net/http: http.Client starts returning errors when tls.Config is shared

[ioan994]

Go version

go version go1.24.2 darwin/amd64

Output of go env in your module/workspace:

AR='ar'
CC='clang'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='clang++'
GCCGO='gccgo'
GO111MODULE='on'
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/Users/ipetrenko/Library/Caches/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/Users/ipetrenko/Library/Application Support/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -arch x86_64 -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/ml/f6gwv9sn1s91hbj0fzqkswy40000gn/T/go-build2838209554=/tmp/go-build -gno-record-gcc-switches -fno-common'
GOHOSTARCH='amd64'
GOHOSTOS='darwin'
GOINSECURE=''
GOMOD='/Users/ipetrenko/test/client/go.mod'
GOMODCACHE='/Users/ipetrenko/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='darwin'
GOPATH='/Users/ipetrenko/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/Users/ipetrenko/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.24.2.darwin-amd64'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/Users/ipetrenko/Library/Application Support/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/Users/ipetrenko/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.24.2.darwin-amd64/pkg/tool/darwin_amd64'
GOVCS=''
GOVERSION='go1.24.2'
GOWORK=''
PKG_CONFIG='pkg-config'

What did you do?

Please take a look and run the test snippet below.

import (
	"crypto/tls"
	"net/http"
	"testing"
)

func TestClient(t *testing.T) {
	config := tls.Config{InsecureSkipVerify: true}

	transport1 := &http.Transport{
		TLSClientConfig: &config,
	}
	client1 := &http.Client{Transport: transport1}
	_, err1 := client1.Get("https://www.google.com")
	if err1 != nil {
		t.Error(err1)
	}

	transport2 := &http.Transport{
		ForceAttemptHTTP2: true,
		TLSClientConfig:   &config,
	}
	client2 := &http.Client{Transport: transport2}
	_, err2 := client2.Get("https://www.google.com")
	if err2 != nil {
		t.Error(err2)
	}

	_, err3 := client1.Get("https://www.google.com")
	if err3 != nil {
		t.Error(err3)
	}
}

I created a singe tls.Config object that is shared in two different http.Transport objects. According to the following comment from the crypto/tls/common.go file, config explicitly allows its reuse:

// A Config structure is used to configure a TLS client or server.
// After one has been passed to a TLS function it must not be
// modified. A Config may be reused; the tls package will also not
// modify it.
type Config struct {

One of the transport objects has ForceAttemptHTTP2 field set to true. I use those two http.Transport objects to create two http.Client objects and perform a Get request to www.google.com.

What did you see happen?

First, and second requests succeed. The third request attempt _, err3 := client1.Get("https://www.google.com") errors out and causes the test to fail. It appears that using the client2 to perform a Get request leads to some changes to the tls.Config struct, which breaks the client1 for some reason.

This behaviour is unexpected, because tls.Config documentation promotes sharing of the config object.

What did you expect to see?

I expect all requests to succeed, and test case not fail.

[gabyhelp]

Related Issues

• crypto/tls: should apply default NextProtos to the result of GetConfigForClient #70214
• net/http: Cloning a transport and disabling http2 makes requests fail. #50571 (closed)
• net/http/httptest: NewTLSServer doesn't support HTTP/2 requests #34939 (closed)
• net/http: potential client transport lock contention on high CPU core count machines #41238
• net/http/httptest: Server.Close mutates http.DefaultTransport #65796 (closed)
• net/http: HTTP/2 with MaxConnsPerHost hangs or crashes #34941 (closed)
• net/http: ConfigureTransport does not work for Transport with custom DialTLS #41236
• net/http: Transport.Clone breaks HTTP/2 #39302
• net/http/httptest: StartTLS() does not use `GetCertificate` if provided #73512 (closed)
• net/http: nil panic while doing (*Transport).Clone() #40565 (closed)

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[ioan994]

@seankhliao In my example example I'm not using Transport.Clone, nor am I trying to disable http2. I have two separate Transport objects that affect one another by modifying tls.Config object, breaking the promise that A Config may be reused; the tls package will also not modify it. My version of golang also has the following bugfix: https://go-review.googlesource.com/c/go/+/654875/4/src/net/http/server.go, the issue is still happening.

Can you elaborate how is this a duplicate?

[seankhliao]

Only the TLS package doesn't modify tls.Config, the same is not true of other packages such as net/http.
And you are disabling http2, through the use of a non default tls.Config.

[ioan994]

So what do I need to do in this case? I can call Config.Clone() every time when I create a Transport object, but it does only a shallow copy. There is no guarantee anywhere that this is going to be enough.

[christophberger]

@ioan994 I added two log statements to the client2 call:

	t.Logf("Initial Config: %+v", config)
	_, err2 := client2.Get("https://www.google.com")
	if err2 != nil {
		t.Error(err2)
	}
	t.Logf("After get: %+v", config)

The output differs in the NextProto field only:

Full output (spaces inserted by me):

{Rand:<nil> Time:<nil> Certificates:[] NameToCertificate:map[] GetCertificate:<nil> GetClientCertificate:<nil> GetConfigForClient:<nil> VerifyPeerCertificate:<nil> VerifyConnection:<nil> RootCAs:<nil> NextProtos:[]            ServerName: ClientAuth:NoClientCert ClientCAs:<nil> InsecureSkipVerify:true CipherSuites:[] PreferServerCipherSuites:false SessionTicketsDisabled:false SessionTicketKey:[0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0] ClientSessionCache:<nil> UnwrapSession:<nil> WrapSession:<nil> MinVersion:0 MaxVersion:0 CurvePreferences:[] DynamicRecordSizingDisabled:false Renegotiation:0 KeyLogWriter:<nil> EncryptedClientHelloConfigList:[] EncryptedClientHelloRejectionVerify:<nil> EncryptedClientHelloKeys:[] mutex:{w:{_:{} mu:{state:0 sema:0}} writerSem:0 readerSem:0 readerCount:{_:{} v:0} readerWait:{_:{} v:0}} sessionTicketKeys:[] autoSessionTicketKeys:[]}
{Rand:<nil> Time:<nil> Certificates:[] NameToCertificate:map[] GetCertificate:<nil> GetClientCertificate:<nil> GetConfigForClient:<nil> VerifyPeerCertificate:<nil> VerifyConnection:<nil> RootCAs:<nil> NextProtos:[h2 http/1.1] ServerName: ClientAuth:NoClientCert ClientCAs:<nil> InsecureSkipVerify:true CipherSuites:[] PreferServerCipherSuites:false SessionTicketsDisabled:false SessionTicketKey:[0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0] ClientSessionCache:<nil> UnwrapSession:<nil> WrapSession:<nil> MinVersion:0 MaxVersion:0 CurvePreferences:[] DynamicRecordSizingDisabled:false Renegotiation:0 KeyLogWriter:<nil> EncryptedClientHelloConfigList:[] EncryptedClientHelloRejectionVerify:<nil> EncryptedClientHelloKeys:[] mutex:{w:{_:{} mu:{state:0 sema:0}} writerSem:0 readerSem:0 readerCount:{_:{} v:0} readerWait:{_:{} v:0}} sessionTicketKeys:[] autoSessionTicketKeys:[]}

@seankhliao Seems like https://go-review.googlesource.com/c/go/+/677315 mentioned in #39302 would indeed be a fix for this issue...?