Firefox 38 offers these cipher suites when trying to connect via HTTP/2 ALPN:

[TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]

Sadly, OpenJDK 8, which is part of Fedora 22, doesn’t support ECC, so none of the ECDHE key exchange algorithms are available :-(

Besides that, Firefox 38 also checks some additional constraints for the TLS connection:

– Key Exchange Algorithm (KEA) must be DHE or ECDHE

– DHE key size must be 2048 bits, ECDHE key size must be 256 bits

– Cipher suites must support AEAD, e.g. AES GCM

(see Http2Session::ConfirmTLSProfile() in mozilla-central/netwerk/protocol/http/Http2Session.cpp)

Misc. tips:

– DHE key size can be set with the system property jdk.tls.ephemeralDHKeySize=2048

– TLS connection can be

But these are only available with ECDHE (Firefox seems to offer these cipher suites:

Sadly the OpenJDK 8 in Fedora 22 doesn’t contain ECC support :-(

See also https://bugzilla.redhat.com/show_bug.cgi?id=1019554 and https://bugs.eclipse.org/bugs/show_bug.cgi?id=468106#c12

So to get HTTP/2 with Jetty on Fedora 22 you must use the Oracle JDK 8 for now!
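
To see whether a given JVM has any suite left for HTTP/2 with Firefox 38, the following added example (not code from this post's sources, Jetty or Mozilla) intersects the Firefox list above with the suites the running JVM supports and keeps those that meet the key exchange and AEAD constraints. The class name `Http2SuiteCheck` is hypothetical, AEAD is recognised only by `_GCM_` in the suite name (an assumption), and key sizes are not checked.

```java
import javax.net.ssl.SSLContext;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Hypothetical class name; added example, not code from Jetty or Firefox.
public class Http2SuiteCheck {
    // Cipher suites Firefox 38 offers, copied from the list in the post.
    static final List<String> FIREFOX_38 = Arrays.asList(
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "SSL_RSA_WITH_3DES_EDE_CBC_SHA");

    // Name-level form of the constraints: DHE/ECDHE key exchange plus AEAD.
    // Assumption: AEAD is recognised only by "_GCM_" in the suite name.
    static boolean passesProfile(String suite) {
        boolean ephemeral = suite.startsWith("TLS_DHE_") || suite.startsWith("TLS_ECDHE_");
        return ephemeral && suite.contains("_GCM_");
    }

    // Suites that Firefox offers, that pass the profile, and that this JVM supports.
    static List<String> usable(Set<String> jvmSuites) {
        List<String> out = new ArrayList<>();
        for (String s : FIREFOX_38) {
            if (passesProfile(s) && jvmSuites.contains(s)) out.add(s);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Ask the default JSSE provider which suites it can negotiate at all.
        Set<String> jvm = new HashSet<>(Arrays.asList(
            SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()));
        for (String s : FIREFOX_38) {
            String why = !passesProfile(s) ? "fails HTTP/2 profile"
                       : jvm.contains(s) ? "usable" : "not supported by this JVM";
            System.out.println(s + ": " + why);
        }
        System.out.println("Usable for HTTP/2 with Firefox 38: " + usable(jvm));
    }
}
```

Only the two ECDHE GCM suites in the Firefox list pass the name-level filter, so an empty result on a JVM without ECC is the situation described above.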