net/http: ListenAndServeTLS closing connection to IE10 and IE11 when only TLSv1.0 is permitted #17285
Comments
Are you using HTTP/2? If so, HTTP/2 requires TLS 1.2 (http://httpwg.org/specs/rfc7540.html#rfc.section.9.2). The only thing I can think of is that you're getting into the HTTP/2 path and it's rejecting it there. But please collect more logs. What does Go say? Any error logs reported?
@bradfitz yes we're using HTTP/2, but we haven't done anything to disable HTTP/1.1, and it works when only TLS1.1 is enabled instead of TLS 1.0. I'm picking this up from the logs
Oh, this is a dup of #3930 and #3677. Sorry, this isn't going to be fixed. See decision in https://golang.org/cl/20094 and #3930
What version of Go are you using (go version)?
go version go1.7.1 linux/amd64
This also occurred on go1.6.1.
What operating system and processor architecture are you using (go env)?
GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/kevin/go"
GORACE=""
GOROOT="/usr/local/go"
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build495107859=/tmp/go-build -gno-record-gcc-switches"
CXX="g++"
CGO_ENABLED="1"
What did you do?
A Go executable serving on port 443 using
We haven't made any specific TLS changes.
What did you expect to see?
When making an HTTPS request to the running server it should have responded with the 200 OK response.
What did you see instead?
When connecting from a Windows machine with SSL 2.0, SSL 3.0 and TLS 1.0 enabled as follows -

IE10+ fails to connect to the server over HTTPS

I've noticed that Caddy-based servers have the same problem. TLS1.0 shows as enabled when analyzing our SSL config through ssllabs.com.
It's just this one config set that seems to have a problem connecting to Go's HTTP stack (it has no problem connecting to an equivalently configured nginx instance for example, over TLS1.0).
(Yes it's crazy to have TLS1.1 and 1.2 disabled, but corporates be corporates and I can't fix their security policies)
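
To collect the handshake detail asked for in the thread, a server can log what each ClientHello offers and check it against the server's minimum version and the HTTP/2 rule in RFC 7540 section 9.2. This is an added example, not code from the issue or from the Go project; it assumes Go 1.8 or later (for GetConfigForClient and the SupportedVersions field), and the helper names offer, diagnose and withHelloLog are hypothetical.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"log"
)

// offer returns the highest version in the hello and whether ALPN lists h2.
func offer(h *tls.ClientHelloInfo) (top uint16, h2 bool) {
	for _, v := range h.SupportedVersions {
		if v > top {
			top = v
		}
	}
	for _, p := range h.SupportedProtos {
		h2 = h2 || p == "h2"
	}
	return top, h2
}

// diagnose names the first reason this hello could fail when the server's minimum is serverMin.
func diagnose(h *tls.ClientHelloInfo, serverMin uint16) string {
	top, h2 := offer(h)
	switch {
	case top < serverMin:
		return fmt.Sprintf("client max 0x%04x is below server minimum 0x%04x", top, serverMin)
	case h2 && top < tls.VersionTLS12:
		return "h2 offered below TLS 1.2, which RFC 7540 section 9.2 forbids"
	}
	return fmt.Sprintf("max 0x%04x, h2=%t, %d suites: version and ALPN look compatible", top, h2, len(h.CipherSuites))
}

// withHelloLog returns a copy of base that logs a diagnosis for every hello.
func withHelloLog(base *tls.Config, logf func(string, ...interface{})) *tls.Config {
	cfg := base.Clone()
	cfg.GetConfigForClient = func(h *tls.ClientHelloInfo) (*tls.Config, error) {
		logf("tls hello sni=%q: %s", h.ServerName, diagnose(h, base.MinVersion))
		return nil, nil // nil keeps cfg itself for the handshake
	}
	return cfg
}

func main() {
	// Constructed hello: a client limited to TLS 1.0 that sends no ALPN.
	h := &tls.ClientHelloInfo{SupportedVersions: []uint16{tls.VersionTLS10}, CipherSuites: []uint16{tls.TLS_RSA_WITH_AES_128_CBC_SHA}}
	cfg := withHelloLog(&tls.Config{MinVersion: tls.VersionTLS10}, log.Printf)
	cfg.GetConfigForClient(h)
}
```

Assign the result of withHelloLog to http.Server.TLSConfig before calling ListenAndServeTLS; handshake errors themselves are written to http.Server.ErrorLog.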