crypto/tls: remove the tls10server GODEBUG setting

Updates #75316

Change-Id: I43e7311777fb79b9486a05c8e8d3a42e6a6a6964
Reviewed-on: https://go-review.googlesource.com/c/go/+/777383
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: David Chase <drchase@google.com>
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

doc/godebug.md

@@ -164,6 +164,8 @@ Go 1.27 removed the `tlsrsakex` setting, as noted in the [Go 1.22](#go-122) sect
 
 Go 1.27 removed the `tls3des` setting, as noted in the [Go 1.23](#go-123) section.
 
+Go 1.27 removed the `tls10server` setting, as noted in the [Go 1.22](#go-122) section.
+
 Go 1.27 added a new `htmlmetacontenturlescape` setting that controls whether
 html/template will escape URLs in the `url=` portion of the content attribute of
 HTML meta tags. The default `htmlmetacontentescape=1` will cause URLs to be

src/crypto/tls/common.go

@@ -788,9 +788,6 @@ type Config struct {
 	//
 	// By default, TLS 1.2 is currently used as the minimum. TLS 1.0 is the
 	// minimum supported by this package.
-	//
-	// The server-side default can be reverted to TLS 1.0 by including the value
-	// "tls10server=1" in the GODEBUG environment variable.
 	MinVersion uint16
 
 	// MaxVersion contains the maximum TLS version that is acceptable.
@@ -1219,8 +1216,6 @@ var supportedVersions = []uint16{
 const roleClient = true
 const roleServer = false
 
-var tls10server = godebug.New("tls10server")
-
 // supportedVersions returns the list of supported TLS versions, sorted from
 // highest to lowest (and hence also in preference order).
 func (c *Config) supportedVersions(isClient bool) []uint16 {
@@ -1230,9 +1225,7 @@ func (c *Config) supportedVersions(isClient bool) []uint16 {
 			continue
 		}
 		if (c == nil || c.MinVersion == 0) && v < VersionTLS12 {
-			if isClient || tls10server.Value() != "1" {
-				continue
-			}
+			continue
 		}
 		if isClient && c.EncryptedClientHelloConfigList != nil && v < VersionTLS13 {
 			continue

src/crypto/tls/handshake_server.go

@@ -209,11 +209,6 @@ func (c *Conn) readClientHello(ctx context.Context) (*clientHelloMsg, *echServer
 		return nil, nil, errors.New("tls: Encrypted Client Hello cannot be used pre-TLS 1.3")
 	}
 
-	if c.config.MinVersion == 0 && c.vers < VersionTLS12 {
-		tls10server.Value() // ensure godebug is initialized
-		tls10server.IncNonDefault()
-	}
-
 	return clientHello, ech, nil
 }
 

src/internal/godebugs/table.go

@@ -60,7 +60,6 @@ var All = []Info{
 	{Name: "randseednop", Package: "math/rand", Changed: 24, Old: "0"},
 	{Name: "rsa1024min", Package: "crypto/rsa", Changed: 24, Old: "0"},
 	{Name: "tarinsecurepath", Package: "archive/tar"},
-	{Name: "tls10server", Package: "crypto/tls", Changed: 22, Old: "1"},
 	{Name: "tlsmaxrsasize", Package: "crypto/tls"},
 	{Name: "tlsmlkem", Package: "crypto/tls", Changed: 24, Old: "0", Opaque: true},
 	{Name: "tlssecpmlkem", Package: "crypto/tls", Changed: 26, Old: "0", Opaque: true},
@@ -99,6 +98,7 @@ var Removed = []RemovedInfo{
 	{Name: "tlsunsafeekm", Removed: 27}, // Old: "1"
 	{Name: "tlsrsakex", Removed: 27},    // Old: "1"
 	{Name: "tls3des", Removed: 27},      // Old: "1"
+	{Name: "tls10server", Removed: 27},  // Old: "1"
 }
 
 // Lookup returns the Info with the given name.

src/runtime/metrics/doc.go

@@ -377,10 +377,6 @@ Below is the full list of supported metrics, ordered lexicographically.
 		package due to a non-default GODEBUG=tarinsecurepath=...
 		setting.
 
-	/godebug/non-default-behavior/tls10server:events
-		The number of non-default behaviors executed by the crypto/tls
-		package due to a non-default GODEBUG=tls10server=... setting.
-
 	/godebug/non-default-behavior/tlsmaxrsasize:events
 		The number of non-default behaviors executed by the crypto/tls
 		package due to a non-default GODEBUG=tlsmaxrsasize=... setting.