diff --git a/libmproxy/protocol2/http.py b/libmproxy/protocol2/http.py
index 649e7843e..e3878fa6f 100644
--- a/libmproxy/protocol2/http.py
+++ b/libmproxy/protocol2/http.py
@@ -279,7 +279,7 @@ class HttpLayer(Layer):
 if isinstance(e, ProtocolException):
 raise e
 else:
- raise ProtocolException(repr(e), e)
+ raise ProtocolException("Error in HTTP connection: %s" % repr(e), e)
 finally:
 flow.live = False
diff --git a/libmproxy/protocol2/tls.py b/libmproxy/protocol2/tls.py
index 96ee643f4..ce684eb9c 100644
--- a/libmproxy/protocol2/tls.py
+++ b/libmproxy/protocol2/tls.py
@@ -153,7 +153,7 @@ class TlsLayer(Layer):
 alpn_select_callback=self.__alpn_select_callback,
 )
 except tcp.NetLibError as e:
- raise ProtocolException(repr(e), e)
+ raise ProtocolException("Cannot establish TLS with client: %s" % repr(e), e)
 def _establish_tls_with_server(self):
 self.log("Establish TLS with server", "debug")
@@ -189,9 +189,9 @@ class TlsLayer(Layer):
 (tls_cert_err['depth'], tls_cert_err['errno']),
 "error")
 self.log("Aborting connection attempt", "error")
- raise ProtocolException(repr(e), e)
+ raise ProtocolException("Cannot establish TLS with server: %s" % repr(e), e)
 except tcp.NetLibError as e:
- raise ProtocolException(repr(e), e)
+ raise ProtocolException("Cannot establish TLS with server: %s" % repr(e), e)
 self.log("ALPN selected by server: %s" % self.alpn_for_client_connection, "debug")
diff --git a/libmproxy/proxy/config.py b/libmproxy/proxy/config.py
index ec91a6e0f..4ca15747a 100644
--- a/libmproxy/proxy/config.py
+++ b/libmproxy/proxy/config.py
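Review bot: The new message in the `else` branch spells `"Error in HTTP connection: %s" % repr(e)`, which is the same as `"Error in HTTP connection: %r" % e`; the three raises in the tls.py hunks (@153 and @189) use the same `%s" % repr(e)` form and could be simplified the same way. The original exception is already passed as the second ProtocolException argument, so the message is a human-readable summary rather than the only record of the cause. The enclosing try/except starts before the hunk.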
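Review bot: Both raises in the @189 hunk now carry the identical text "Cannot establish TLS with server: …", so the resulting ProtocolException no longer distinguishes the branch that appears to handle a certificate-verification failure (the `tls_cert_err` log lines above it) from the plain `tcp.NetLibError` transport failure below it. If the message is what surfaces to the user, a distinct prefix such as `"Cannot establish TLS with server (certificate verification failed): %r" % e` on the first raise would preserve that information without relying on the earlier log line. The surrounding try/except and the method body extend beyond the hunk.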
@@ -14,6 +14,9 @@ TRANSPARENT_SSL_PORTS = [443, 8443]
 CONF_BASENAME = "mitmproxy"
 CA_DIR = "~/.mitmproxy"
+# We manually need to specify this, otherwise OpenSSL may select a non-HTTP2 cipher by default.
+# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.2.15&openssl=1.0.2&hsts=yes&profile=old
+DEFAULT_CLIENT_CIPHERS = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
 class HostMatcher(object):
 def __init__(self, patterns=[]):
@@ -241,7 +244,7 @@ def ssl_option_group(parser):
 'Can be passed multiple times.')
 group.add_argument(
 "--ciphers-client", action="store",
- type=str, dest="ciphers_client", default=None,
+ type=str, dest="ciphers_client", default=DEFAULT_CLIENT_CIPHERS,
 help="Set supported ciphers for client connections. (OpenSSL Syntax)"
 )
 group.add_argument(
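Review bot: The comment above `DEFAULT_CLIENT_CIPHERS` gives the HTTP/2 motivation but not what the list is: the linked generator URL selects Mozilla's "old" compatibility profile, so the client-facing default now offers 3DES (`DES-CBC3-SHA`) and non-forward-secret static-RSA suites (`AES128-SHA` and friends) to clients that prefer them, where `default=None` previously left the choice to the linked OpenSSL. That is a defensible trade-off for an intercepting proxy, but it should be stated, and the HTTP/2 point depends on ordering rather than on the length of the list — the AEAD ECDHE suites come first so that an h2 client is not negotiated onto a suite RFC 7540 black-lists. A comment such as `# Mozilla "old" compatibility profile: AEAD ECDHE suites first so HTTP/2 clients are not negotiated onto a black-listed suite; the tail keeps legacy suites for old clients.` would capture both. The literal would also be easier to review if it were written as `":".join([...])` with one suite per line, or wrapped with implicit string concatenation.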
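Review bot: The `help` string for `--ciphers-client` in the @241 hunk is unchanged although the default moved from `None` to a fixed list, so `--help` no longer tells the user which ciphers are offered when the flag is omitted; argparse's `%(default)s` would print the whole list, which is unwieldy here. A short addition such as `help="Set supported ciphers for client connections. (OpenSSL Syntax) Defaults to a built-in list that prefers HTTP/2-compatible ciphers."` makes it visible that a non-OpenSSL default is in effect.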