- Bug
- Resolution: Done
- Major
- 7.1.0.DR12
I have configured EAP server so it accepts HTTP2 via TLS, is started with OpenSSL libs provided and set openssl.TLS value in /core-service=management/security-realm=ApplicationRealm/server-identity=ssl[protocol] attribute. Then HTTP2 requests from Firefox and Chrome work just fine. But when I set up openssl.TLSv1 protocol attribute value instead, after server reload I get NS_ERROR_NET_INADEQUATE_SECURITY from Firefox and ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY from Chrome.
I think that reason is that server provides h2 protocol in ALPN in server_hello response. This should not be there AFAIK as h2 should be allowed only with TLSv1.2+ as is described here. I think that as client proposed both h2 and http/1.1, server should choose http/1.1 protocol for communication in situation when TLSv1.1 and lower is utilized.
Pcap in attachment (password for server key is 'password').
Note: this is not fixed even when I set 'enabled-protocols' to [TLSv1] only.
Note 2: I have also tested with Undertow master (latest commit) and also with latest wildfly-openssl (latest commit).
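The ALPN rule the report appeals to (h2 only over TLS 1.2 or later, otherwise fall back to http/1.1), as an added example that is not part of the issue, Undertow or wildfly-openssl: `select_alpn` is the server-side choice a compliant ALPN callback should make, `alpn_inadequate` flags the combination the browsers reject, and `probe` connects to a server and reports what it actually negotiated. The host, port and the unverified test certificate are assumptions for a lab box.

```python
import socket
import ssl

# TLS versions in order, spelled as ssl.SSLSocket.version() reports them.
TLS_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def _at_least_tls12(tls_version):
    return TLS_ORDER.index(tls_version) >= TLS_ORDER.index("TLSv1.2")


def select_alpn(tls_version, client_protocols):
    """Server-side ALPN choice: h2 is only acceptable on TLS 1.2+ (RFC 7540 s. 9.2).

    client_protocols is the client's list in its own preference order, e.g.
    ["h2", "http/1.1"]; the first protocol the server may honour wins.
    """
    for proto in client_protocols:
        if proto == "h2" and not _at_least_tls12(tls_version):
            continue  # skip h2 on TLS 1.1 and lower instead of advertising it
        if proto in ("h2", "http/1.1"):
            return proto
    return None  # nothing acceptable: server sends no ALPN extension at all


def alpn_inadequate(tls_version, negotiated):
    """True for the combination that produces NS_ERROR_NET_INADEQUATE_SECURITY."""
    return negotiated == "h2" and not _at_least_tls12(tls_version)


def probe(host="localhost", port=8443, offered=("h2", "http/1.1")):
    """Offer h2 and http/1.1 to a live server and return (tls_version, chosen_alpn).

    Needs network access; host/port are assumptions for a test deployment.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # self-signed lab certificate (assumption)
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_alpn_protocols(list(offered))
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            version, chosen = tls.version(), tls.selected_alpn_protocol()
    if alpn_inadequate(version, chosen):
        print("server picked h2 on %s: browsers will abort" % version)
    return version, chosen
```

Run `probe()` against a server configured with openssl.TLSv1 to confirm whether it still answers h2; a correct server returns `("TLSv1", "http/1.1")` or no ALPN at all.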