diff --git a/ChangeLog.md b/ChangeLog.md
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -1,3 +1,7 @@
+## 3.1.4
+
+* Add an option to disable HTTP2 [#450](https://github.com/yesodweb/wai/pull/450)
+
 ## 3.1.3
 
 * Removing SHA 512 and SHA 384 from supportedCiphers to rescue Safari and golang. [#429](https://github.com/yesodweb/wai/issues/429)
diff --git a/Network/Wai/Handler/WarpTLS.hs b/Network/Wai/Handler/WarpTLS.hs
--- a/Network/Wai/Handler/WarpTLS.hs
+++ b/Network/Wai/Handler/WarpTLS.hs
@@ -35,6 +35,8 @@
     -- * Runner
     , runTLS
     , runTLSSocket
+    , runHTTP2TLS
+    , runHTTP2TLSSocket
     -- * Exception
     , WarpTLSException (..)
     ) where
@@ -42,6 +44,7 @@
 #if __GLASGOW_HASKELL__ < 709
 import Control.Applicative ((<$>))
 #endif
+import Control.Applicative ((<|>))
 import Control.Exception (Exception, throwIO, bracket, finally, handle, fromException, try, IOException, onException, SomeException(..))
 import qualified Control.Exception as E
 import Control.Monad (void)
@@ -57,6 +60,7 @@
 import qualified Network.TLS as TLS
 import qualified Network.TLS.Extra as TLSExtra
 import Network.Wai (Application)
+import Network.Wai.HTTP2 (HTTP2Application)
 import Network.Wai.Handler.Warp
 import Network.Wai.Handler.Warp.Internal
 import System.IO.Error (isEOFError)
@@ -217,21 +221,39 @@
 
 ----------------------------------------------------------------
 
+-- Composition over two arguments at once; used for runHTTP2\*.
+(.:) :: (c -> d) -> (a -> b -> c) -> a -> b -> d
+f .: g = curry $ f . uncurry g
 
 -- | Running 'Application' with 'TLSSettings' and 'Settings'.
 runTLS :: TLSSettings -> Settings -> Application -> IO ()
-runTLS tset set app = withSocketsDo $
+runTLS tset set = runServeTLS tset set . serveDefault
+
+-- | Run an HTTP\/2-aware server with 'TLSSettings' and 'Settings'.
+runHTTP2TLS :: TLSSettings -> Settings -> HTTP2Application -> Application -> IO ()
+runHTTP2TLS tset set = runServeTLS tset set .: serveHTTP2
+
+runServeTLS :: TLSSettings -> Settings -> ServeConnection -> IO ()
+runServeTLS tset set serve = withSocketsDo $
     bracket
         (bindPortTCP (getPort set) (getHost set))
         sClose
-        (\sock -> runTLSSocket tset set sock app)
+        (\sock -> runServeTLSSocket tset set sock serve)
 
 ----------------------------------------------------------------
 
 -- | Running 'Application' with 'TLSSettings' and 'Settings' using
 --   specified 'Socket'.
 runTLSSocket :: TLSSettings -> Settings -> Socket -> Application -> IO ()
-runTLSSocket tlsset@TLSSettings{..} set sock app = do
+runTLSSocket tset set sock = runServeTLSSocket tset set sock . serveDefault
+
+-- | Run an HTTP\/2-aware server with 'TLSSettings' and 'Settings' using
+--   specified 'Socket'.
+runHTTP2TLSSocket :: TLSSettings -> Settings -> Socket -> HTTP2Application -> Application -> IO ()
+runHTTP2TLSSocket tset set sock = runServeTLSSocket tset set sock .: serveHTTP2
+
+runServeTLSSocket :: TLSSettings -> Settings -> Socket -> ServeConnection -> IO ()
+runServeTLSSocket tlsset@TLSSettings{..} set sock serve = do
     credential <- case (certMemory, keyMemory) of
         (Nothing, Nothing) ->
             either error id <$>
@@ -241,11 +263,11 @@
             key <- maybe (S.readFile keyFile) return mkey
             either error return $
               TLS.credentialLoadX509ChainFromMemory cert chainCertsMemory key
-    runTLSSocket' tlsset set credential sock app
+    runServeTLSSocket' tlsset set credential sock serve
 
-runTLSSocket' :: TLSSettings -> Settings -> TLS.Credential -> Socket -> Application -> IO ()
-runTLSSocket' tlsset@TLSSettings{..} set credential sock app =
-    runSettingsConnectionMakerSecure set get app
+runServeTLSSocket' :: TLSSettings -> Settings -> TLS.Credential -> Socket -> ServeConnection -> IO ()
+runServeTLSSocket' tlsset@TLSSettings{..} set credential sock serve =
+    runServeSettingsConnectionMakerSecure set get serve
   where
     get = getter tlsset sock params
     params = TLS.ServerParams {
@@ -258,7 +280,8 @@
       }
     -- Adding alpn to user's tlsServerHooks.
     hooks = tlsServerHooks {
-        TLS.onALPNClientSuggest = Just alpn
+        TLS.onALPNClientSuggest = TLS.onALPNClientSuggest tlsServerHooks <|>
+          (if settingsHTTP2Enabled set then Just alpn else Nothing)
       }
     shared = def {
         TLS.sharedCredentials = TLS.Credentials [credential]
diff --git a/warp-tls.cabal b/warp-tls.cabal
--- a/warp-tls.cabal
+++ b/warp-tls.cabal
@@ -1,5 +1,5 @@
 Name:                warp-tls
-Version:             3.1.3
+Version:             3.1.4
 Synopsis:            HTTP over TLS support for Warp via the TLS package
 License:             MIT
 License-file:        LICENSE
@@ -19,7 +19,7 @@
 Library
   Build-Depends:     base                          >= 4        && < 5
                    , bytestring                    >= 0.9
-                   , wai                           >= 3.0      && < 3.1
+                   , wai                           >= 3.0.4    && < 3.1
                    , warp                          >= 3.1      && < 3.2
                    , data-default-class            >= 0.0.1
                    , tls                           >= 1.3.2
