--- a/src/java.net.http/share/classes/jdk/internal/net/http/AbstractAsyncSSLConnection.java Tue Jul 03 11:23:42 2018 +0200
+++ b/src/java.net.http/share/classes/jdk/internal/net/http/AbstractAsyncSSLConnection.java Tue Jul 03 14:12:49 2018 +0100
@@ -27,6 +27,7 @@
import java.net.InetSocketAddress;
import java.util.Arrays;
+import java.util.ArrayDeque;
import java.util.List;
import java.util.concurrent.CompletableFuture;
import javax.net.ssl.SNIHostName;
@@ -89,11 +90,30 @@
final SSLEngine getEngine() { return engine; }
+ private static boolean contains(String[] rr, String target) {
+ for (String s : rr)
+ if (target.equalsIgnoreCase(s))
+ return true;
+ return false;
+ }
+
private static SSLParameters createSSLParameters(HttpClientImpl client,
ServerName serverName,
String[] alpn) {
SSLParameters sslp = client.sslParameters();
SSLParameters sslParameters = Utils.copySSLParameters(sslp);
+ // filter out unwanted protocols, if h2 only
+ if (alpn != null && alpn.length != 0 && !contains(alpn, "http/1.1")) {
+ ArrayDeque<String> l = new ArrayDeque<>();
+ for (String proto : sslParameters.getProtocols()) {
+ if (!proto.startsWith("SSL") && !proto.endsWith("v1.1") && !proto.endsWith("v1")) {
+ l.add(proto);
+ }
+ }
+ String[] a1 = l.toArray(new String[0]);
+ sslParameters.setProtocols(a1);
+ }
+
if (!disableHostnameVerification)
sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
if (alpn != null) {
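Review bot: The h2-only filter in createSSLParameters iterates `sslParameters.getProtocols()` without a null check, and SSLParameters returns null there when no protocol list was set. Parameters that arrive without explicit protocols would then throw a NullPointerException instead of being restricted to TLS 1.2 or later; whether `Utils.copySSLParameters` can produce that case is not visible in this hunk. The filter is also a deny-list on name shape (`startsWith("SSL")`, `endsWith("v1.1")`, `endsWith("v1")`), so any enabled name that does not match those patterns is kept; an allow-list such as `if (proto.equals("TLSv1.2") || proto.equals("TLSv1.3")) l.add(proto);` states the HTTP/2 minimum (RFC 7540 section 9.2) directly. If nothing survives the filter, `setProtocols(new String[0])` presumably only shows up later as an opaque handshake failure, so an explicit exception with a clear message here would be easier to diagnose. createSSLParameters continues past the end of the hunk.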
@@ -112,10 +132,12 @@
return sslParameters;
}
+
private static SSLEngine createEngine(SSLContext context, String serverName, int port,
SSLParameters sslParameters) {
SSLEngine engine = context.createSSLEngine(serverName, port);
engine.setUseClientMode(true);
+
engine.setSSLParameters(sslParameters);
return engine;
}
--- a/src/java.net.http/share/classes/jdk/internal/net/http/HttpClientImpl.java Tue Jul 03 11:23:42 2018 +0200
+++ b/src/java.net.http/share/classes/jdk/internal/net/http/HttpClientImpl.java Tue Jul 03 14:12:49 2018 +0100
@@ -329,7 +329,18 @@
private static SSLParameters getDefaultParams(SSLContext ctx) {
SSLParameters params = ctx.getSupportedSSLParameters();
- params.setProtocols(new String[]{"TLSv1.2"});
+ String[] protocols = params.getProtocols();
+ boolean found13 = false;
+ for (String proto : protocols) {
+ if (proto.equals("TLSv1.3")) {
+ found13 = true;
+ break;
+ }
+ }
+ if (found13)
+ params.setProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
+ else
+ params.setProtocols(new String[] {"TLSv1.2"});
return params;
}
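Review bot: `getDefaultParams` checks only for TLSv1.3 and then enables `TLSv1.2` unconditionally in both branches, so a context whose supported list lacks TLSv1.2 is handed a protocol it cannot honour. Building the array from what is actually present keeps the preference order and drops the hand-written loop, e.g. `List<String> supported = Arrays.asList(params.getProtocols());` followed by `params.setProtocols(Stream.of("TLSv1.3", "TLSv1.2").filter(supported::contains).toArray(String[]::new));` (the file's imports are not visible here). The list comes from `getSupportedSSLParameters()` rather than the context's default parameters, which I would assume means TLSv1.3 is switched on whenever the provider supports it, regardless of the deployment's default protocol configuration. A short comment saying that this is intended, and that the client deliberately offers nothing below TLSv1.2 by default, would help the next reader.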
--- a/test/jdk/java/net/httpclient/http2/FixedThreadPoolTest.java Tue Jul 03 11:23:42 2018 +0200
+++ b/test/jdk/java/net/httpclient/http2/FixedThreadPoolTest.java Tue Jul 03 14:12:49 2018 +0100
@@ -177,13 +177,24 @@
System.err.println("DONE");
}
+ // expect highest supported version we know about
+ static String expectedTLSVersion(SSLContext ctx) {
+ SSLParameters params = ctx.getSupportedSSLParameters();
+ String[] protocols = params.getProtocols();
+ for (String prot : protocols) {
+ if (prot.equals("TLSv1.3"))
+ return "TLSv1.3";
+ }
+ return "TLSv1.2";
+ }
+
static void paramsTest() throws Exception {
System.err.println("paramsTest");
Http2TestServer server = new Http2TestServer(true, 0, exec, sslContext);
server.addHandler((t -> {
SSLSession s = t.getSSLSession();
String prot = s.getProtocol();
- if (prot.equals("TLSv1.2")) {
+ if (prot.equals(expectedTLSVersion(sslContext))) {
t.sendResponseHeaders(200, -1);
} else {
System.err.printf("Protocols =%s\n", prot);
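Review bot: `expectedTLSVersion` repeats the production selection logic (probe the supported list for TLSv1.3, else TLSv1.2) and is duplicated almost verbatim in the TLSConnection.java hunk. The two tests therefore confirm that the client negotiates the highest version, but nothing in the hunks shown checks the new h2-only restriction in AbstractAsyncSSLConnection. A negative case, where an h2-only client meets a server limited to TLSv1.1 and the connection is expected to fail, would pin the security-relevant behaviour of this change. The helper could also live in one shared test utility, with a comment such as `// mirrors HttpClientImpl.getDefaultParams: highest of TLSv1.3/TLSv1.2 the context supports`. paramsTest continues past the end of the hunk.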
--- a/test/jdk/java/net/httpclient/http2/TLSConnection.java Tue Jul 03 11:23:42 2018 +0200
+++ b/test/jdk/java/net/httpclient/http2/TLSConnection.java Tue Jul 03 14:12:49 2018 +0100
@@ -32,6 +32,7 @@
import java.net.http.HttpRequest;
import java.net.http.HttpRequest.BodyPublishers;
import java.net.http.HttpResponse.BodyHandlers;
+import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
@@ -57,6 +58,19 @@
private static final SSLParameters USE_DEFAULT_SSL_PARAMETERS = new SSLParameters();
+ // expect highest supported version we know about
+ static String expectedTLSVersion(SSLContext ctx) throws Exception {
+ if (ctx == null)
+ ctx = SSLContext.getDefault();
+ SSLParameters params = ctx.getSupportedSSLParameters();
+ String[] protocols = params.getProtocols();
+ for (String prot : protocols) {
+ if (prot.equals("TLSv1.3"))
+ return "TLSv1.3";
+ }
+ return "TLSv1.2";
+ }
+
public static void main(String[] args) throws Exception {
// re-enable 3DES
Security.setProperty("jdk.tls.disabledAlgorithms", "");
@@ -92,7 +106,7 @@
"---\nTest #2: default SSL parameters, "
+ "expect successful connection",
() -> connect(uriString, USE_DEFAULT_SSL_PARAMETERS));
- success &= checkProtocol(handler.getSSLSession(), "TLSv1.2");
+ success &= checkProtocol(handler.getSSLSession(), expectedTLSVersion(null));
// set SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA cipher suite
// which has less priority in default cipher suite list