
+    XFREE(alpn, 0, DYNAMIC_TYPE_TLSX);
+}
+
+/** Releases all ALPN objects in the provided list. */
+static void TLSX_ALPN_FreeAll(ALPN *list)
+{
+    ALPN* alpn;
+
+    while ((alpn = list)) {
+        list = alpn->next;
+        TLSX_ALPN_Free(alpn);
+    }
+}
+
+/** Tells the buffered size of the ALPN objects in a list. */
+static word16 TLSX_ALPN_GetSize(ALPN *list)
+{
+    ALPN* alpn;
+    word16 length = OPAQUE16_LEN; /* list length */
+
+    while ((alpn = list)) {
+        list = alpn->next;
+
+        length++; /* protocol name length is on one byte */
+        length += (word16)XSTRLEN(alpn->protocol_name);
+    }
+    
+    return length;
+}
+
+/** Writes the ALPN objects of a list in a buffer. */
+static word16 TLSX_ALPN_Write(ALPN *list, byte *output)
+{
+    ALPN* alpn;
+    word16 length = 0;
+    word16 offset = OPAQUE16_LEN; /* list length offset */
+
+    while ((alpn = list)) {
+        list = alpn->next;
+
+        length = (word16)XSTRLEN(alpn->protocol_name);
+
+        /* protocol name length */
+        output[offset++] = (byte)length;
+
+        /* protocol name value */
+        XMEMCPY(output + offset, alpn->protocol_name, length);
+
+        offset += length;
+    }
+
+    /* writing list length */
+    c16toa(offset - OPAQUE16_LEN, output);
+    
+    return offset;
+}
+
+/** Finds a protocol name in the provided ALPN list */
+static ALPN* TLSX_ALPN_Find(ALPN *list, char *protocol_name, word16 size)
+{
+    ALPN *alpn;
+
+    if (list == NULL || protocol_name == NULL)
+        return NULL;
+
+    alpn = list;
+    while (alpn != NULL && (
+           (word16)XSTRLEN(alpn->protocol_name) != size ||
+           XSTRNCMP(alpn->protocol_name, protocol_name, size)))
+        alpn = alpn->next;
+
+    return alpn;
+}
+
+/** Set the ALPN matching client and server requirements */
+static int TLSX_SetALPN(TLSX** extensions, const void* data, word16 size)
+{
+    ALPN *alpn;
+    int  ret;
+
+    if (extensions == NULL || data == NULL)
+        return BAD_FUNC_ARG;
+
+    alpn = TLSX_ALPN_New((char *)data, size);
+    if (alpn == NULL) {
+        WOLFSSL_MSG("Memory failure");
+        return MEMORY_E;
+    }
+
+    alpn->negociated = 1;
+
+    ret = TLSX_Push(extensions, WOLFSSL_ALPN, (void*)alpn);
+    if (ret != 0) {
+        TLSX_ALPN_Free(alpn);
+        return ret;
+    }
+
+    return SSL_SUCCESS;
+}
+
+/** Parses a buffer of ALPN extensions and set the first one matching
+ * client and server requirements */
+static int TLSX_ALPN_ParseAndSet(WOLFSSL *ssl, byte *input, word16 length,
+                                 byte isRequest)
+{
+    word16 size = 0;
+    word16 offset = 0;
+    int    r = BUFFER_ERROR;
+    TLSX   *extension;
+    ALPN   *alpn = NULL, *list;
+
+    extension = TLSX_Find(ssl->extensions, WOLFSSL_ALPN);
+    if (extension == NULL)
+        extension = TLSX_Find(ssl->ctx->extensions, WOLFSSL_ALPN);
+
+    if (extension == NULL || extension->data == NULL) {
+        WOLFSSL_MSG("No ALPN extensions not used or bad");
+        return isRequest ? 0             /* not using ALPN */
+                         : BUFFER_ERROR; /* unexpected ALPN response */
+    }
+
+    if (OPAQUE16_LEN > length)
+        return BUFFER_ERROR;
+
+    ato16(input, &size);
+    offset += OPAQUE16_LEN;
+
+    /* validating alpn list length */
+    if (length != OPAQUE16_LEN + size)
+        return BUFFER_ERROR;
+
+    list = (ALPN*)extension->data;
+
+    for (size = 0; offset < length; offset += size) {
+
+        size = input[offset++];
+        if (offset + size > length)
+            return BUFFER_ERROR;
+
+        alpn = TLSX_ALPN_Find(list, (char*)input + offset, size);
+        if (alpn != NULL) {
+            WOLFSSL_MSG("ALPN protocol match");
+            break;
+        }
+    }
+
+    if (alpn == NULL) {
+        WOLFSSL_MSG("No ALPN protocol match");
+
+        /* do nothing if no protocol match between client and server and option
+         is set to continue (like OpenSSL) */
+        if (list->options & WOLFSSL_ALPN_CONTINUE_ON_MISMATCH) {
+            WOLFSSL_MSG("Continue on mismatch");
+            return 0;
+        }
+
+        SendAlert(ssl, alert_fatal, no_application_protocol);
+        return UNKNOWN_ALPN_PROTOCOL_NAME_E;
+    }
+
+    /* set the matching negociated protocol */
+    r = TLSX_SetALPN(&ssl->extensions,
+                     alpn->protocol_name,
+                     (word16)XSTRLEN(alpn->protocol_name));
+    if (r != SSL_SUCCESS) {
+        WOLFSSL_MSG("TLSX_UseALPN failed");
+        return BUFFER_ERROR;
+    }
+
+    /* reply to ALPN extension sent from client */
+    if (isRequest) {
+#ifndef NO_WOLFSSL_SERVER
+        TLSX_SetResponse(ssl, WOLFSSL_ALPN);
+#endif
+    }
+
+    return 0;
+}
+
+/** Add a protocol name to the list of accepted usable ones */
+int TLSX_UseALPN(TLSX** extensions, const void* data, word16 size, byte options)
+{
+    ALPN *alpn;
+    TLSX *extension;
+    int  ret;
+
+    if (extensions == NULL || data == NULL)
+        return BAD_FUNC_ARG;
+
+    alpn = TLSX_ALPN_New((char *)data, size);
+    if (alpn == NULL) {
+        WOLFSSL_MSG("Memory failure");
+        return MEMORY_E;
+    }
+
+    /* Set Options of ALPN */
+    alpn->options = options;
+
+    extension = TLSX_Find(*extensions, WOLFSSL_ALPN);
+    if (extension == NULL) {
+        ret = TLSX_Push(extensions, WOLFSSL_ALPN, (void*)alpn);
+        if (ret != 0) {
+            TLSX_ALPN_Free(alpn);
+            return ret;
+        }
+    }
+    else {
+        /* push new ALPN object to extension data. */
+        alpn->next = (ALPN*)extension->data;
+        extension->data = (void*)alpn;
+    }
+
+    return SSL_SUCCESS;
+}
+
+/** Get the protocol name set by the server */
+int TLSX_ALPN_GetRequest(TLSX* extensions, void** data, word16 *dataSz)
+{
+    TLSX *extension;
+    ALPN *alpn;
+
+    if (extensions == NULL || data == NULL || dataSz == NULL)
+        return BAD_FUNC_ARG;
+
+    extension = TLSX_Find(extensions, WOLFSSL_ALPN);
+    if (extension == NULL) {
+        WOLFSSL_MSG("TLS extension not found");
+        return SSL_ALPN_NOT_FOUND;
+    }
+
+    alpn = (ALPN *)extension->data;
+    if (alpn == NULL) {
+        WOLFSSL_MSG("ALPN extension not found");
+        *data = NULL;
+        *dataSz = 0;
+        return SSL_FATAL_ERROR;
+    }
+
+    if (alpn->negociated != 1) {
+
+        /* consider as an error */
+        if (alpn->options & WOLFSSL_ALPN_FAILED_ON_MISMATCH) {
+            WOLFSSL_MSG("No protocol match with peer -> Failed");
+            return SSL_FATAL_ERROR;
+        }
+
+        /* continue without negociated protocol */
+        WOLFSSL_MSG("No protocol match with peer -> Continue");
+        return SSL_ALPN_NOT_FOUND;
+    }
+
+    if (alpn->next != NULL) {
+        WOLFSSL_MSG("Only one protocol name must be accepted");
+        return SSL_FATAL_ERROR;
+    }
+
+    *data = alpn->protocol_name;
+    *dataSz = (word16)XSTRLEN(*data);
+
+    return SSL_SUCCESS;
+}
+
+#define ALPN_FREE_ALL     TLSX_ALPN_FreeAll
+#define ALPN_GET_SIZE     TLSX_ALPN_GetSize
+#define ALPN_WRITE        TLSX_ALPN_Write
+#define ALPN_PARSE        TLSX_ALPN_ParseAndSet
+
+#else /* HAVE_ALPN */
+
+#define ALPN_FREE_ALL(list)
+#define ALPN_GET_SIZE(list)     0
+#define ALPN_WRITE(a, b)        0
+#define ALPN_PARSE(a, b, c, d)  0
+
+#endif /* HAVE_ALPN */
+
 /* Server Name Indication */
 #ifdef HAVE_SNI
 
@@ -2712,6 +3033,10 @@ void TLSX_FreeAll(TLSX* list)
             case WOLFSSL_QSH:
                 QSH_FREE_ALL(extension->data);
                 break;
+
+            case WOLFSSL_ALPN:
+                ALPN_FREE_ALL((ALPN*)extension->data);
+                break;
         }
 
         XFREE(extension, 0, DYNAMIC_TYPE_TLSX);
@@ -2775,6 +3100,11 @@ static word16 TLSX_GetSize(TLSX* list, byte* semaphore, byte isRequest)
             case WOLFSSL_QSH:
                 length += QSH_GET_SIZE(extension->data, isRequest);
                 break;
+
+            case WOLFSSL_ALPN:
+                length += ALPN_GET_SIZE(extension->data);
+                break;
+
         }
 
         /* marks the extension as processed so ctx level */
@@ -2845,6 +3175,10 @@ static word16 TLSX_Write(TLSX* list, byte* output, byte* semaphore,
                 offset += QSHPK_WRITE(extension->data, output + offset);
                 offset += QSH_SERREQ(output + offset, isRequest);
                 break;
+
+            case WOLFSSL_ALPN:
+                offset += ALPN_WRITE(extension->data, output + offset);
+                break;
         }
 
         /* writes extension data length. */
@@ -3335,6 +3669,12 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte isRequest,
                 ret = QSH_PARSE(ssl, input + offset, size, isRequest);
                 break;
 
+            case WOLFSSL_ALPN:
+                WOLFSSL_MSG("ALPN extension received");
+
+                ret = ALPN_PARSE(ssl, input + offset, size, isRequest);
+                break;
+
             case HELLO_EXT_SIG_ALGO:
                 if (isRequest) {
                     /* do not mess with offset inside the switch! */
diff --git a/tests/api.c b/tests/api.c
index a34ecebbc..8feb84a39 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -507,8 +507,8 @@ done2:
     return;
 }
 
-/* SNI helper functions */
-#ifdef HAVE_SNI
+/* SNI / ALPN helper functions */
+#if defined(HAVE_SNI) || defined(HAVE_ALPN)
 
 static THREAD_RETURN WOLFSSL_THREAD run_wolfssl_server(void* args)
 {
@@ -685,7 +685,7 @@ static void run_wolfssl_client(void* args)
 #endif
 }
 
-#endif /* HAVE_SNI */
+#endif /* defined(HAVE_SNI) || defined(HAVE_ALPN) */
 #endif /* io tests dependencies */
 
 
@@ -747,6 +747,51 @@ static void test_wolfSSL_read_write(void)
  | TLS extensions tests
  *----------------------------------------------------------------------------*/
 
+#if defined(HAVE_SNI) || defined(HAVE_ALPN)
+/* connection test runner */
+static void test_wolfSSL_client_server(callback_functions* client_callbacks,
+                                       callback_functions* server_callbacks)
+{
+#ifdef HAVE_IO_TESTS_DEPENDENCIES
+    tcp_ready ready;
+    func_args client_args;
+    func_args server_args;
+    THREAD_TYPE serverThread;
+
+    StartTCP();
+
+    client_args.callbacks = client_callbacks;
+    server_args.callbacks = server_callbacks;
+
+#ifdef WOLFSSL_TIRTOS
+    fdOpenSession(Task_self());
+#endif
+
+    /* RUN Server side */
+    InitTcpReady(&ready);
+    server_args.signal = &ready;
+    client_args.signal = &ready;
+    start_thread(run_wolfssl_server, &server_args, &serverThread);
+    wait_tcp_ready(&server_args);
+
+    /* RUN Client side */
+    run_wolfssl_client(&client_args);
+    join_thread(serverThread);
+
+    FreeTcpReady(&ready);
+#ifdef WOLFSSL_TIRTOS
+    fdCloseSession(Task_self());
+#endif
+
+#else
+    (void)client_callbacks;
+    (void)server_callbacks;
+#endif
+}
+
+#endif /* defined(HAVE_SNI) || defined(HAVE_ALPN) */
+
+
 #ifdef HAVE_SNI
 static void test_wolfSSL_UseSNI_params(void)
 {
@@ -827,11 +872,6 @@ static void use_PSEUDO_MANDATORY_SNI_at_ctx(WOLFSSL_CTX* ctx)
                  WOLFSSL_SNI_ANSWER_ON_MISMATCH | WOLFSSL_SNI_ABORT_ON_ABSENCE);
 }
 
-static void verify_FATAL_ERROR_on_client(WOLFSSL* ssl)
-{
-    AssertIntEQ(FATAL_ERROR, wolfSSL_get_error(ssl, 0));
-}
-
 static void verify_UNKNOWN_SNI_on_server(WOLFSSL* ssl)
 {
     AssertIntEQ(UNKNOWN_SNI_HOST_NAME_E, wolfSSL_get_error(ssl, 0));
@@ -874,48 +914,12 @@ static void verify_SNI_fake_matching(WOLFSSL* ssl)
     AssertNotNull(request);
     AssertStrEQ("ww2.wolfssl.com", request);
 }
-/* END of connection tests callbacks */
 
-/* connection test runner */
-static void test_wolfSSL_client_server(callback_functions* client_callbacks,
-                                      callback_functions* server_callbacks)
+static void verify_FATAL_ERROR_on_client(WOLFSSL* ssl)
 {
-#ifdef HAVE_IO_TESTS_DEPENDENCIES
-    tcp_ready ready;
-    func_args client_args;
-    func_args server_args;
-    THREAD_TYPE serverThread;
-
-    StartTCP();
-
-    client_args.callbacks = client_callbacks;
-    server_args.callbacks = server_callbacks;
-
-#ifdef WOLFSSL_TIRTOS
-    fdOpenSession(Task_self());
-#endif
-
-    /* RUN Server side */
-    InitTcpReady(&ready);
-    server_args.signal = &ready;
-    client_args.signal = &ready;
-    start_thread(run_wolfssl_server, &server_args, &serverThread);
-    wait_tcp_ready(&server_args);
-
-    /* RUN Client side */
-    run_wolfssl_client(&client_args);
-    join_thread(serverThread);
-
-    FreeTcpReady(&ready);
-#ifdef WOLFSSL_TIRTOS
-    fdCloseSession(Task_self());
-#endif
-
-#else
-    (void)client_callbacks;
-    (void)server_callbacks;
-#endif
+    AssertIntEQ(FATAL_ERROR, wolfSSL_get_error(ssl, 0));
 }
+/* END of connection tests callbacks */
 
 static void test_wolfSSL_UseSNI_connection(void)
 {
@@ -1197,6 +1201,240 @@ static void test_wolfSSL_UseSupportedCurve(void)
 #endif
 }
 
+#ifdef HAVE_ALPN
+
+static void verify_ALPN_FATAL_ERROR_on_client(WOLFSSL* ssl)
+{
+    AssertIntEQ(UNKNOWN_ALPN_PROTOCOL_NAME_E, wolfSSL_get_error(ssl, 0));
+}
+
+static void use_ALPN_all(WOLFSSL* ssl)
+{
+    /* http/1.1,spdy/1,spdy/2,spdy/3 */
+    char alpn_list[] = {0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31, 0x2c,
+                        0x73, 0x70, 0x64, 0x79, 0x2f, 0x31, 0x2c,
+                        0x73, 0x70, 0x64, 0x79, 0x2f, 0x32, 0x2c,
+                        0x73, 0x70, 0x64, 0x79, 0x2f, 0x33};
+    AssertIntEQ(SSL_SUCCESS, wolfSSL_UseALPN(ssl, alpn_list, sizeof(alpn_list),
+                                             WOLFSSL_ALPN_FAILED_ON_MISMATCH));
+}
+
+static void use_ALPN_all_continue(WOLFSSL* ssl)
+{
+    /* http/1.1,spdy/1,spdy/2,spdy/3 */
+    char alpn_list[] = {0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31, 0x2c,
+        0x73, 0x70, 0x64, 0x79, 0x2f, 0x31, 0x2c,
+        0x73, 0x70, 0x64, 0x79, 0x2f, 0x32, 0x2c,
+        0x73, 0x70, 0x64, 0x79, 0x2f, 0x33};
+    AssertIntEQ(SSL_SUCCESS, wolfSSL_UseALPN(ssl, alpn_list, sizeof(alpn_list),
+                                             WOLFSSL_ALPN_CONTINUE_ON_MISMATCH));
+}
+
+static void use_ALPN_one(WOLFSSL* ssl)
+{
+    /* spdy/2 */
+    char proto[] = {0x73, 0x70, 0x64, 0x79, 0x2f, 0x32};
+
+    AssertIntEQ(SSL_SUCCESS, wolfSSL_UseALPN(ssl, proto, sizeof(proto),
+                                             WOLFSSL_ALPN_FAILED_ON_MISMATCH));
+}
+
+static void use_ALPN_unknown(WOLFSSL* ssl)
+{
+    /* http/2.0 */
+    char proto[] = {0x68, 0x74, 0x74, 0x70, 0x2f, 0x32, 0x2e, 0x30};
+
+    AssertIntEQ(SSL_SUCCESS, wolfSSL_UseALPN(ssl, proto, sizeof(proto),
+                                             WOLFSSL_ALPN_FAILED_ON_MISMATCH));
+}
+
+static void use_ALPN_unknown_continue(WOLFSSL* ssl)
+{
+    /* http/2.0 */
+    char proto[] = {0x68, 0x74, 0x74, 0x70, 0x2f, 0x32, 0x2e, 0x30};
+
+    AssertIntEQ(SSL_SUCCESS, wolfSSL_UseALPN(ssl, proto, sizeof(proto),
+                                             WOLFSSL_ALPN_CONTINUE_ON_MISMATCH));
+}
+
+static void verify_ALPN_not_matching_spdy3(WOLFSSL* ssl)
+{
+    /* spdy/3 */
+    char nego_proto[] = {0x73, 0x70, 0x64, 0x79, 0x2f, 0x33};
+
+    char *proto;
+    word16 protoSz = 0;
+
+    AssertIntEQ(SSL_SUCCESS, wolfSSL_ALPN_GetProtocol(ssl, &proto, &protoSz));
+
+    /* check value */
+    AssertIntNE(1, sizeof(nego_proto) == protoSz);
+    AssertIntNE(0, XMEMCMP(nego_proto, proto, sizeof(nego_proto)));
+}
+
+static void verify_ALPN_not_matching_continue(WOLFSSL* ssl)
+{
+    char *proto = NULL;
+    word16 protoSz = 0;
+
+    AssertIntEQ(SSL_ALPN_NOT_FOUND,
+                wolfSSL_ALPN_GetProtocol(ssl, &proto, &protoSz));
+
+    /* check value */
+    AssertIntEQ(1, 0 == protoSz);
+    AssertIntEQ(1, NULL == proto);
+}
+
+static void verify_ALPN_matching_http1(WOLFSSL* ssl)
+{
+    /* http/1.1 */
+    char nego_proto[] = {0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31};
+    char *proto;
+    word16 protoSz = 0;
+
+    AssertIntEQ(SSL_SUCCESS, wolfSSL_ALPN_GetProtocol(ssl, &proto, &protoSz));
+
+    /* check value */
+    AssertIntEQ(1, sizeof(nego_proto) == protoSz);
+    AssertIntEQ(0, XMEMCMP(nego_proto, proto, protoSz));
+}
+
+static void verify_ALPN_matching_spdy2(WOLFSSL* ssl)
+{
+    /* spdy/2 */
+    char nego_proto[] = {0x73, 0x70, 0x64, 0x79, 0x2f, 0x32};
+    char *proto;
+    word16 protoSz = 0;
+
+    AssertIntEQ(SSL_SUCCESS, wolfSSL_ALPN_GetProtocol(ssl, &proto, &protoSz));
+
+    /* check value */
+    AssertIntEQ(1, sizeof(nego_proto) == protoSz);
+    AssertIntEQ(0, XMEMCMP(nego_proto, proto, protoSz));
+}
+
+static void test_wolfSSL_UseALPN_connection(void)
+{
+    unsigned long i;
+    callback_functions callbacks[] = {
+        /* success case same list */
+        {0, 0, use_ALPN_all, 0},
+        {0, 0, use_ALPN_all, verify_ALPN_matching_http1},
+
+        /* success case only one for server */
+        {0, 0, use_ALPN_all, 0},
+        {0, 0, use_ALPN_one, verify_ALPN_matching_spdy2},
+
+        /* success case only one for client */
+        {0, 0, use_ALPN_one, 0},
+        {0, 0, use_ALPN_all, verify_ALPN_matching_spdy2},
+
+        /* success case none for client */
+        {0, 0, 0, 0},
+        {0, 0, use_ALPN_all, 0},
+
+        /* success case missmatch behavior but option 'continue' set */
+        {0, 0, use_ALPN_all_continue, verify_ALPN_not_matching_continue},
+        {0, 0, use_ALPN_unknown_continue, 0},
+
+        /* missmatch behavior with same list
+         * the first and only this one must be taken */
+        {0, 0, use_ALPN_all, 0},
+        {0, 0, use_ALPN_all, verify_ALPN_not_matching_spdy3},
+
+        /* default missmatch behavior */
+        {0, 0, use_ALPN_all, 0},
+        {0, 0, use_ALPN_unknown, verify_ALPN_FATAL_ERROR_on_client},
+    };
+
+    for (i = 0; i < sizeof(callbacks) / sizeof(callback_functions); i += 2) {
+        callbacks[i    ].method = wolfSSLv23_client_method;
+        callbacks[i + 1].method = wolfSSLv23_server_method;
+        test_wolfSSL_client_server(&callbacks[i], &callbacks[i + 1]);
+    }
+}
+
+static void test_wolfSSL_UseALPN_params(void)
+{
+    /* "http/1.1" */
+    char http1[] = {0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31};
+    /* "spdy/1" */
+    char spdy1[] = {0x73, 0x70, 0x64, 0x79, 0x2f, 0x31};
+    /* "spdy/2" */
+    char spdy2[] = {0x73, 0x70, 0x64, 0x79, 0x2f, 0x32};
+    /* "spdy/3" */
+    char spdy3[] = {0x73, 0x70, 0x64, 0x79, 0x2f, 0x33};
+    char buff[256];
+    word32 idx;
+
+    WOLFSSL_CTX *ctx = wolfSSL_CTX_new(wolfSSLv23_client_method());
+    WOLFSSL     *ssl = wolfSSL_new(ctx);
+
+    AssertNotNull(ctx);
+    AssertNotNull(ssl);
+
+    /* error cases */
+    AssertIntNE(SSL_SUCCESS,
+                wolfSSL_UseALPN(NULL, http1, sizeof(http1),
+                                WOLFSSL_ALPN_FAILED_ON_MISMATCH));
+    AssertIntNE(SSL_SUCCESS, wolfSSL_UseALPN(ssl, NULL, 0,
+                                             WOLFSSL_ALPN_FAILED_ON_MISMATCH));
+
+    /* success case */
+    /* http1 only */
+    AssertIntEQ(SSL_SUCCESS,
+                wolfSSL_UseALPN(ssl, http1, sizeof(http1),
+                                WOLFSSL_ALPN_FAILED_ON_MISMATCH));
+
+    /* http1, spdy1 */
+    memcpy(buff, http1, sizeof(http1));
+    idx = sizeof(http1);
+    buff[idx++] = ',';
+    memcpy(buff+idx, spdy1, sizeof(spdy1));
+    idx += sizeof(spdy1);
+    AssertIntEQ(SSL_SUCCESS, wolfSSL_UseALPN(ssl, buff, idx,
+                                             WOLFSSL_ALPN_FAILED_ON_MISMATCH));
+
+    /* http1, spdy2, spdy1 */
+    memcpy(buff, http1, sizeof(http1));
+    idx = sizeof(http1);
+    buff[idx++] = ',';
+    memcpy(buff+idx, spdy2, sizeof(spdy2));
+    idx += sizeof(spdy2);
+    buff[idx++] = ',';
+    memcpy(buff+idx, spdy1, sizeof(spdy1));
+    idx += sizeof(spdy1);
+    AssertIntEQ(SSL_SUCCESS, wolfSSL_UseALPN(ssl, buff, idx,
+                                             WOLFSSL_ALPN_FAILED_ON_MISMATCH));
+
+    /* spdy3, http1, spdy2, spdy1 */
+    memcpy(buff, spdy3, sizeof(spdy3));
+    idx = sizeof(spdy3);
+    buff[idx++] = ',';
+    memcpy(buff+idx, http1, sizeof(http1));
+    idx += sizeof(http1);
+    buff[idx++] = ',';
+    memcpy(buff+idx, spdy2, sizeof(spdy2));
+    idx += sizeof(spdy2);
+    buff[idx++] = ',';
+    memcpy(buff+idx, spdy1, sizeof(spdy1));
+    idx += sizeof(spdy1);
+    AssertIntEQ(SSL_SUCCESS, wolfSSL_UseALPN(ssl, buff, idx,
+                                             WOLFSSL_ALPN_CONTINUE_ON_MISMATCH));
+
+    wolfSSL_free(ssl);
+    wolfSSL_CTX_free(ctx);
+}
+#endif /* HAVE_ALPN  */
+
+static void test_wolfSSL_UseALPN(void)
+{
+#ifdef HAVE_ALPN
+    test_wolfSSL_UseALPN_connection();
+    test_wolfSSL_UseALPN_params();
+#endif
+}
+
 /*----------------------------------------------------------------------------*
  | Main
  *----------------------------------------------------------------------------*/
@@ -1220,6 +1458,7 @@ void ApiTest(void)
     test_wolfSSL_UseMaxFragment();
     test_wolfSSL_UseTruncatedHMAC();
     test_wolfSSL_UseSupportedCurve();
+    test_wolfSSL_UseALPN();
 
     test_wolfSSL_Cleanup();
     printf(" End API Tests\n");
diff --git a/wolfssl/error-ssl.h b/wolfssl/error-ssl.h
index c3ff047fc..f07796079 100644
--- a/wolfssl/error-ssl.h
+++ b/wolfssl/error-ssl.h
@@ -138,6 +138,8 @@ enum wolfSSL_ErrorCodes {
     RSA_SIGN_FAULT          = -403,        /* RSA Sign fault */
     HANDSHAKE_SIZE_ERROR    = -404,        /* Handshake message too large */
 
+    UNKNOWN_ALPN_PROTOCOL_NAME_E = -405,   /* Unrecognized protocol name Error*/
+
     /* add strings to SetErrorString !!!!! */
 
     /* begin negotiation parameter errors */
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index 85afad61c..ec3a763a8 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -1466,7 +1466,8 @@ typedef enum {
     ELLIPTIC_CURVES        = 0x000a,
     SESSION_TICKET         = 0x0023,
     SECURE_RENEGOTIATION   = 0xff01,
-    WOLFSSL_QSH            = 0x0018  /* Quantum-Safe-Hybrid */
+    WOLFSSL_QSH            = 0x0018, /* Quantum-Safe-Hybrid */
+    WOLFSSL_ALPN           = 0x0010  /* Application-Layer Protocol Name */
 } TLSX_Type;
 
 typedef struct TLSX {
@@ -1499,7 +1500,8 @@ WOLFSSL_LOCAL int    TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length,
    || defined(HAVE_TRUNCATED_HMAC)       \
    || defined(HAVE_SUPPORTED_CURVES)     \
    || defined(HAVE_SECURE_RENEGOTIATION) \
-   || defined(HAVE_SESSION_TICKET)
+   || defined(HAVE_SESSION_TICKET) \
+   || defined(HAVE_ALPN)
 
 #error Using TLS extensions requires HAVE_TLS_EXTENSIONS to be defined.
 
@@ -1533,6 +1535,24 @@ WOLFSSL_LOCAL int    TLSX_SNI_GetFromBuffer(const byte* buffer, word32 bufferSz,
 
 #endif /* HAVE_SNI */
 
+/* Application-layer Protocol Name */
+#ifdef HAVE_ALPN
+typedef struct ALPN {
+    char*        protocol_name; /* ALPN protocol name */
+    struct ALPN* next;          /* List Behavior      */
+    byte         options;       /* Behaviour options */
+    byte         negociated;    /* ALPN protocol negociated or not */
+} ALPN;
+
+WOLFSSL_LOCAL int TLSX_ALPN_GetRequest(TLSX* extensions,
+                                       void** data, word16 *dataSz);
+
+WOLFSSL_LOCAL int TLSX_UseALPN(TLSX** extensions, const void* data,
+                               word16 size, byte options);
+
+WOLFSSL_LOCAL int TLSX_ALPN_SetOptions(TLSX** extensions, const byte option);
+#endif /* HAVE_ALPN */
+
 /* Maximum Fragment Length */
 #ifdef HAVE_MAX_FRAGMENT
 
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index 19a7b2cf5..b1a890e36 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -187,7 +187,8 @@ enum AlertDescription {
     protocol_version        = 70,
     #endif
     no_renegotiation        = 100,
-    unrecognized_name       = 112
+    unrecognized_name       = 112,
+    no_application_protocol = 120
 };
 
 
@@ -673,6 +674,7 @@ enum { /* ssl Constants */
     SSL_SUCCESS         =  1,
     SSL_SHUTDOWN_NOT_DONE =  2,  /* call wolfSSL_shutdown again to complete */
 
+    SSL_ALPN_NOT_FOUND  = -9,
     SSL_BAD_CERTTYPE    = -8,
     SSL_BAD_STAT        = -7,
     SSL_BAD_PATH        = -6,
@@ -1347,6 +1349,31 @@ WOLFSSL_API int wolfSSL_SNI_GetFromBuffer(
 #endif
 #endif
 
+/* Application-Layer Protocol Name */
+#ifdef HAVE_ALPN
+
+/* ALPN status code */
+enum {
+    WOLFSSL_ALPN_NO_MATCH = 0,
+    WOLFSSL_ALPN_MATCH    = 1,
+    WOLFSSL_ALPN_CONTINUE_ON_MISMATCH = 2,
+    WOLFSSL_ALPN_FAILED_ON_MISMATCH = 4,
+};
+
+enum {
+    WOLFSSL_MAX_ALPN_PROTO_NAME_LEN = 255,
+    WOLFSSL_MAX_ALPN_NUMBER = 257
+};
+
+WOLFSSL_API int wolfSSL_UseALPN(WOLFSSL* ssl, char *protocol_name_list,
+                                unsigned int protocol_name_listSz,
+                                unsigned char options);
+
+WOLFSSL_API int wolfSSL_ALPN_GetProtocol(WOLFSSL* ssl, char **protocol_name,
+                                         unsigned short *size);
+
+#endif /* HAVE_ALPN */
+
 /* Maximum Fragment Length */
 #ifdef HAVE_MAX_FRAGMENT
 
diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h
index 55969ee23..d97636e0a 100644
--- a/wolfssl/wolfcrypt/types.h
+++ b/wolfssl/wolfcrypt/types.h
@@ -216,7 +216,7 @@
 	        #define XSTRNCASECMP(s1,s2,n) _strnicmp((s1),(s2),(n))
 	    #endif
 
-        #ifdef WOLFSSL_CERT_EXT
+        #if defined(WOLFSSL_CERT_EXT) || defined(HAVE_ALPN)
             /* use only Thread Safe version of strtok */
             #ifndef USE_WINDOWS_API
                 #define XSTRTOK strtok_r