Strange 'Prohibited TLS 1.2 cipher suite: 9d' issue

So far I have not used “h2-lwt”, but you can always decide to pass in your custom subset of ciphersuites to use for TLS connections when constructing the client (see https://mirleft.github.io/ocaml-tls/doc/tls/Tls/Config/index.html#val-client); a list of ciphersuites (polyvars) is available at https://mirleft.github.io/ocaml-tls/doc/tls/Tls/Ciphersuite/index.html#type-ciphersuite

From the list posted by @anmonteiro, it looks to me like you’d like to avoid the non-forward-secure ones; maybe using https://mirleft.github.io/ocaml-tls/doc/tls/Tls/Config/Ciphers/index.html#val-fs is sufficient? (i.e. let client = Tls.Config.client ~ciphers:Tls.Config.Ciphers.fs () in ...) Do you have some example code and a remote host available to test with? It may be worth implementing a val Tls.Config.Ciphers.http2 : Tls.Ciphersuite.ciphersuite list if the above fs is not sufficient (it looks like HTTP2 disallows block cipher mode DHE_RSA_AES_128_CBC_SHA etc.).

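The two conditions discussed in the post above (forward secrecy, and no block cipher mode), worked through as an added example that is not part of the original post or of ocaml-tls. It assumes the rule by which RFC 7540 Appendix A describes its prohibited list (no ephemeral key exchange, or a null, stream or block cipher) and a small constructed table of suite IDs with their IANA names; all function names are hypothetical.

```python
# Constructed sample table: TLS 1.2 cipher suite IDs -> IANA names.
SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",   # the "9d" from the error
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}

EPHEMERAL_KEX = ("DHE", "ECDHE")                  # static DH/ECDH/RSA/PSK excluded
AEAD_MARKERS = ("_GCM", "_CCM", "CHACHA20_POLY1305")


def split_name(name):
    """Return (key exchange, cipher part) of a TLS_<kex>_..._WITH_<cipher> name."""
    kex_auth, cipher = name[len("TLS_"):].split("_WITH_", 1)
    return kex_auth.split("_")[0], cipher


def is_forward_secret(name):
    return split_name(name)[0] in EPHEMERAL_KEX


def is_aead(name):
    cipher = split_name(name)[1]
    return any(marker in cipher for marker in AEAD_MARKERS)


def http2_problems(name):
    """Reasons an HTTP/2 peer may reject this TLS 1.2 suite (empty list = fine)."""
    reasons = []
    if not is_forward_secret(name):
        reasons.append("no ephemeral key exchange")
    if not is_aead(name):
        reasons.append("not an AEAD cipher")
    return reasons


def audit(ids):
    """Map each suite ID (as 0x....) to its list of problems."""
    return {f"{i:#06x}": http2_problems(SUITES[i]) for i in ids}


def fs_but_prohibited(ids):
    """Suites a forward-secrecy-only filter keeps but HTTP/2 still prohibits."""
    return sorted(i for i in ids
                  if is_forward_secret(SUITES[i]) and http2_problems(SUITES[i]))
```

Running `fs_but_prohibited(SUITES)` shows the gap the post anticipates: the DHE and ECDHE CBC suites pass a forward-secrecy filter yet fail the AEAD condition.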