Go version
go version go1.24.2
Output of go env in your module/workspace:
```
AR='ar'
CC='gcc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='g++'
GCCGO='gccgo'
GO111MODULE=''
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/usr/local/google/home/anishshah/.cache/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/usr/local/google/home/anishshah/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build2073030948=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/dev/null'
GOMODCACHE='/usr/local/google/home/anishshah/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/usr/local/google/home/anishshah/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/lib/go-1.24'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/usr/local/google/home/anishshah/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/lib/go-1.24/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.24.2'
GOWORK=''
PKG_CONFIG='pkg-config'
```
What did you do?
The repro script was executed on GCE Windows VMs, specifically LTSC2019 and LTSC2022 versions, configured with private IP addresses only.
```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"time"
)

func DefaultHTTPTransport() *http.Transport {
	return &http.Transport{
		Proxy: http.ProxyFromEnvironment,
		DialContext: (&net.Dialer{
			Timeout:       30 * time.Second,
			KeepAlive:     30 * time.Second,
			FallbackDelay: 300 * time.Millisecond,
		}).DialContext,
		MaxIdleConns:          10,
		IdleConnTimeout:       30 * time.Second,
		TLSHandshakeTimeout:   10 * time.Second,
		TLSClientConfig:       nil,
		ExpectContinueTimeout: 5 * time.Second,
	}
}

// sendHeadRequest sends a HEAD request to the given URL using the provided http.RoundTripper.
// It returns the HTTP response and an error if one occurred.
func sendHeadRequest(transport http.RoundTripper, url string) (*http.Response, error) {
	// Create an http.Client that uses the provided transport.
	client := &http.Client{
		Transport: transport,
	}
	// Create a new HEAD request.
	req, err := http.NewRequest(http.MethodHead, url, nil)
	if err != nil {
		return nil, fmt.Errorf("failed to create HEAD request: %w", err)
	}
	// Send the request using the client.
	resp, err := client.Do(req)
	if err != nil {
		return nil, fmt.Errorf("failed to send HEAD request: %w", err)
	}
	return resp, nil
}

func main() {
	fmt.Println("--- Using Default Transport ---")
	resp, err := sendHeadRequest(DefaultHTTPTransport(), "https://us-central1-artifactregistry.gcr.io/v2/gke-release-staging/gke-release-staging/csi-node-driver-registrar/manifests/sha256:1676e429022dca0bf2b54c0a18dc27e12ba01a49124ad72e86fd1a16aede024b")
	if err != nil {
		fmt.Printf("Error with default transport: %v\n", err)
	} else {
		fmt.Printf("Default Transport Status: %s\n", resp.Status)
		resp.Body.Close() // Always close the response body
	}
}
```
What did you see happen?
On Windows LTSC2019: The script consistently fails with TLS handshake timeout
On Windows LTSC2022: The script outputs 401 Unauthorized (expected)
What did you expect to see?
On Windows LTSC2019, I expected successful TLS handshake and output 401 Unauthorized.
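To see which stage consumes the time in a failure like the one reported above, a request can be traced with `net/http/httptrace`. The following is an added example, not code from the issue thread or the Go project; `probe` and `probeLocal` are hypothetical names, and the in-process TLS server is constructed to stand in for the registry endpoint so the block runs offline.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httptrace"
	"sync"
	"time"
)

// probe (hypothetical helper) times TCP connect and the TLS handshake of one HEAD request.
func probe(tr *http.Transport, url string) (connect, handshake time.Duration, status int, err error) {
	var mu sync.Mutex // trace hooks can fire on dialer goroutines
	var t0, t1 time.Time
	var c, h time.Duration
	trace := &httptrace.ClientTrace{
		ConnectStart:      func(_, _ string) { mu.Lock(); t0 = time.Now(); mu.Unlock() },
		ConnectDone:       func(_, _ string, _ error) { mu.Lock(); c = time.Since(t0); mu.Unlock() },
		TLSHandshakeStart: func() { mu.Lock(); t1 = time.Now(); mu.Unlock() },
		TLSHandshakeDone:  func(tls.ConnectionState, error) { mu.Lock(); h = time.Since(t1); mu.Unlock() },
	}
	req, err := http.NewRequest(http.MethodHead, url, nil)
	if err != nil {
		return 0, 0, 0, err
	}
	resp, err := (&http.Client{Transport: tr}).Do(req.WithContext(httptrace.WithClientTrace(req.Context(), trace)))
	if err == nil {
		status = resp.StatusCode
		resp.Body.Close()
	}
	mu.Lock()
	defer mu.Unlock()
	return c, h, status, err // on failure the timings still show which stage used the time
}

// probeLocal runs probe against a constructed local TLS server that answers 401.
func probeLocal() (connect, handshake time.Duration, status int, err error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusUnauthorized)
	}))
	defer srv.Close()
	return probe(srv.Client().Transport.(*http.Transport), srv.URL)
}

func main() {
	fmt.Println(probeLocal())
}
```

Calling `probe(DefaultHTTPTransport(), url)` with the repro's transport and URL on the affected VM gives the same breakdown: a short connect time followed by a handshake time close to `TLSHandshakeTimeout` means TCP succeeded and the stall is inside the TLS exchange.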
Comment From: gabyhelp
Related Issues
- crypto/tls: TLS handshake timeout #44267 (closed)
- net/http: Get request hangs until timeout, but responds immediately over curl #61823 (closed)
- crypto/tls: handshake failure negotiating TLS 1.3 with JDK11 #37808 (closed)
- crypto/tls: TLS handshake swallows errors #14539 (closed)
- crypto/tls: https request, tls handshake failure in go1.22 #66512 (closed)
- crypto/tls: handleRenegotiation blocking forever #23470 (closed)
- crypto/tls: remote error: tls: handshake failure #46270 (closed)
- net/http: TLS handshake timeout #71124 (closed)
Comment From: dmitshur
Thanks for the report. So the problem happens with the same Go program in an older Windows LTSC and doesn't happen in a newer Windows LTSC. Is the crypto/tls implementation in Go doing something differently depending on the version of Windows?
CC @golang/windows, @golang/security.
Comment From: AnishShah
It works on:
- Windows LTSC2019 with public IP
- Windows LTSC2022 with private or public IP
It does not work on:
- Windows LTSC2019 with private IP