Nginx
Nikolai, 2016-01-23 19:11:03

Why doesn't the site work in most browsers after enabling HTTP2?

Hello!

~# nginx -V 
nginx version: nginx/1.9.9
built by gcc 4.9.2 (Debian 4.9.2-10) 
built with OpenSSL 1.0.1k 8 Jan 2015
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-http_v2_module --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,--as-needed' --with-ipv6


I enable http2 support in the server directive on the target site and browsers (Chrome, Firefox, Opera) stop opening it, although the site opens in Safari, QupZilla and curl.
It fails with the following error in Chrome:
ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY

Previously, nginx 1.9.4 was installed with spdy enabled, and everything worked great.
The nginx configs did not change after the version update (installed from the official nginx repositories):
~# cat /etc/apt/sources.list.d/nginx.list 
deb http://nginx.org/packages/mainline/debian/ jessie nginx
deb-src http://nginx.org/packages/mainline/debian/ jessie nginx

Included directives in the http block:
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
resolver XXX.XXX.XXX.XXX;
ssl_trusted_certificate /etc/nginx/ssl/domain-bundle.crt;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers HIGH:!aNULL:!eNULL:!LOW:!ADH:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

Included directives in the server block:
listen 443 ssl http2;
ssl on;
ssl_certificate 	/etc/nginx/ssl/domain-bundle.crt;
ssl_certificate_key 	/etc/nginx/ssl/domain.key;


When I turn off http2, everything starts working in all browsers.
Checking at https://www.ssllabs.com/ssltest shows:
Next Protocol Negotiation (NPN) Yes h2 http/1.1
What's the problem then?
PS: the site is behind a software NAT gateway (iptables-rules)


1 answer(s)
Nikolay, 2016-01-23
@KolyaniuS

Moved the directives regarding the ssl settings from the server { ... } block to http {... } and everything worked ...
nginx.org/ru/docs/http/ngx_http_ssl_module.html
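
Chrome's ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY refers to the TLS requirements HTTP/2 places on a connection (RFC 7540, section 9.2.2): TLS 1.2 or later and a cipher suite outside the Appendix A blacklist. The Python below is an added example, not part of the original thread: it checks which suite a server-preference negotiation would land on and whether HTTP/2 may run over it. The function names are hypothetical, the cipher lists are constructed samples, and the classification is a name-based approximation of the blacklist.

```python
import re

# Constructed sample lists (OpenSSL cipher names, most preferred first). They are
# illustrative and are not the expansion of the HIGH:... string in the question.
SERVER_PREFERENCE = [
    "ECDHE-RSA-AES256-SHA384",      # ephemeral key exchange, but CBC
    "DHE-RSA-AES256-SHA256",        # ephemeral key exchange, but CBC
    "ECDHE-RSA-AES256-GCM-SHA384",  # ephemeral key exchange + AEAD
    "AES256-GCM-SHA384",            # AEAD, but static RSA key exchange
]
CLIENT_OFFER = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-SHA384",
    "AES256-GCM-SHA384",
]

EPHEMERAL = re.compile(r"^(ECDHE|DHE)-")
AEAD = re.compile(r"GCM|CCM|CHACHA20-POLY1305")


def h2_adequate(protocol, cipher):
    """Name-based approximation of RFC 7540 section 9.2.2 / Appendix A."""
    if protocol not in ("TLSv1.2", "TLSv1.3"):
        return False
    if cipher.startswith("TLS_"):  # TLS 1.3 suites are all AEAD with ephemeral keys
        return True
    return bool(EPHEMERAL.match(cipher) and AEAD.search(cipher))


def negotiate(server_pref, client_offer, prefer_server=True):
    """Pick the suite as a server does with ssl_prefer_server_ciphers on/off."""
    first, second = (server_pref, client_offer) if prefer_server else (client_offer, server_pref)
    allowed = set(second)
    return next((c for c in first if c in allowed), None)


def audit(server_pref, client_offer, protocol="TLSv1.2", prefer_server=True):
    """Return (negotiated suite, whether HTTP/2 may run over it)."""
    chosen = negotiate(server_pref, client_offer, prefer_server)
    return chosen, chosen is not None and h2_adequate(protocol, chosen)


def h2_first(server_pref, protocol="TLSv1.2"):
    """Reorder a preference list so HTTP/2-adequate suites come first (stable)."""
    return sorted(server_pref, key=lambda c: not h2_adequate(protocol, c))


if __name__ == "__main__":
    print(audit(SERVER_PREFERENCE, CLIENT_OFFER))
    print(audit(h2_first(SERVER_PREFERENCE), CLIENT_OFFER))
```

With server preference enabled, the first mutually supported suite in the server's list decides the outcome, so a CBC suite listed ahead of the GCM ones yields an inadequate connection even for a client that offers GCM.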
