diff --git a/caddy/setup/tls.go b/caddy/setup/tls.go
index 5b6c086e9..cf45278ca 100644
--- a/caddy/setup/tls.go
+++ b/caddy/setup/tls.go
@@ -95,7 +95,8 @@ func SetDefaultTLSParams(c *server.Config) {
 	}
 
 	// Not a cipher suite, but still important for mitigating protocol downgrade attacks
-	c.TLS.Ciphers = append(c.TLS.Ciphers, tls.TLS_FALLBACK_SCSV)
+	// (prepend since having it at end breaks http2 due to non-h2-approved suites before it)
+	c.TLS.Ciphers = append([]uint16{tls.TLS_FALLBACK_SCSV}, c.TLS.Ciphers...)
 
 	// Set default protocol min and max versions - must balance compatibility and security
 	if c.TLS.ProtocolMinVersion == 0 {
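Review bot: The new comment on the prepend says why the value moved but not the invariant that keeps it working: as I understand the HTTP/2 cipher-order check, it rejects a list in which any non-blacklisted ID follows a blacklisted suite, so anything added to `c.TLS.Ciphers` after this point could break h2 again. I would state that directly, e.g. `// must stay first: the h2 cipher-order check fails if a non-blacklisted ID follows a blacklisted suite`. Separately, crypto/tls servers appear to act on TLS_FALLBACK_SCSV in the ClientHello regardless of what Config.CipherSuites contains, so it is worth confirming that this entry really provides the downgrade protection the comment above it claims. SetDefaultTLSParams begins and continues outside this hunk, so how user-supplied suites are ordered is not visible here.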
diff --git a/server/server.go b/server/server.go
index 4fe12b369..5794c167d 100644
--- a/server/server.go
+++ b/server/server.go
@@ -15,8 +15,6 @@ import (
 	"runtime"
 	"sync"
 	"time"
-
-	"golang.org/x/net/http2"
 )
 
 // Server represents an instance of a server, which serves
@@ -179,9 +177,8 @@ func (s *Server) serve(ln ListenerFile) error {
 // called just before the listener announces itself on the network
 // and should only be called when the server is just starting up.
 func (s *Server) setup() error {
-	if s.HTTP2 {
-		// TODO: This call may not be necessary after HTTP/2 is merged into std lib
-		http2.ConfigureServer(s.Server, nil)
+	if !s.HTTP2 {
+		s.TLSNextProto = make(map[string]func(*http.Server, *tls.Conn, http.Handler))
 	}
 
 	// Execute startup functions now
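Review bot: The `if !s.HTTP2` branch in setup() turns HTTP/2 off by assigning an empty, non-nil `TLSNextProto` map, and that is not obvious from the line itself. A later maintainer could take it for dead initialisation and remove it, silently re-enabling h2 for sites that opted out. I would add `// a non-nil, empty TLSNextProto tells net/http not to enable HTTP/2 automatically` above the assignment. The assignment also replaces whatever TLSNextProto held before; if anything else may register ALPN handlers on the server, that should be checked. The rest of setup() lies outside the hunk.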
@@ -206,9 +203,6 @@ func (s *Server) setup() error {
 // client authentication, and our custom Server type.
 func serveTLSWithSNI(s *Server, ln net.Listener, tlsConfigs []TLSConfig) error {
 	config := cloneTLSConfig(s.TLSConfig)
-	if config.NextProtos == nil {
-		config.NextProtos = []string{"http/1.1"}
-	}
 
 	// Here we diverge from the stdlib a bit by loading multiple certs/key pairs
 	// then we map the server names to their certs
@@ -236,6 +230,7 @@ func serveTLSWithSNI(s *Server, ln net.Listener, tlsConfigs []TLSConfig) error {
 		defer close(s.startChan)
 		return err
 	}
+	s.TLSConfig = config
 
 	// Create TLS listener - note that we do not replace s.listener
 	// with this TLS listener; tls.listener is unexported and does
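Review bot: The added `s.TLSConfig = config` in serveTLSWithSNI mutates shared server state without a comment saying why. Presumably it is there so that net/http's HTTP/2 setup sees, and adds ALPN protocols to, the same config the TLS listener uses, now that the earlier hunk removed the explicit `http/1.1` NextProtos default. A comment such as `// net/http configures HTTP/2 (ALPN) on s.TLSConfig, so it must be the config the listener is built from` would record that. It is worth confirming that nothing reads s.TLSConfig concurrently at this point (for example during a restart), and that leaving NextProtos empty when HTTP2 is disabled is the intended ALPN behaviour. The function starts and ends outside this hunk.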