net/http: ListenAndServeTLS closing connection to IE10 and IE11 when only TLSv1.0 is permitted

[kmckelvin]

What version of Go are you using (go version)?

go version go1.7.1 linux/amd64

This also occurred on go1.6.1.

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/kevin/go"
GORACE=""
GOROOT="/usr/local/go"
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build495107859=/tmp/go-build -gno-record-gcc-switches"
CXX="g++"
CGO_ENABLED="1"

What did you do?

A Go executable serving on port 443 using

http.ListenAndServeTLS(":443", sslConfig.CertFilePath, sslConfig.KeyFilePath, handler)

We haven't made any specific TLS changes.

What did you expect to see?

When making a HTTPS request to the running server it should have responded with the 200 OK response.

What did you see instead?

When connecting from a Windows machine with SSL 2.0, SSL 3.0 and TLS 1.0 enabled as follows -

IE10+ fails to connect to the server over HTTPS

I've noticed that Caddy-based servers have the same problem. TLS1.0 shows as enabled when analyzing our SSL config through ssllabs.com

• Disabling SSL 2.0 and SSL 3.0 in Windows settings, so that only TLS1.0 is enabled, works.
• Enabling any later version of TLS (1.1 or 1.2) alongside SSLv2 and SSLv3 works.

It's just this one config set that seems to have a problem connecting to Go's HTTP stack (it has no problem connecting to an equivalently configured nginx instance for example, over TLS1.0).

(Yes it's crazy to have TLS1.1 and 1.2 disabled, but corporates be corporates and I can't fix their security policies)

[bradfitz]

Are you using HTTP/2?

If so, HTTP/2 requires TLS 1.2 (http://httpwg.org/specs/rfc7540.html#rfc.section.9.2).

The only thing I can think of is that you're getting into the HTTP/2 path and it's rejecting it there.

But please collect more logs. What does Go say? Any error logs reported?

[kmckelvin]

@bradfitz yes we're using HTTP/2, but we haven't done anything to disable HTTP/1.1, and it works when only TLS1.1 is enabled instead of TLS 1.0.

I'm picking this up from the logs

2016/09/29 17:34:37 http: TLS handshake error from 10.142.0.3:53817: tls: unsupported SSLv2 handshake received
2016/09/29 17:34:37 http: TLS handshake error from 10.142.0.2:53818: tls: unsupported SSLv2 handshake received
2016/09/29 17:34:37 http: TLS handshake error from 10.142.0.3:53819: tls: unsupported SSLv2 handshake received
2016/09/29 17:34:37 http: TLS handshake error from 10.12.5.1:53820: tls: unsupported SSLv2 handshake received
2016/09/29 17:34:37 http: TLS handshake error from 10.142.0.4:53821: tls: unsupported SSLv2 handshake received
2016/09/29 17:34:37 http: TLS handshake error from 10.142.0.2:53822: tls: unsupported SSLv2 handshake received

[bradfitz]

Oh, this is a dup of #3930 and #3677.

Sorry, this isn't going to be fixed. See decision in https://golang.org/cl/20094 and #3930