From 171fcf6b79f8f43db9eebd2ddbe030f7100d3eb9 Mon Sep 17 00:00:00 2001
From: Darren Shepherd <darren@rancher.com>
Date: Wed, 18 Mar 2020 23:16:11 -0700
Subject: [PATCH] If connection closing is enabled then don't support HTTP/2

---
 listener.go | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/listener.go b/listener.go
index 27b0c5b..2d61de4 100644
--- a/listener.go
+++ b/listener.go
@@ -61,6 +61,9 @@ func NewListener(l net.Listener, storage TLSStorage, caCert *x509.Certificate, c
 	dynamicListener.tlsConfig.GetCertificate = dynamicListener.getCertificate
 
 	if config.CloseConnOnCertChange {
+		if len(dynamicListener.tlsConfig.Certificates) == 0 {
+			dynamicListener.tlsConfig.NextProtos = []string{"http/1.1"}
+		}
 		dynamicListener.conns = map[int]*closeWrapper{}
 	}
 
@@ -284,14 +287,13 @@ func (l *listener) updateCert(cn ...string) error {
 		}
 		// clear version to force cert reload
 		l.version = ""
-	}
-
-	if l.conns != nil {
-		l.connLock.Lock()
-		for _, conn := range l.conns {
-			_ = conn.close()
+		if l.conns != nil {
+			l.connLock.Lock()
+			for _, conn := range l.conns {
+				_ = conn.close()
+			}
+			l.connLock.Unlock()
 		}
-		l.connLock.Unlock()
 	}
 
 	return nil