crypto/tls: don't send NPN extension if NextProtos is not set.

This isn't clearly a bug on Go's part, but it triggers a bug in Firefox
which means that crypto/tls and net/http cannot be wired up together
unless NextProtos includes "http/1.1". When net/http sets up the
tls.Config, it does this and so works fine. But anyone setting up the
tls.Config themselves will hit the Firefox bug.

Fixes #5445.

R=golang-dev, bradfitz, r
CC=golang-dev
https://golang.org/cl/9539045

diff --git a/src/pkg/crypto/tls/handshake_server.go b/src/pkg/crypto/tls/handshake_server.go
index 823730c605c00eff5c96dffaf380834d208dc837..6c40489b53592cef4d371846ddf33ec6ced5efd5 100644 (file)
--- a/src/pkg/crypto/tls/handshake_server.go
+++ b/src/pkg/crypto/tls/handshake_server.go
@@ -156,7 +156,11 @@ Curves:
        if len(hs.clientHello.serverName) > 0 {
                c.serverName = hs.clientHello.serverName
        }
-       if hs.clientHello.nextProtoNeg {
+       // Although sending an empty NPN extension is reasonable, Firefox has
+       // had a bug around this. Best to send nothing at all if
+       // config.NextProtos is empty. See
+       // https://code.google.com/p/go/issues/detail?id=5445.
+       if hs.clientHello.nextProtoNeg && len(config.NextProtos) > 0 {
                hs.hello.nextProtoNeg = true
                hs.hello.nextProtos = config.NextProtos
        }