It might be because of the following error:
Firefox 47 / Win 7 R Server negotiated HTTP/2 with blacklisted suite
RSA 2048 (SHA256) | TLS 1.2 > h2 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDH secp256r1
(Source: SSL Server Test: support.wegot.vision (Powered by Qualys SSL Labs))
You can find the blacklisted cipher suites for HTTP2 here: https://http2.github.io/http2-spec/#BadCipherSuites
The list of cipher suites provided by my Firefox (45):
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) Forward Secrecy 128
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) Forward Secrecy 256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) Forward Secrecy 128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) Forward Secrecy 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112
Cross-reference that with the list of cipher suites your server offers from the page I linked to above. You'll see the first possible cipher suite of your server which is listed in the client's supported cipher suites is TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014). And that suite is blacklisted.
Possible options:
- Fix your server's cipher suites. The list of cipher suites now currently used is like.. Ancient? A useful method is using the Mozilla SSL Configuration Generator.
- Disable HTTP2. But that won't change the fact you're using ancient cipher suites and possibly not getting the optimal encryption.
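
The cross-reference described above, as an added example that is not part of the original post: it picks the first server-preferred suite the client also offers and checks it against the HTTP/2 blacklist rule. `SERVER_PREFERENCE` is a constructed order (the real one is in the SSL Labs report), and `h2_acceptable` is a heuristic based on the RFC 7540 Appendix A description (ephemeral key exchange plus AEAD cipher), not the literal list.

```python
import re

# Client offer: the Firefox 45 list quoted in the post, in the client's order.
CLIENT_OFFER = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

# Constructed server preference order (assumption, not the real server's list).
SERVER_PREFERENCE = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]

def h2_acceptable(suite):
    """Heuristic for TLS 1.2 suite names: ephemeral key exchange AND AEAD cipher."""
    ephemeral = re.match(r"TLS_(ECDHE|DHE)_", suite) is not None
    aead = re.search(r"_(GCM|CCM|CHACHA20_POLY1305)(_|$)", suite) is not None
    return ephemeral and aead

def negotiate(server_pref, client_offer):
    """Server-preference selection: first server suite the client also offers."""
    offered = set(client_offer)
    return next((s for s in server_pref if s in offered), None)

def reorder_for_h2(server_pref):
    """Stable sort: HTTP/2-acceptable suites first, legacy suites kept as fallback."""
    return sorted(server_pref, key=lambda s: not h2_acceptable(s))

if __name__ == "__main__":
    for label, pref in (("before", SERVER_PREFERENCE),
                        ("after", reorder_for_h2(SERVER_PREFERENCE))):
        chosen = negotiate(pref, CLIENT_OFFER)
        print(label, chosen, "h2 ok" if h2_acceptable(chosen) else "h2 blacklisted")
```

With the constructed order, the client's GCM suites are never reached because a CBC suite it also supports sits higher in the server's list; moving the AEAD suites to the top changes the negotiated suite without removing the fallbacks.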