What version of Go are you using (go version)?

$ go version
go version go1.12.9 darwin/amd64

Does this issue reproduce with the latest release?

Yes. 1.12.9 is the latest release now.

What did you do? - Test code

Here is very simple HTTPS server code. You can choose &tls.Config{} or &tls.Config{MinVersion: tls.VersionTLS10} by the comment.

// main.go
package main

import (
	"crypto/tls"
	"fmt"
	"log"
	"net/http"
)

func main() {
	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, _ = fmt.Fprintln(w, "<h1>hello, world</h1>")
	})

	// Start HTTP server
	fmt.Println("Listening...")

	// TLS config
	// NOTE: Switch by comment
	tlsConfig := &tls.Config{}
	//tlsConfig := &tls.Config{MinVersion: tls.VersionTLS10}

	server := &http.Server{Addr: ":8443", Handler: handler, TLSConfig: tlsConfig}
	// Start HTTPS server
	if err := server.ListenAndServeTLS("./ssl_certs/server.crt", "./ssl_certs/server.key"); err != nil {
		log.Fatal(err.Error())
	}
}

Run

go run main.go

What did you expect to see? & What did you see instead?

Testing

I use the following command to confirm whether SSLv3 is supported or not.

openssl s_client -connect localhost:8443 -ssl3

When using &tls.Config{}, SSLv3 is NOT rejected.
When using &tls.Config{MinVersion: tls.VersionTLS10}, SSLv3 is rejected and the server emits "http: TLS handshake error from 127.0.0.1:65528: tls: client offered only unsupported versions: [300]", which is my expectation.

I expect both &tls.Config{} and &tls.Config{MinVersion: tls.VersionTLS10} cases reject SSLv3, but that was not true. The official document says "If zero, then TLS 1.0 is taken as the minimum" like the following.

Document

// MinVersion contains the minimum SSL/TLS version that is acceptable.
// If zero, then TLS 1.0 is taken as the minimum.
MinVersion uint16

from: tls - The Go Programming Language

In the document, MinVersion should be TLS 1.0, so I think it rejects SSLv3. However, the server allows SSLv3.