Proposal Details
The crypto/tls package requires tls.Config.MinVersion >= VersionTLS13 for QUIC connections to enforce RFC 9001's TLS 1.3 requirement.
This forces QUIC implementations and users to clone the tls.Config when sharing it between TCP (which may allow TLS 1.2+) and QUIC. Cloning adds overhead and is problematic after changes to Config.Clone (see #77113) and other QUIC workarounds (see #77363).
A common use case is a dual-stack HTTP server supporting HTTP/2 (TLS 1.2+) and HTTP/3 (TLS 1.3 only) with a single shared tls.Config where MinVersion = VersionTLS12.
Proposal
Remove the explicit MinVersion check for QUIC. When a tls.Config is used in QUIC context, internally clamp the effective minimum to VersionTLS13 while preserving the original value for non-QUIC use.
This would:
- Remove a major reason to clone tls.Config for QUIC.
- Simplify dual-stack server configurations.
- Leave QUIC-only Configs unaffected.
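
The following Go code is an added example, not code from this issue or from crypto/tls. It models the clamp proposed above next to the clone workaround that a shared dual-stack config needs today. The helper names `effectiveMinVersion` and `quicConfigToday` are hypothetical, and rejecting a MaxVersion below TLS 1.3 is an assumption about how the conflicting case would be handled.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
)

// effectiveMinVersion models the proposed clamp: in a QUIC context the minimum
// is raised to TLS 1.3, and cfg itself is never modified.
// Hypothetical helper, not a crypto/tls function.
func effectiveMinVersion(cfg *tls.Config, quic bool) (uint16, error) {
	minVer := cfg.MinVersion
	if !quic {
		return minVer, nil // 0 keeps the package default for TCP
	}
	// Assumption: a cap below TLS 1.3 leaves no version usable for QUIC.
	if cfg.MaxVersion != 0 && cfg.MaxVersion < tls.VersionTLS13 {
		return 0, errors.New("MaxVersion below TLS 1.3 cannot be used for QUIC")
	}
	if minVer < tls.VersionTLS13 {
		minVer = tls.VersionTLS13
	}
	return minVer, nil
}

// quicConfigToday is the workaround the proposal wants to remove: the shared
// config is cloned whenever its MinVersion is too low for QUIC.
func quicConfigToday(shared *tls.Config) (*tls.Config, error) {
	minVer, err := effectiveMinVersion(shared, true)
	if err != nil {
		return nil, err
	}
	if shared.MinVersion == minVer {
		return shared, nil // already QUIC-only, no clone needed
	}
	c := shared.Clone()
	c.MinVersion = minVer
	return c, nil
}

func main() {
	// Constructed input: the dual-stack config described in the issue.
	shared := &tls.Config{MinVersion: tls.VersionTLS12}
	q, _ := quicConfigToday(shared)
	fmt.Printf("TCP min %#x, QUIC min %#x, cloned %v\n",
		shared.MinVersion, q.MinVersion, q != shared)
}
```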