NodePort Service for http/2 with TLS backend does not work

I have a backend app which implements RESTful APIs over http/2. My requirement is to expose the backend service to the host network and I do it using NodePort.

apiVersion: v1
kind: Service
metadata:
  name: gold-service
spec:
  selector:
    app: gold-app
  ports:
  - name: gold-port
    port: 12349
    nodePort: 32349
  type: NodePort

When the app runs without TLS, the service is accessible as expected from outside the cluster. However, when the app runs with TLS, the service is no longer accessible. I observe from packet capture that the TLS handshake begins but does not conclude successfully.

$ curl https://10.225.68.106:32349/api/v1/config -kv --cert <cert file> --key <key file>
* About to connect() to 10.225.68.106 port 32349 (#0)
*   Trying 10.225.68.106...
* Connected to 10.225.68.106 (10.225.68.106) port 32349 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate from file
*       subject: ...
*       start date: Mar 29 07:10:42 2018 GMT
*       expire date: Mar 26 07:10:42 2028 GMT
*       common name: ...
*       issuer: ...
* NSS error -5938 (PR_END_OF_FILE_ERROR)
* Encountered end of file
* Closing connection 0
curl: (35) Encountered end of file

I have gone through the discussion here. Is Ingress the only solution? Furthermore, I am curious to know how and why NodePort is not able to handle http/2 TLS traffic.
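Added diagnostic, not part of the question or any answer to it: since a NodePort is plain TCP forwarding by kube-proxy with no TLS termination, whatever the client sees during the handshake comes from the backend itself, so a probe that dials the node IP and NodePort the way curl does here (verification skipped, ALPN offering h2 then http/1.1) separates "the TLS layer never completes" from "TLS completes but the backend did not pick h2". ProbeTLS and StubBackend are assumed names; the stub backend with its self-signed certificate is constructed for the demo and says nothing about the real cause in this case.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// ProbeTLS dials addr (node IP plus NodePort), offers ALPN h2 and http/1.1 and
// returns what the backend negotiated ("" if it ignores ALPN). Verification is
// skipped, as with curl -k; an error means the handshake itself did not finish.
func ProbeTLS(addr string) (string, error) {
	cfg := &tls.Config{NextProtos: []string{"h2", "http/1.1"}, InsecureSkipVerify: true}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return conn.ConnectionState().NegotiatedProtocol, nil
}

// StubBackend stands in for the pod: a TLS listener on 127.0.0.1 with the given
// ALPN list and a constructed self-signed cert (demo only); it serves one handshake.
func StubBackend(protos []string) (string, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return "", err
	}
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}, NextProtos: protos})
	if err != nil {
		return "", err
	}
	go func() { // complete one handshake, then hang up like a real backend would
		if c, err := ln.Accept(); err == nil { c.(*tls.Conn).Handshake(); c.Close() }
	}()
	return ln.Addr().String(), nil
}
```

Run ProbeTLS against `<node-ip>:32349`: a protocol name means the TLS layer through the NodePort is fine and only ALPN is in question, while an error points at the backend's handshake handling.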

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow