net/http and TLS; aborts connection from browser

<p>tl;dr: Has anyone run into a problem with Go net/http and TLS where browser connections abort but other clients are fine?</p> <p>I haven&#39;t dug into the root cause for this, but I was curious if anyone else has seen this behavior. I have a standard net/http server with organization-signed key and cert PEM files (and intermediate keys), set up to communicate over TLS only. It works reasonably well with browsers and a Citrix NetScaler -- except when it doesn&#39;t. I&#39;ll get as fewer than two (2) in 10,000 requests abort under normal conditions, with the occasional spike to 400 or more in 10,000 requests.</p> <p>The Go server is behind the NetScaler which provides a real certificate (signed by DigiCert, wildcard name) and proxies requests. TLS is used between the Go server and the NetScaler because of security requirements around the information transferred.</p> <p>When running with TLS in my development environment, I can get an &#34;Abort&#34; on an HTTPS connection within the first 250 (or so) requests from Firefox. When running with TLS in either my development environment or against the production server, and when I&#39;m using Python as my client, I get no errors with about 250,000 requests (parallel clients). When running without TLS in standard HTTP/1.1 mode, there are no errors with any client (Firefox or Python).</p> <p>The Go version is 1.7.5 Darwin and also 1.7.5 Linux. I&#39;ve experienced the error both with the default Go muxer and httprouter.</p> <p>For the curious, here&#39;s the function used to initialize the HTTP server with TLS:</p> <pre><code>func ListenAndServe(addr string, handler http.Handler) error { // get the read timeout: this keeps the HTTP server from hanging readTimeout := Config.GetDuration(&#34;server.timeout.read&#34;) // get the write timeout: this lets HTTP clients timeout if we don&#39;t reply in a timely manner writeTimeout := Config.GetDuration(&#34;server.timeout.write&#34;) // TLS configuration var tlsConfig *tls.Config var certFile, keyFile string isTls := Config.GetBool(&#34;server.tls&#34;) if isTls { certFile = Config.GetProperty(&#34;server.tls.cert&#34;) keyFile = Config.GetProperty(&#34;server.tls.key&#34;) insecureSkipVerify := Config.GetBool(&#34;server.tls.insecure.cert&#34;) cert, err := tls.LoadX509KeyPair(certFile, keyFile) if err != nil { os.Stderr.WriteString(&#34;FATAL: error building TLS configuration: &#34; + string(err.Error()) + &#34;\n&#34;) exit(2) } tlsConfig = &amp;tls.Config{ Certificates: []tls.Certificate{cert}, InsecureSkipVerify: insecureSkipVerify, } } // configure the server server := &amp;http.Server{ ReadTimeout: readTimeout * time.Second, WriteTimeout: writeTimeout * time.Second, Addr: addr, TLSConfig: tlsConfig, Handler: handler, } // serve with or without TLS, based on configuration if isTls { return server.ListenAndServeTLS(certFile, keyFile) } else { return server.ListenAndServe() } } </code></pre> <p><em>Edit: code formatting</em></p>