According to RFC 7540, an HTTP/2 implementation may treat the negotiation
of a weak cipher suite (i.e. most cipher suites that have ever existed) as
a connection error. I'm skeptical of the way the client is currently
interpreting this part of the RFC: it is preemptively removing all of the
blacklisted cipher suites before the connection has even been negotiated.
Since most endpoints don't actually support HTTP/2, this mainly just makes
it harder to connect to HTTP/1.1 endpoints without setting `FORCE_HTTP_1`.
I'd like to remove the current filtering logic and replace it with logic
that validates the negotiated cipher suite *after* h2 has actually been
negotiated. Any objections?
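
The check proposed above, sketched as an added example (not code from the client under discussion): the full suite list is offered, and the HTTP/2 rule is applied only once ALPN has selected `h2`. The function names are hypothetical, suite names are assumed to be IANA names, and the predicate approximates the RFC 7540 Appendix A list by the properties that appendix says it was assembled from rather than enumerating it.

```python
"""Added example: cipher-suite check run after ALPN, per RFC 7540 section 9.2.2."""

INADEQUATE_SECURITY = 0xC  # HTTP/2 error code defined in RFC 7540 section 7

# Assumption: instead of the literal Appendix A list, test the properties the
# appendix says it was built from (no ephemeral key exchange, or a null,
# stream or block cipher). Suite names are IANA names.
EPHEMERAL_KX = ("TLS_DHE_", "TLS_ECDHE_")
AEAD_MARKERS = ("_GCM_", "_CCM", "_CHACHA20_POLY1305")


class InadequateSecurity(Exception):
    """Connection error to raise when h2 was negotiated over a weak suite."""
    code = INADEQUATE_SECURITY


def is_h2_acceptable(suite: str) -> bool:
    aead = any(marker in suite for marker in AEAD_MARKERS)
    if "_WITH_" not in suite:
        # TLS 1.3 style name: key exchange is always ephemeral.
        return suite.startswith("TLS_") and aead
    return suite.startswith(EPHEMERAL_KX) and aead


def protocol_after_handshake(alpn, suite):
    """Hypothetical hook: call once with the ALPN result and negotiated suite."""
    if alpn != "h2":
        return "http/1.1"  # the HTTP/2 rule does not apply; any suite passes
    if not is_h2_acceptable(suite):
        raise InadequateSecurity(f"h2 negotiated over {suite}")
    return "h2"


# Constructed handshake outcomes: (ALPN result, negotiated suite).
SAMPLES = [
    (None, "TLS_RSA_WITH_AES_128_CBC_SHA"),
    ("h2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
    ("h2", "TLS_RSA_WITH_AES_128_GCM_SHA256"),
    ("h2", "TLS_AES_256_GCM_SHA384"),
]

if __name__ == "__main__":
    for alpn, suite in SAMPLES:
        try:
            print(alpn, suite, "->", protocol_after_handshake(alpn, suite))
        except InadequateSecurity as err:
            print(alpn, suite, "-> connection error", hex(err.code), err)
```
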