diff --git a/lib/auth/transport_credentials_test.go b/lib/auth/transport_credentials_test.go
index 732cfc2436b16..c0a4519d51dcb 100644
--- a/lib/auth/transport_credentials_test.go
+++ b/lib/auth/transport_credentials_test.go
@@ -287,7 +287,11 @@ func TestTransportCredentials_ServerHandshake(t *testing.T) {
 require.NoError(t, err)
 t.Cleanup(func() { require.NoError(t, conn.Close()) })
 
- // this would be done by the grpc TransportCredential in the client
+ // this would be done by the grpc TransportCredential in the grpc
+ // client, but we're going to fake it with just a tls.Client, so we
+ // have to add the http2 next proto ourselves (enforced by grpc-go
+ // starting from v1.67, and required by the http2 spec when speaking
+ // http2 in TLS)
 clientTLSConf := test.clientTLSConf
 if !slices.Contains(clientTLSConf.NextProtos, "h2") {
 clientTLSConf = clientTLSConf.Clone()
diff --git a/lib/teleterm/grpccredentials.go b/lib/teleterm/grpccredentials.go
index 75e6e44266259..f0c7c7562927f 100644
--- a/lib/teleterm/grpccredentials.go
+++ b/lib/teleterm/grpccredentials.go
@@ -118,7 +118,6 @@ func createClientTLSConfig(clientKeyPair tls.Certificate, serverCertPath string)
 
 return &tls.Config{
 Certificates: []tls.Certificate{clientKeyPair},
- NextProtos: []string{"h2"},
 RootCAs: certPool,
 }, nil
 }
diff --git a/lib/teleterm/teleterm_test.go b/lib/teleterm/teleterm_test.go
index 854273d71c683..bf7b2f6a2e548 100644
--- a/lib/teleterm/teleterm_test.go
+++ b/lib/teleterm/teleterm_test.go
@@ -27,6 +27,7 @@ import (
 "net"
 "os"
 "path/filepath"
+ "slices"
 "testing"
 "time"
 
@@ -226,5 +227,13 @@ func createValidClientTLSConfig(t *testing.T, certsDir string) *tls.Config {
 tlsConfig, err := createClientTLSConfig(clientCert, serverCertPath)
 require.NoError(t, err)
 
+ // this would be done by the grpc TransportCredential in the grpc client,
+ // but we're going to fake it with just a tls.Client, so we have to add the
+ // http2 next proto ourselves (enforced by grpc-go starting from v1.67, and
+ // required by the http2 spec when speaking http2 in TLS)
+ if !slices.Contains(tlsConfig.NextProtos, "h2") {
+ tlsConfig.NextProtos = append(tlsConfig.NextProtos, "h2")
+ }
+
 return tlsConfig
 }
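Review bot: Because createValidClientTLSConfig now appends `"h2"` itself, this test keeps passing even if a production caller uses the config from createClientTLSConfig without the grpc TLS credentials that normally add the ALPN entry. The production callers are not visible in this diff, so that contract should be recorded where the config is built rather than only in test comments. I would add a doc comment on createClientTLSConfig in grpccredentials.go along the lines of `// NextProtos is intentionally unset: the returned config must be wrapped in grpc TransportCredentials, which add "h2"; a bare tls.Client offers no ALPN.` The body of createValidClientTLSConfig starts outside this hunk, so the rest of the helper was not reviewed.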