]> Cypherpunks.ru repositories - gostls13.git/blobdiff - src/net/http/client_test.go
crypto/tls: remove RSA KEX ciphers from the default list
[gostls13.git] / src / net / http / client_test.go
index 7dfd078a4189930fc55552c48a88036cb5d9be23..7459b9cb6ed1df3a42d4ed54a54abc8748b3dffd 100644 (file)
@@ -10,12 +10,11 @@ import (
        "bytes"
        "context"
        "crypto/tls"
-       "crypto/x509"
        "encoding/base64"
        "errors"
        "fmt"
+       "internal/testenv"
        "io"
-       "io/ioutil"
        "log"
        "net"
        . "net/http"
@@ -23,9 +22,11 @@ import (
        "net/http/httptest"
        "net/url"
        "reflect"
+       "runtime"
        "strconv"
        "strings"
        "sync"
+       "sync/atomic"
        "testing"
        "time"
 )
@@ -35,7 +36,7 @@ var robotsTxtHandler = HandlerFunc(func(w ResponseWriter, r *Request) {
        fmt.Fprintf(w, "User-agent: go\nDisallow: /something/")
 })
 
-// pedanticReadAll works like ioutil.ReadAll but additionally
+// pedanticReadAll works like io.ReadAll but additionally
 // verifies that r obeys the documented io.Reader contract.
 func pedanticReadAll(r io.Reader) (b []byte, err error) {
        var bufa [64]byte
@@ -59,19 +60,12 @@ func pedanticReadAll(r io.Reader) (b []byte, err error) {
        }
 }
 
-type chanWriter chan string
+func TestClient(t *testing.T) { run(t, testClient) }
+func testClient(t *testing.T, mode testMode) {
+       ts := newClientServerTest(t, mode, robotsTxtHandler).ts
 
-func (w chanWriter) Write(p []byte) (n int, err error) {
-       w <- string(p)
-       return len(p), nil
-}
-
-func TestClient(t *testing.T) {
-       defer afterTest(t)
-       ts := httptest.NewServer(robotsTxtHandler)
-       defer ts.Close()
-
-       r, err := Get(ts.URL)
+       c := ts.Client()
+       r, err := c.Get(ts.URL)
        var b []byte
        if err == nil {
                b, err = pedanticReadAll(r.Body)
@@ -84,14 +78,9 @@ func TestClient(t *testing.T) {
        }
 }
 
-func TestClientHead_h1(t *testing.T) { testClientHead(t, h1Mode) }
-func TestClientHead_h2(t *testing.T) { testClientHead(t, h2Mode) }
-
-func testClientHead(t *testing.T, h2 bool) {
-       defer afterTest(t)
-       cst := newClientServerTest(t, h2, robotsTxtHandler)
-       defer cst.close()
-
+func TestClientHead(t *testing.T) { run(t, testClientHead) }
+func testClientHead(t *testing.T, mode testMode) {
+       cst := newClientServerTest(t, mode, robotsTxtHandler)
        r, err := cst.c.Head(cst.ts.URL)
        if err != nil {
                t.Fatal(err)
@@ -111,6 +100,7 @@ func (t *recordingTransport) RoundTrip(req *Request) (resp *Response, err error)
 }
 
 func TestGetRequestFormat(t *testing.T) {
+       setParallel(t)
        defer afterTest(t)
        tr := &recordingTransport{}
        client := &Client{Transport: tr}
@@ -187,7 +177,7 @@ func TestPostFormRequestFormat(t *testing.T) {
        if g, e := tr.req.ContentLength, int64(len(expectedBody)); g != e {
                t.Errorf("got ContentLength %d, want %d", g, e)
        }
-       bodyb, err := ioutil.ReadAll(tr.req.Body)
+       bodyb, err := io.ReadAll(tr.req.Body)
        if err != nil {
                t.Fatalf("ReadAll on req.Body: %v", err)
        }
@@ -196,11 +186,10 @@ func TestPostFormRequestFormat(t *testing.T) {
        }
 }
 
-func TestClientRedirects(t *testing.T) {
-       setParallel(t)
-       defer afterTest(t)
+func TestClientRedirects(t *testing.T) { run(t, testClientRedirects) }
+func testClientRedirects(t *testing.T, mode testMode) {
        var ts *httptest.Server
-       ts = httptest.NewServer(HandlerFunc(func(w ResponseWriter, r *Request) {
+       ts = newClientServerTest(t, mode, HandlerFunc(func(w ResponseWriter, r *Request) {
                n, _ := strconv.Atoi(r.FormValue("n"))
                // Test Referer header. (7 is arbitrary position to test at)
                if n == 7 {
@@ -213,54 +202,53 @@ func TestClientRedirects(t *testing.T) {
                        return
                }
                fmt.Fprintf(w, "n=%d", n)
-       }))
-       defer ts.Close()
+       })).ts
 
-       c := &Client{}
+       c := ts.Client()
        _, err := c.Get(ts.URL)
-       if e, g := "Get /?n=10: stopped after 10 redirects", fmt.Sprintf("%v", err); e != g {
+       if e, g := `Get "/?n=10": stopped after 10 redirects`, fmt.Sprintf("%v", err); e != g {
                t.Errorf("with default client Get, expected error %q, got %q", e, g)
        }
 
        // HEAD request should also have the ability to follow redirects.
        _, err = c.Head(ts.URL)
-       if e, g := "Head /?n=10: stopped after 10 redirects", fmt.Sprintf("%v", err); e != g {
+       if e, g := `Head "/?n=10": stopped after 10 redirects`, fmt.Sprintf("%v", err); e != g {
                t.Errorf("with default client Head, expected error %q, got %q", e, g)
        }
 
        // Do should also follow redirects.
        greq, _ := NewRequest("GET", ts.URL, nil)
        _, err = c.Do(greq)
-       if e, g := "Get /?n=10: stopped after 10 redirects", fmt.Sprintf("%v", err); e != g {
+       if e, g := `Get "/?n=10": stopped after 10 redirects`, fmt.Sprintf("%v", err); e != g {
                t.Errorf("with default client Do, expected error %q, got %q", e, g)
        }
 
        // Requests with an empty Method should also redirect (Issue 12705)
        greq.Method = ""
        _, err = c.Do(greq)
-       if e, g := "Get /?n=10: stopped after 10 redirects", fmt.Sprintf("%v", err); e != g {
+       if e, g := `Get "/?n=10": stopped after 10 redirects`, fmt.Sprintf("%v", err); e != g {
                t.Errorf("with default client Do and empty Method, expected error %q, got %q", e, g)
        }
 
        var checkErr error
        var lastVia []*Request
        var lastReq *Request
-       c = &Client{CheckRedirect: func(req *Request, via []*Request) error {
+       c.CheckRedirect = func(req *Request, via []*Request) error {
                lastReq = req
                lastVia = via
                return checkErr
-       }}
+       }
        res, err := c.Get(ts.URL)
        if err != nil {
                t.Fatalf("Get error: %v", err)
        }
        res.Body.Close()
-       finalUrl := res.Request.URL.String()
+       finalURL := res.Request.URL.String()
        if e, g := "<nil>", fmt.Sprintf("%v", err); e != g {
                t.Errorf("with custom client, expected error %q, got %q", e, g)
        }
-       if !strings.HasSuffix(finalUrl, "/?n=15") {
-               t.Errorf("expected final url to end in /?n=15; got url %q", finalUrl)
+       if !strings.HasSuffix(finalURL, "/?n=15") {
+               t.Errorf("expected final url to end in /?n=15; got url %q", finalURL)
        }
        if e, g := 15, len(lastVia); e != g {
                t.Errorf("expected lastVia to have contained %d elements; got %d", e, g)
@@ -294,24 +282,25 @@ func TestClientRedirects(t *testing.T) {
        }
 }
 
-func TestClientRedirectContext(t *testing.T) {
-       setParallel(t)
-       defer afterTest(t)
-       ts := httptest.NewServer(HandlerFunc(func(w ResponseWriter, r *Request) {
+// Tests that Client redirects' contexts are derived from the original request's context.
+func TestClientRedirectsContext(t *testing.T) { run(t, testClientRedirectsContext) }
+func testClientRedirectsContext(t *testing.T, mode testMode) {
+       ts := newClientServerTest(t, mode, HandlerFunc(func(w ResponseWriter, r *Request) {
                Redirect(w, r, "/", StatusTemporaryRedirect)
-       }))
-       defer ts.Close()
+       })).ts
 
        ctx, cancel := context.WithCancel(context.Background())
-       c := &Client{CheckRedirect: func(req *Request, via []*Request) error {
+       c := ts.Client()
+       c.CheckRedirect = func(req *Request, via []*Request) error {
                cancel()
-               if len(via) > 2 {
-                       return errors.New("too many redirects")
+               select {
+               case <-req.Context().Done():
+                       return nil
+               case <-time.After(5 * time.Second):
+                       return errors.New("redirected request's context never expired after root request canceled")
                }
-               return nil
-       }}
-       req, _ := NewRequest("GET", ts.URL, nil)
-       req = req.WithContext(ctx)
+       }
+       req, _ := NewRequestWithContext(ctx, "GET", ts.URL, nil)
        _, err := c.Do(req)
        ue, ok := err.(*url.Error)
        if !ok {
@@ -344,29 +333,31 @@ func TestPostRedirects(t *testing.T) {
        wantSegments := []string{
                `POST / "first"`,
                `POST /?code=301&next=302 "c301"`,
-               `GET /?code=302 "c301"`,
-               `GET / "c301"`,
+               `GET /?code=302 ""`,
+               `GET / ""`,
                `POST /?code=302&next=302 "c302"`,
-               `GET /?code=302 "c302"`,
-               `GET / "c302"`,
+               `GET /?code=302 ""`,
+               `GET / ""`,
                `POST /?code=303&next=301 "c303wc301"`,
-               `GET /?code=301 "c303wc301"`,
-               `GET / "c303wc301"`,
+               `GET /?code=301 ""`,
+               `GET / ""`,
                `POST /?code=304 "c304"`,
                `POST /?code=305 "c305"`,
                `POST /?code=307&next=303,308,302 "c307"`,
                `POST /?code=303&next=308,302 "c307"`,
-               `GET /?code=308&next=302 "c307"`,
+               `GET /?code=308&next=302 ""`,
                `GET /?code=302 "c307"`,
-               `GET / "c307"`,
+               `GET / ""`,
                `POST /?code=308&next=302,301 "c308"`,
                `POST /?code=302&next=301 "c308"`,
-               `GET /?code=301 "c308"`,
-               `GET / "c308"`,
+               `GET /?code=301 ""`,
+               `GET / ""`,
                `POST /?code=404 "c404"`,
        }
        want := strings.Join(wantSegments, "\n")
-       testRedirectsByMethod(t, "POST", postRedirectTests, want)
+       run(t, func(t *testing.T, mode testMode) {
+               testRedirectsByMethod(t, mode, "POST", postRedirectTests, want)
+       })
 }
 
 func TestDeleteRedirects(t *testing.T) {
@@ -383,50 +374,54 @@ func TestDeleteRedirects(t *testing.T) {
        wantSegments := []string{
                `DELETE / "first"`,
                `DELETE /?code=301&next=302,308 "c301"`,
-               `GET /?code=302&next=308 "c301"`,
-               `GET /?code=308 "c301"`,
+               `GET /?code=302&next=308 ""`,
+               `GET /?code=308 ""`,
                `GET / "c301"`,
                `DELETE /?code=302&next=302 "c302"`,
-               `GET /?code=302 "c302"`,
-               `GET / "c302"`,
+               `GET /?code=302 ""`,
+               `GET / ""`,
                `DELETE /?code=303 "c303"`,
-               `GET / "c303"`,
+               `GET / ""`,
                `DELETE /?code=307&next=301,308,303,302,304 "c307"`,
                `DELETE /?code=301&next=308,303,302,304 "c307"`,
-               `GET /?code=308&next=303,302,304 "c307"`,
+               `GET /?code=308&next=303,302,304 ""`,
                `GET /?code=303&next=302,304 "c307"`,
-               `GET /?code=302&next=304 "c307"`,
-               `GET /?code=304 "c307"`,
+               `GET /?code=302&next=304 ""`,
+               `GET /?code=304 ""`,
                `DELETE /?code=308&next=307 "c308"`,
                `DELETE /?code=307 "c308"`,
                `DELETE / "c308"`,
                `DELETE /?code=404 "c404"`,
        }
        want := strings.Join(wantSegments, "\n")
-       testRedirectsByMethod(t, "DELETE", deleteRedirectTests, want)
+       run(t, func(t *testing.T, mode testMode) {
+               testRedirectsByMethod(t, mode, "DELETE", deleteRedirectTests, want)
+       })
 }
 
-func testRedirectsByMethod(t *testing.T, method string, table []redirectTest, want string) {
-       defer afterTest(t)
+func testRedirectsByMethod(t *testing.T, mode testMode, method string, table []redirectTest, want string) {
        var log struct {
                sync.Mutex
                bytes.Buffer
        }
        var ts *httptest.Server
-       ts = httptest.NewServer(HandlerFunc(func(w ResponseWriter, r *Request) {
+       ts = newClientServerTest(t, mode, HandlerFunc(func(w ResponseWriter, r *Request) {
                log.Lock()
-               slurp, _ := ioutil.ReadAll(r.Body)
-               fmt.Fprintf(&log.Buffer, "%s %s %q\n", r.Method, r.RequestURI, slurp)
+               slurp, _ := io.ReadAll(r.Body)
+               fmt.Fprintf(&log.Buffer, "%s %s %q", r.Method, r.RequestURI, slurp)
+               if cl := r.Header.Get("Content-Length"); r.Method == "GET" && len(slurp) == 0 && (r.ContentLength != 0 || cl != "") {
+                       fmt.Fprintf(&log.Buffer, " (but with body=%T, content-length = %v, %q)", r.Body, r.ContentLength, cl)
+               }
+               log.WriteByte('\n')
                log.Unlock()
                urlQuery := r.URL.Query()
                if v := urlQuery.Get("code"); v != "" {
                        location := ts.URL
                        if final := urlQuery.Get("next"); final != "" {
-                               splits := strings.Split(final, ",")
-                               first, rest := splits[0], splits[1:]
+                               first, rest, _ := strings.Cut(final, ",")
                                location = fmt.Sprintf("%s?code=%s", location, first)
-                               if len(rest) > 0 {
-                                       location = fmt.Sprintf("%s&next=%s", location, strings.Join(rest, ","))
+                               if rest != "" {
+                                       location = fmt.Sprintf("%s&next=%s", location, rest)
                                }
                        }
                        code, _ := strconv.Atoi(v)
@@ -435,14 +430,14 @@ func testRedirectsByMethod(t *testing.T, method string, table []redirectTest, wa
                        }
                        w.WriteHeader(code)
                }
-       }))
-       defer ts.Close()
+       })).ts
 
+       c := ts.Client()
        for _, tt := range table {
                content := tt.redirectBody
                req, _ := NewRequest(method, ts.URL+tt.suffix, strings.NewReader(content))
-               req.GetBody = func() (io.ReadCloser, error) { return ioutil.NopCloser(strings.NewReader(content)), nil }
-               res, err := DefaultClient.Do(req)
+               req.GetBody = func() (io.ReadCloser, error) { return io.NopCloser(strings.NewReader(content)), nil }
+               res, err := c.Do(req)
 
                if err != nil {
                        t.Fatal(err)
@@ -459,16 +454,32 @@ func testRedirectsByMethod(t *testing.T, method string, table []redirectTest, wa
        want = strings.TrimSpace(want)
 
        if got != want {
-               t.Errorf("Log differs.\n Got:\n%s\nWant:\n%s\n", got, want)
+               got, want, lines := removeCommonLines(got, want)
+               t.Errorf("Log differs after %d common lines.\n\nGot:\n%s\n\nWant:\n%s\n", lines, got, want)
        }
 }
 
-func TestClientRedirectUseResponse(t *testing.T) {
-       setParallel(t)
-       defer afterTest(t)
+func removeCommonLines(a, b string) (asuffix, bsuffix string, commonLines int) {
+       for {
+               nl := strings.IndexByte(a, '\n')
+               if nl < 0 {
+                       return a, b, commonLines
+               }
+               line := a[:nl+1]
+               if !strings.HasPrefix(b, line) {
+                       return a, b, commonLines
+               }
+               commonLines++
+               a = a[len(line):]
+               b = b[len(line):]
+       }
+}
+
+func TestClientRedirectUseResponse(t *testing.T) { run(t, testClientRedirectUseResponse) }
+func testClientRedirectUseResponse(t *testing.T, mode testMode) {
        const body = "Hello, world."
        var ts *httptest.Server
-       ts = httptest.NewServer(HandlerFunc(func(w ResponseWriter, r *Request) {
+       ts = newClientServerTest(t, mode, HandlerFunc(func(w ResponseWriter, r *Request) {
                if strings.Contains(r.URL.Path, "/other") {
                        io.WriteString(w, "wrong body")
                } else {
@@ -476,15 +487,15 @@ func TestClientRedirectUseResponse(t *testing.T) {
                        w.WriteHeader(StatusFound)
                        io.WriteString(w, body)
                }
-       }))
-       defer ts.Close()
+       })).ts
 
-       c := &Client{CheckRedirect: func(req *Request, via []*Request) error {
+       c := ts.Client()
+       c.CheckRedirect = func(req *Request, via []*Request) error {
                if req.Response == nil {
                        t.Error("expected non-nil Request.Response")
                }
                return ErrUseLastResponse
-       }}
+       }
        res, err := c.Get(ts.URL)
        if err != nil {
                t.Fatal(err)
@@ -493,7 +504,7 @@ func TestClientRedirectUseResponse(t *testing.T) {
                t.Errorf("status = %d; want %d", res.StatusCode, StatusFound)
        }
        defer res.Body.Close()
-       slurp, err := ioutil.ReadAll(res.Body)
+       slurp, err := io.ReadAll(res.Body)
        if err != nil {
                t.Fatal(err)
        }
@@ -502,45 +513,47 @@ func TestClientRedirectUseResponse(t *testing.T) {
        }
 }
 
-// Issue 17773: don't follow a 308 (or 307) if the response doesn't
+// Issues 17773 and 49281: don't follow a 3xx if the response doesn't
 // have a Location header.
-func TestClientRedirect308NoLocation(t *testing.T) {
-       setParallel(t)
-       defer afterTest(t)
-       ts := httptest.NewServer(HandlerFunc(func(w ResponseWriter, r *Request) {
-               w.Header().Set("Foo", "Bar")
-               w.WriteHeader(308)
-       }))
-       defer ts.Close()
-       res, err := Get(ts.URL)
-       if err != nil {
-               t.Fatal(err)
-       }
-       res.Body.Close()
-       if res.StatusCode != 308 {
-               t.Errorf("status = %d; want %d", res.StatusCode, 308)
-       }
-       if got := res.Header.Get("Foo"); got != "Bar" {
-               t.Errorf("Foo header = %q; want Bar", got)
+func TestClientRedirectNoLocation(t *testing.T) { run(t, testClientRedirectNoLocation) }
+func testClientRedirectNoLocation(t *testing.T, mode testMode) {
+       for _, code := range []int{301, 308} {
+               t.Run(fmt.Sprint(code), func(t *testing.T) {
+                       setParallel(t)
+                       cst := newClientServerTest(t, mode, HandlerFunc(func(w ResponseWriter, r *Request) {
+                               w.Header().Set("Foo", "Bar")
+                               w.WriteHeader(code)
+                       }))
+                       res, err := cst.c.Get(cst.ts.URL)
+                       if err != nil {
+                               t.Fatal(err)
+                       }
+                       res.Body.Close()
+                       if res.StatusCode != code {
+                               t.Errorf("status = %d; want %d", res.StatusCode, code)
+                       }
+                       if got := res.Header.Get("Foo"); got != "Bar" {
+                               t.Errorf("Foo header = %q; want Bar", got)
+                       }
+               })
        }
 }
 
 // Don't follow a 307/308 if we can't resent the request body.
-func TestClientRedirect308NoGetBody(t *testing.T) {
-       setParallel(t)
-       defer afterTest(t)
+func TestClientRedirect308NoGetBody(t *testing.T) { run(t, testClientRedirect308NoGetBody) }
+func testClientRedirect308NoGetBody(t *testing.T, mode testMode) {
        const fakeURL = "https://localhost:1234/" // won't be hit
-       ts := httptest.NewServer(HandlerFunc(func(w ResponseWriter, r *Request) {
+       ts := newClientServerTest(t, mode, HandlerFunc(func(w ResponseWriter, r *Request) {
                w.Header().Set("Location", fakeURL)
                w.WriteHeader(308)
-       }))
-       defer ts.Close()
+       })).ts
        req, err := NewRequest("POST", ts.URL, strings.NewReader("some body"))
        if err != nil {
                t.Fatal(err)
        }
+       c := ts.Client()
        req.GetBody = nil // so it can't rewind.
-       res, err := DefaultClient.Do(req)
+       res, err := c.Do(req)
        if err != nil {
                t.Fatal(err)
        }
@@ -624,14 +637,12 @@ func (j *TestJar) Cookies(u *url.URL) []*Cookie {
        return j.perURL[u.Host]
 }
 
-func TestRedirectCookiesJar(t *testing.T) {
-       defer afterTest(t)
+func TestRedirectCookiesJar(t *testing.T) { run(t, testRedirectCookiesJar) }
+func testRedirectCookiesJar(t *testing.T, mode testMode) {
        var ts *httptest.Server
-       ts = httptest.NewServer(echoCookiesRedirectHandler)
-       defer ts.Close()
-       c := &Client{
-               Jar: new(TestJar),
-       }
+       ts = newClientServerTest(t, mode, echoCookiesRedirectHandler).ts
+       c := ts.Client()
+       c.Jar = new(TestJar)
        u, _ := url.Parse(ts.URL)
        c.Jar.SetCookies(u, []*Cookie{expectedCookies[0]})
        resp, err := c.Get(ts.URL)
@@ -661,9 +672,9 @@ func matchReturnedCookies(t *testing.T, expected, given []*Cookie) {
        }
 }
 
-func TestJarCalls(t *testing.T) {
-       defer afterTest(t)
-       ts := httptest.NewServer(HandlerFunc(func(w ResponseWriter, r *Request) {
+func TestJarCalls(t *testing.T) { run(t, testJarCalls, []testMode{http1Mode}) }
+func testJarCalls(t *testing.T, mode testMode) {
+       ts := newClientServerTest(t, mode, HandlerFunc(func(w ResponseWriter, r *Request) {
                pathSuffix := r.RequestURI[1:]
                if r.RequestURI == "/nosetcookie" {
                        return // don't set cookies for this path
@@ -672,16 +683,12 @@ func TestJarCalls(t *testing.T) {
                if r.RequestURI == "/" {
                        Redirect(w, r, "http://secondhost.fake/secondpath", 302)
                }
-       }))
-       defer ts.Close()
+       })).ts
        jar := new(RecordingJar)
-       c := &Client{
-               Jar: jar,
-               Transport: &Transport{
-                       Dial: func(_ string, _ string) (net.Conn, error) {
-                               return net.Dial("tcp", ts.Listener.Addr().String())
-                       },
-               },
+       c := ts.Client()
+       c.Jar = jar
+       c.Transport.(*Transport).Dial = func(_ string, _ string) (net.Conn, error) {
+               return net.Dial("tcp", ts.Listener.Addr().String())
        }
        _, err := c.Get("http://firsthost.fake/")
        if err != nil {
@@ -719,26 +726,22 @@ func (j *RecordingJar) Cookies(u *url.URL) []*Cookie {
        return nil
 }
 
-func (j *RecordingJar) logf(format string, args ...interface{}) {
+func (j *RecordingJar) logf(format string, args ...any) {
        j.mu.Lock()
        defer j.mu.Unlock()
        fmt.Fprintf(&j.log, format, args...)
 }
 
-func TestStreamingGet_h1(t *testing.T) { testStreamingGet(t, h1Mode) }
-func TestStreamingGet_h2(t *testing.T) { testStreamingGet(t, h2Mode) }
-
-func testStreamingGet(t *testing.T, h2 bool) {
-       defer afterTest(t)
+func TestStreamingGet(t *testing.T) { run(t, testStreamingGet) }
+func testStreamingGet(t *testing.T, mode testMode) {
        say := make(chan string)
-       cst := newClientServerTest(t, h2, HandlerFunc(func(w ResponseWriter, r *Request) {
+       cst := newClientServerTest(t, mode, HandlerFunc(func(w ResponseWriter, r *Request) {
                w.(Flusher).Flush()
                for str := range say {
                        w.Write([]byte(str))
                        w.(Flusher).Flush()
                }
        }))
-       defer cst.close()
 
        c := cst.c
        res, err := c.Get(cst.ts.URL)
@@ -779,11 +782,10 @@ func (c *writeCountingConn) Write(p []byte) (int, error) {
 
 // TestClientWrites verifies that client requests are buffered and we
 // don't send a TCP packet per line of the http request + body.
-func TestClientWrites(t *testing.T) {
-       defer afterTest(t)
-       ts := httptest.NewServer(HandlerFunc(func(w ResponseWriter, r *Request) {
-       }))
-       defer ts.Close()
+func TestClientWrites(t *testing.T) { run(t, testClientWrites, []testMode{http1Mode}) }
+func testClientWrites(t *testing.T, mode testMode) {
+       ts := newClientServerTest(t, mode, HandlerFunc(func(w ResponseWriter, r *Request) {
+       })).ts
 
        writes := 0
        dialer := func(netz string, addr string) (net.Conn, error) {
@@ -793,7 +795,8 @@ func TestClientWrites(t *testing.T) {
                }
                return c, err
        }
-       c := &Client{Transport: &Transport{Dial: dialer}}
+       c := ts.Client()
+       c.Transport.(*Transport).Dial = dialer
 
        _, err := c.Get(ts.URL)
        if err != nil {
@@ -814,26 +817,24 @@ func TestClientWrites(t *testing.T) {
 }
 
 func TestClientInsecureTransport(t *testing.T) {
-       setParallel(t)
-       defer afterTest(t)
-       ts := httptest.NewTLSServer(HandlerFunc(func(w ResponseWriter, r *Request) {
+       run(t, testClientInsecureTransport, []testMode{https1Mode, http2Mode})
+}
+func testClientInsecureTransport(t *testing.T, mode testMode) {
+       cst := newClientServerTest(t, mode, HandlerFunc(func(w ResponseWriter, r *Request) {
                w.Write([]byte("Hello"))
        }))
-       errc := make(chanWriter, 10) // but only expecting 1
-       ts.Config.ErrorLog = log.New(errc, "", 0)
-       defer ts.Close()
+       ts := cst.ts
+       errLog := new(strings.Builder)
+       ts.Config.ErrorLog = log.New(errLog, "", 0)
 
        // TODO(bradfitz): add tests for skipping hostname checks too?
        // would require a new cert for testing, and probably
        // redundant with these tests.
+       c := ts.Client()
        for _, insecure := range []bool{true, false} {
-               tr := &Transport{
-                       TLSClientConfig: &tls.Config{
-                               InsecureSkipVerify: insecure,
-                       },
+               c.Transport.(*Transport).TLSClientConfig = &tls.Config{
+                       InsecureSkipVerify: insecure,
                }
-               defer tr.CloseIdleConnections()
-               c := &Client{Transport: tr}
                res, err := c.Get(ts.URL)
                if (err == nil) != insecure {
                        t.Errorf("insecure=%v: got unexpected err=%v", insecure, err)
@@ -843,15 +844,10 @@ func TestClientInsecureTransport(t *testing.T) {
                }
        }
 
-       select {
-       case v := <-errc:
-               if !strings.Contains(v, "TLS handshake error") {
-                       t.Errorf("expected an error log message containing 'TLS handshake error'; got %q", v)
-               }
-       case <-time.After(5 * time.Second):
-               t.Errorf("timeout waiting for logged error")
+       cst.close()
+       if !strings.Contains(errLog.String(), "TLS handshake error") {
+               t.Errorf("expected an error log message containing 'TLS handshake error'; got %q", errLog)
        }
-
 }
 
 func TestClientErrorWithRequestURI(t *testing.T) {
@@ -867,51 +863,35 @@ func TestClientErrorWithRequestURI(t *testing.T) {
        }
 }
 
-func newTLSTransport(t *testing.T, ts *httptest.Server) *Transport {
-       certs := x509.NewCertPool()
-       for _, c := range ts.TLS.Certificates {
-               roots, err := x509.ParseCertificates(c.Certificate[len(c.Certificate)-1])
-               if err != nil {
-                       t.Fatalf("error parsing server's root cert: %v", err)
-               }
-               for _, root := range roots {
-                       certs.AddCert(root)
-               }
-       }
-       return &Transport{
-               TLSClientConfig: &tls.Config{RootCAs: certs},
-       }
-}
-
 func TestClientWithCorrectTLSServerName(t *testing.T) {
-       defer afterTest(t)
-
+       run(t, testClientWithCorrectTLSServerName, []testMode{https1Mode, http2Mode})
+}
+func testClientWithCorrectTLSServerName(t *testing.T, mode testMode) {
        const serverName = "example.com"
-       ts := httptest.NewTLSServer(HandlerFunc(func(w ResponseWriter, r *Request) {
+       ts := newClientServerTest(t, mode, HandlerFunc(func(w ResponseWriter, r *Request) {
                if r.TLS.ServerName != serverName {
                        t.Errorf("expected client to set ServerName %q, got: %q", serverName, r.TLS.ServerName)
                }
-       }))
-       defer ts.Close()
+       })).ts
 
-       trans := newTLSTransport(t, ts)
-       trans.TLSClientConfig.ServerName = serverName
-       c := &Client{Transport: trans}
+       c := ts.Client()
+       c.Transport.(*Transport).TLSClientConfig.ServerName = serverName
        if _, err := c.Get(ts.URL); err != nil {
                t.Fatalf("expected successful TLS connection, got error: %v", err)
        }
 }
 
 func TestClientWithIncorrectTLSServerName(t *testing.T) {
-       defer afterTest(t)
-       ts := httptest.NewTLSServer(HandlerFunc(func(w ResponseWriter, r *Request) {}))
-       defer ts.Close()
-       errc := make(chanWriter, 10) // but only expecting 1
-       ts.Config.ErrorLog = log.New(errc, "", 0)
-
-       trans := newTLSTransport(t, ts)
-       trans.TLSClientConfig.ServerName = "badserver"
-       c := &Client{Transport: trans}
+       run(t, testClientWithIncorrectTLSServerName, []testMode{https1Mode, http2Mode})
+}
+func testClientWithIncorrectTLSServerName(t *testing.T, mode testMode) {
+       cst := newClientServerTest(t, mode, HandlerFunc(func(w ResponseWriter, r *Request) {}))
+       ts := cst.ts
+       errLog := new(strings.Builder)
+       ts.Config.ErrorLog = log.New(errLog, "", 0)
+
+       c := ts.Client()
+       c.Transport.(*Transport).TLSClientConfig.ServerName = "badserver"
        _, err := c.Get(ts.URL)
        if err == nil {
                t.Fatalf("expected an error")
@@ -919,13 +899,10 @@ func TestClientWithIncorrectTLSServerName(t *testing.T) {
        if !strings.Contains(err.Error(), "127.0.0.1") || !strings.Contains(err.Error(), "badserver") {
                t.Errorf("wanted error mentioning 127.0.0.1 and badserver; got error: %v", err)
        }
-       select {
-       case v := <-errc:
-               if !strings.Contains(v, "TLS handshake error") {
-                       t.Errorf("expected an error log message containing 'TLS handshake error'; got %q", v)
-               }
-       case <-time.After(5 * time.Second):
-               t.Errorf("timeout waiting for logged error")
+
+       cst.close()
+       if !strings.Contains(errLog.String(), "TLS handshake error") {
+               t.Errorf("expected an error log message containing 'TLS handshake error'; got %q", errLog)
        }
 }
 
@@ -939,19 +916,19 @@ func TestClientWithIncorrectTLSServerName(t *testing.T) {
 //
 // The httptest.Server has a cert with "example.com" as its name.
 func TestTransportUsesTLSConfigServerName(t *testing.T) {
-       defer afterTest(t)
-       ts := httptest.NewTLSServer(HandlerFunc(func(w ResponseWriter, r *Request) {
+       run(t, testTransportUsesTLSConfigServerName, []testMode{https1Mode, http2Mode})
+}
+func testTransportUsesTLSConfigServerName(t *testing.T, mode testMode) {
+       ts := newClientServerTest(t, mode, HandlerFunc(func(w ResponseWriter, r *Request) {
                w.Write([]byte("Hello"))
-       }))
-       defer ts.Close()
+       })).ts
 
-       tr := newTLSTransport(t, ts)
+       c := ts.Client()
+       tr := c.Transport.(*Transport)
        tr.TLSClientConfig.ServerName = "example.com" // one of httptest's Server cert names
        tr.Dial = func(netw, addr string) (net.Conn, error) {
                return net.Dial(netw, ts.Listener.Addr().String())
        }
-       defer tr.CloseIdleConnections()
-       c := &Client{Transport: tr}
        res, err := c.Get("https://some-other-host.tld/")
        if err != nil {
                t.Fatal(err)
@@ -960,19 +937,20 @@ func TestTransportUsesTLSConfigServerName(t *testing.T) {
 }
 
 func TestResponseSetsTLSConnectionState(t *testing.T) {
-       defer afterTest(t)
-       ts := httptest.NewTLSServer(HandlerFunc(func(w ResponseWriter, r *Request) {
+       run(t, testResponseSetsTLSConnectionState, []testMode{https1Mode})
+}
+func testResponseSetsTLSConnectionState(t *testing.T, mode testMode) {
+       ts := newClientServerTest(t, mode, HandlerFunc(func(w ResponseWriter, r *Request) {
                w.Write([]byte("Hello"))
-       }))
-       defer ts.Close()
+       })).ts
 
-       tr := newTLSTransport(t, ts)
-       tr.TLSClientConfig.CipherSuites = []uint16{tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA}
+       c := ts.Client()
+       tr := c.Transport.(*Transport)
+       tr.TLSClientConfig.CipherSuites = []uint16{tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA}
+       tr.TLSClientConfig.MaxVersion = tls.VersionTLS12 // to get to pick the cipher suite
        tr.Dial = func(netw, addr string) (net.Conn, error) {
                return net.Dial(netw, ts.Listener.Addr().String())
        }
-       defer tr.CloseIdleConnections()
-       c := &Client{Transport: tr}
        res, err := c.Get("https://example.com/")
        if err != nil {
                t.Fatal(err)
@@ -981,7 +959,7 @@ func TestResponseSetsTLSConnectionState(t *testing.T) {
        if res.TLS == nil {
                t.Fatal("Response didn't set TLS Connection State.")
        }
-       if got, want := res.TLS.CipherSuite, tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA; got != want {
+       if got, want := res.TLS.CipherSuite, tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA; got != want {
                t.Errorf("TLS Cipher Suite = %d; want %d", got, want)
        }
 }
@@ -990,9 +968,11 @@ func TestResponseSetsTLSConnectionState(t *testing.T) {
 // to determine that the server is speaking HTTP.
 // See golang.org/issue/11111.
 func TestHTTPSClientDetectsHTTPServer(t *testing.T) {
-       defer afterTest(t)
-       ts := httptest.NewServer(HandlerFunc(func(w ResponseWriter, r *Request) {}))
-       defer ts.Close()
+       run(t, testHTTPSClientDetectsHTTPServer, []testMode{http1Mode})
+}
+func testHTTPSClientDetectsHTTPServer(t *testing.T, mode testMode) {
+       ts := newClientServerTest(t, mode, HandlerFunc(func(w ResponseWriter, r *Request) {})).ts
+       ts.Config.ErrorLog = quietLog
 
        _, err := Get(strings.Replace(ts.URL, "http", "https", 1))
        if got := err.Error(); !strings.Contains(got, "HTTP response to HTTPS client") {
@@ -1001,22 +981,13 @@ func TestHTTPSClientDetectsHTTPServer(t *testing.T) {
 }
 
 // Verify Response.ContentLength is populated. https://golang.org/issue/4126
-func TestClientHeadContentLength_h1(t *testing.T) {
-       testClientHeadContentLength(t, h1Mode)
-}
-
-func TestClientHeadContentLength_h2(t *testing.T) {
-       testClientHeadContentLength(t, h2Mode)
-}
-
-func testClientHeadContentLength(t *testing.T, h2 bool) {
-       defer afterTest(t)
-       cst := newClientServerTest(t, h2, HandlerFunc(func(w ResponseWriter, r *Request) {
+func TestClientHeadContentLength(t *testing.T) { run(t, testClientHeadContentLength) }
+func testClientHeadContentLength(t *testing.T, mode testMode) {
+       cst := newClientServerTest(t, mode, HandlerFunc(func(w ResponseWriter, r *Request) {
                if v := r.FormValue("cl"); v != "" {
                        w.Header().Set("Content-Length", v)
                }
        }))
-       defer cst.close()
        tests := []struct {
                suffix string
                want   int64
@@ -1034,7 +1005,7 @@ func testClientHeadContentLength(t *testing.T, h2 bool) {
                if res.ContentLength != tt.want {
                        t.Errorf("Content-Length = %d; want %d", res.ContentLength, tt.want)
                }
-               bs, err := ioutil.ReadAll(res.Body)
+               bs, err := io.ReadAll(res.Body)
                if err != nil {
                        t.Fatal(err)
                }
@@ -1044,10 +1015,10 @@ func testClientHeadContentLength(t *testing.T, h2 bool) {
        }
 }
 
-func TestEmptyPasswordAuth(t *testing.T) {
-       defer afterTest(t)
+func TestEmptyPasswordAuth(t *testing.T) { run(t, testEmptyPasswordAuth) }
+func testEmptyPasswordAuth(t *testing.T, mode testMode) {
        gopher := "gopher"
-       ts := httptest.NewServer(HandlerFunc(func(w ResponseWriter, r *Request) {
+       ts := newClientServerTest(t, mode, HandlerFunc(func(w ResponseWriter, r *Request) {
                auth := r.Header.Get("Authorization")
                if strings.HasPrefix(auth, "Basic ") {
                        encoded := auth[6:]
@@ -1063,14 +1034,14 @@ func TestEmptyPasswordAuth(t *testing.T) {
                } else {
                        t.Errorf("Invalid auth %q", auth)
                }
-       }))
+       })).ts
        defer ts.Close()
-       c := &Client{}
        req, err := NewRequest("GET", ts.URL, nil)
        if err != nil {
                t.Fatal(err)
        }
        req.URL.User = url.User(gopher)
+       c := ts.Client()
        resp, err := c.Do(req)
        if err != nil {
                t.Fatal(err)
@@ -1153,63 +1124,122 @@ func TestBasicAuthHeadersPreserved(t *testing.T) {
 
 }
 
-func TestClientTimeout_h1(t *testing.T) { testClientTimeout(t, h1Mode) }
-func TestClientTimeout_h2(t *testing.T) { testClientTimeout(t, h2Mode) }
-
-func testClientTimeout(t *testing.T, h2 bool) {
-       if testing.Short() {
-               t.Skip("skipping in short mode")
+func TestStripPasswordFromError(t *testing.T) {
+       client := &Client{Transport: &recordingTransport{}}
+       testCases := []struct {
+               desc string
+               in   string
+               out  string
+       }{
+               {
+                       desc: "Strip password from error message",
+                       in:   "http://user:password@dummy.faketld/",
+                       out:  `Get "http://user:***@dummy.faketld/": dummy impl`,
+               },
+               {
+                       desc: "Don't Strip password from domain name",
+                       in:   "http://user:password@password.faketld/",
+                       out:  `Get "http://user:***@password.faketld/": dummy impl`,
+               },
+               {
+                       desc: "Don't Strip password from path",
+                       in:   "http://user:password@dummy.faketld/password",
+                       out:  `Get "http://user:***@dummy.faketld/password": dummy impl`,
+               },
+               {
+                       desc: "Strip escaped password",
+                       in:   "http://user:pa%2Fssword@dummy.faketld/",
+                       out:  `Get "http://user:***@dummy.faketld/": dummy impl`,
+               },
        }
-       defer afterTest(t)
-       sawRoot := make(chan bool, 1)
-       sawSlow := make(chan bool, 1)
-       cst := newClientServerTest(t, h2, HandlerFunc(func(w ResponseWriter, r *Request) {
+       for _, tC := range testCases {
+               t.Run(tC.desc, func(t *testing.T) {
+                       _, err := client.Get(tC.in)
+                       if err.Error() != tC.out {
+                               t.Errorf("Unexpected output for %q: expected %q, actual %q",
+                                       tC.in, tC.out, err.Error())
+                       }
+               })
+       }
+}
+
+func TestClientTimeout(t *testing.T) { run(t, testClientTimeout) }
+func testClientTimeout(t *testing.T, mode testMode) {
+       var (
+               mu           sync.Mutex
+               nonce        string // a unique per-request string
+               sawSlowNonce bool   // true if the handler saw /slow?nonce=<nonce>
+       )
+       cst := newClientServerTest(t, mode, HandlerFunc(func(w ResponseWriter, r *Request) {
+               _ = r.ParseForm()
                if r.URL.Path == "/" {
-                       sawRoot <- true
-                       Redirect(w, r, "/slow", StatusFound)
+                       Redirect(w, r, "/slow?nonce="+r.Form.Get("nonce"), StatusFound)
                        return
                }
                if r.URL.Path == "/slow" {
+                       mu.Lock()
+                       if r.Form.Get("nonce") == nonce {
+                               sawSlowNonce = true
+                       } else {
+                               t.Logf("mismatched nonce: received %s, want %s", r.Form.Get("nonce"), nonce)
+                       }
+                       mu.Unlock()
+
                        w.Write([]byte("Hello"))
                        w.(Flusher).Flush()
-                       sawSlow <- true
-                       time.Sleep(2 * time.Second)
+                       <-r.Context().Done()
                        return
                }
        }))
-       defer cst.close()
-       const timeout = 500 * time.Millisecond
-       cst.c.Timeout = timeout
 
-       res, err := cst.c.Get(cst.ts.URL)
-       if err != nil {
-               t.Fatal(err)
-       }
-
-       select {
-       case <-sawRoot:
-               // good.
-       default:
-               t.Fatal("handler never got / request")
-       }
+       // Try to trigger a timeout after reading part of the response body.
+       // The initial timeout is empirically usually long enough on a decently fast
+       // machine, but if we undershoot we'll retry with exponentially longer
+       // timeouts until the test either passes or times out completely.
+       // This keeps the test reasonably fast in the typical case but allows it to
+       // also eventually succeed on arbitrarily slow machines.
+       timeout := 10 * time.Millisecond
+       nextNonce := 0
+       for ; ; timeout *= 2 {
+               if timeout <= 0 {
+                       // The only way we can feasibly hit this while the test is running is if
+                       // the request fails without actually waiting for the timeout to occur.
+                       t.Fatalf("timeout overflow")
+               }
+               if deadline, ok := t.Deadline(); ok && !time.Now().Add(timeout).Before(deadline) {
+                       t.Fatalf("failed to produce expected timeout before test deadline")
+               }
+               t.Logf("attempting test with timeout %v", timeout)
+               cst.c.Timeout = timeout
+
+               mu.Lock()
+               nonce = fmt.Sprint(nextNonce)
+               nextNonce++
+               sawSlowNonce = false
+               mu.Unlock()
+               res, err := cst.c.Get(cst.ts.URL + "/?nonce=" + nonce)
+               if err != nil {
+                       if strings.Contains(err.Error(), "Client.Timeout") {
+                               // Timed out before handler could respond.
+                               t.Logf("timeout before response received")
+                               continue
+                       }
+                       if runtime.GOOS == "windows" && strings.HasPrefix(runtime.GOARCH, "arm") {
+                               testenv.SkipFlaky(t, 43120)
+                       }
+                       t.Fatal(err)
+               }
 
-       select {
-       case <-sawSlow:
-               // good.
-       default:
-               t.Fatal("handler never got /slow request")
-       }
+               mu.Lock()
+               ok := sawSlowNonce
+               mu.Unlock()
+               if !ok {
+                       t.Fatal("handler never got /slow request, but client returned response")
+               }
 
-       errc := make(chan error, 1)
-       go func() {
-               _, err := ioutil.ReadAll(res.Body)
-               errc <- err
+               _, err = io.ReadAll(res.Body)
                res.Body.Close()
-       }()
 
-       const failTime = timeout * 2
-       select {
-       case err := <-errc:
                if err == nil {
                        t.Fatal("expected error from ReadAll")
                }
@@ -1219,28 +1249,24 @@ func testClientTimeout(t *testing.T, h2 bool) {
                } else if !ne.Timeout() {
                        t.Errorf("net.Error.Timeout = false; want true")
                }
-               if got := ne.Error(); !strings.Contains(got, "Client.Timeout exceeded") {
+               if got := ne.Error(); !strings.Contains(got, "(Client.Timeout") {
+                       if runtime.GOOS == "windows" && strings.HasPrefix(runtime.GOARCH, "arm") {
+                               testenv.SkipFlaky(t, 43120)
+                       }
                        t.Errorf("error string = %q; missing timeout substring", got)
                }
-       case <-time.After(failTime):
-               t.Errorf("timeout after %v waiting for timeout of %v", failTime, timeout)
+
+               break
        }
 }
 
-func TestClientTimeout_Headers_h1(t *testing.T) { testClientTimeout_Headers(t, h1Mode) }
-func TestClientTimeout_Headers_h2(t *testing.T) { testClientTimeout_Headers(t, h2Mode) }
-
 // Client.Timeout firing before getting to the body
-func testClientTimeout_Headers(t *testing.T, h2 bool) {
-       if testing.Short() {
-               t.Skip("skipping in short mode")
-       }
-       defer afterTest(t)
-       donec := make(chan bool)
-       cst := newClientServerTest(t, h2, HandlerFunc(func(w ResponseWriter, r *Request) {
+func TestClientTimeout_Headers(t *testing.T) { run(t, testClientTimeout_Headers) }
+func testClientTimeout_Headers(t *testing.T, mode testMode) {
+       donec := make(chan bool, 1)
+       cst := newClientServerTest(t, mode, HandlerFunc(func(w ResponseWriter, r *Request) {
                <-donec
-       }))
-       defer cst.close()
+       }), optQuietLog)
        // Note that we use a channel send here and not a close.
        // The race detector doesn't know that we're waiting for a timeout
        // and thinks that the waitgroup inside httptest.Server is added to concurrently
@@ -1250,9 +1276,10 @@ func testClientTimeout_Headers(t *testing.T, h2 bool) {
        // doesn't know this, so synchronize explicitly.
        defer func() { donec <- true }()
 
-       cst.c.Timeout = 500 * time.Millisecond
-       _, err := cst.c.Get(cst.ts.URL)
+       cst.c.Timeout = 5 * time.Millisecond
+       res, err := cst.c.Get(cst.ts.URL)
        if err == nil {
+               res.Body.Close()
                t.Fatal("got response from Get; expected error")
        }
        if _, ok := err.(*url.Error); !ok {
@@ -1266,33 +1293,80 @@ func testClientTimeout_Headers(t *testing.T, h2 bool) {
                t.Error("net.Error.Timeout = false; want true")
        }
        if got := ne.Error(); !strings.Contains(got, "Client.Timeout exceeded") {
+               if runtime.GOOS == "windows" && strings.HasPrefix(runtime.GOARCH, "arm") {
+                       testenv.SkipFlaky(t, 43120)
+               }
                t.Errorf("error string = %q; missing timeout substring", got)
        }
 }
 
-func TestClientRedirectEatsBody_h1(t *testing.T) { testClientRedirectEatsBody(t, h1Mode) }
-func TestClientRedirectEatsBody_h2(t *testing.T) { testClientRedirectEatsBody(t, h2Mode) }
-func testClientRedirectEatsBody(t *testing.T, h2 bool) {
-       setParallel(t)
-       defer afterTest(t)
+// Issue 16094: if Client.Timeout is set but not hit, a Timeout error shouldn't be
+// returned.
+func TestClientTimeoutCancel(t *testing.T) { run(t, testClientTimeoutCancel) }
+func testClientTimeoutCancel(t *testing.T, mode testMode) {
+       testDone := make(chan struct{})
+       ctx, cancel := context.WithCancel(context.Background())
+
+       cst := newClientServerTest(t, mode, HandlerFunc(func(w ResponseWriter, r *Request) {
+               w.(Flusher).Flush()
+               <-testDone
+       }))
+       defer close(testDone)
+
+       cst.c.Timeout = 1 * time.Hour
+       req, _ := NewRequest("GET", cst.ts.URL, nil)
+       req.Cancel = ctx.Done()
+       res, err := cst.c.Do(req)
+       if err != nil {
+               t.Fatal(err)
+       }
+       cancel()
+       _, err = io.Copy(io.Discard, res.Body)
+       if err != ExportErrRequestCanceled {
+               t.Fatalf("error = %v; want errRequestCanceled", err)
+       }
+}
+
+// Issue 49366: if Client.Timeout is set but not hit, no error should be returned.
+func TestClientTimeoutDoesNotExpire(t *testing.T) { run(t, testClientTimeoutDoesNotExpire) }
+func testClientTimeoutDoesNotExpire(t *testing.T, mode testMode) {
+       cst := newClientServerTest(t, mode, HandlerFunc(func(w ResponseWriter, r *Request) {
+               w.Write([]byte("body"))
+       }))
+
+       cst.c.Timeout = 1 * time.Hour
+       req, _ := NewRequest("GET", cst.ts.URL, nil)
+       res, err := cst.c.Do(req)
+       if err != nil {
+               t.Fatal(err)
+       }
+       if _, err = io.Copy(io.Discard, res.Body); err != nil {
+               t.Fatalf("io.Copy(io.Discard, res.Body) = %v, want nil", err)
+       }
+       if err = res.Body.Close(); err != nil {
+               t.Fatalf("res.Body.Close() = %v, want nil", err)
+       }
+}
+
+func TestClientRedirectEatsBody_h1(t *testing.T) { run(t, testClientRedirectEatsBody) }
+func testClientRedirectEatsBody(t *testing.T, mode testMode) {
        saw := make(chan string, 2)
-       cst := newClientServerTest(t, h2, HandlerFunc(func(w ResponseWriter, r *Request) {
+       cst := newClientServerTest(t, mode, HandlerFunc(func(w ResponseWriter, r *Request) {
                saw <- r.RemoteAddr
                if r.URL.Path == "/" {
                        Redirect(w, r, "/foo", StatusFound) // which includes a body
                }
        }))
-       defer cst.close()
 
        res, err := cst.c.Get(cst.ts.URL)
        if err != nil {
                t.Fatal(err)
        }
-       _, err = ioutil.ReadAll(res.Body)
+       _, err = io.ReadAll(res.Body)
+       res.Body.Close()
        if err != nil {
                t.Fatal(err)
        }
-       res.Body.Close()
 
        var first string
        select {
@@ -1323,24 +1397,32 @@ func (f eofReaderFunc) Read(p []byte) (n int, err error) {
 
 func TestReferer(t *testing.T) {
        tests := []struct {
-               lastReq, newReq string // from -> to URLs
-               want            string
+               lastReq, newReq, explicitRef string // from -> to URLs, explicitly set Referer value
+               want                         string
        }{
                // don't send user:
-               {"http://gopher@test.com", "http://link.com", "http://test.com"},
-               {"https://gopher@test.com", "https://link.com", "https://test.com"},
+               {lastReq: "http://gopher@test.com", newReq: "http://link.com", want: "http://test.com"},
+               {lastReq: "https://gopher@test.com", newReq: "https://link.com", want: "https://test.com"},
 
                // don't send a user and password:
-               {"http://gopher:go@test.com", "http://link.com", "http://test.com"},
-               {"https://gopher:go@test.com", "https://link.com", "https://test.com"},
+               {lastReq: "http://gopher:go@test.com", newReq: "http://link.com", want: "http://test.com"},
+               {lastReq: "https://gopher:go@test.com", newReq: "https://link.com", want: "https://test.com"},
 
                // nothing to do:
-               {"http://test.com", "http://link.com", "http://test.com"},
-               {"https://test.com", "https://link.com", "https://test.com"},
+               {lastReq: "http://test.com", newReq: "http://link.com", want: "http://test.com"},
+               {lastReq: "https://test.com", newReq: "https://link.com", want: "https://test.com"},
 
                // https to http doesn't send a referer:
-               {"https://test.com", "http://link.com", ""},
-               {"https://gopher:go@test.com", "http://link.com", ""},
+               {lastReq: "https://test.com", newReq: "http://link.com", want: ""},
+               {lastReq: "https://gopher:go@test.com", newReq: "http://link.com", want: ""},
+
+               // https to http should remove an existing referer:
+               {lastReq: "https://test.com", newReq: "http://link.com", explicitRef: "https://foo.com", want: ""},
+               {lastReq: "https://gopher:go@test.com", newReq: "http://link.com", explicitRef: "https://foo.com", want: ""},
+
+               // don't override an existing referer:
+               {lastReq: "https://test.com", newReq: "https://link.com", explicitRef: "https://foo.com", want: "https://foo.com"},
+               {lastReq: "https://gopher:go@test.com", newReq: "https://link.com", explicitRef: "https://foo.com", want: "https://foo.com"},
        }
        for _, tt := range tests {
                l, err := url.Parse(tt.lastReq)
@@ -1351,7 +1433,7 @@ func TestReferer(t *testing.T) {
                if err != nil {
                        t.Fatal(err)
                }
-               r := ExportRefererForURL(l, n)
+               r := ExportRefererForURL(l, n, tt.explicitRef)
                if r != tt.want {
                        t.Errorf("refererForURL(%q, %q) = %q; want %q", tt.lastReq, tt.newReq, r, tt.want)
                }
@@ -1366,7 +1448,7 @@ func (issue15577Tripper) RoundTrip(*Request) (*Response, error) {
        resp := &Response{
                StatusCode: 303,
                Header:     map[string][]string{"Location": {"http://www.example.com/"}},
-               Body:       ioutil.NopCloser(strings.NewReader("")),
+               Body:       io.NopCloser(strings.NewReader("")),
        }
        return resp, nil
 }
@@ -1381,19 +1463,25 @@ func TestClientRedirectResponseWithoutRequest(t *testing.T) {
        c.Get("http://dummy.tld")
 }
 
-// Issue 4800: copy (some) headers when Client follows a redirect
-func TestClientCopyHeadersOnRedirect(t *testing.T) {
+// Issue 4800: copy (some) headers when Client follows a redirect.
+// Issue 35104: Since both URLs have the same host (localhost)
+// but different ports, sensitive headers like Cookie and Authorization
+// are preserved.
+func TestClientCopyHeadersOnRedirect(t *testing.T) { run(t, testClientCopyHeadersOnRedirect) }
+func testClientCopyHeadersOnRedirect(t *testing.T, mode testMode) {
        const (
                ua   = "some-agent/1.2"
                xfoo = "foo-val"
        )
        var ts2URL string
-       ts1 := httptest.NewServer(HandlerFunc(func(w ResponseWriter, r *Request) {
+       ts1 := newClientServerTest(t, mode, HandlerFunc(func(w ResponseWriter, r *Request) {
                want := Header{
                        "User-Agent":      []string{ua},
                        "X-Foo":           []string{xfoo},
                        "Referer":         []string{ts2URL},
                        "Accept-Encoding": []string{"gzip"},
+                       "Cookie":          []string{"foo=bar"},
+                       "Authorization":   []string{"secretpassword"},
                }
                if !reflect.DeepEqual(r.Header, want) {
                        t.Errorf("Request.Header = %#v; want %#v", r.Header, want)
@@ -1403,29 +1491,25 @@ func TestClientCopyHeadersOnRedirect(t *testing.T) {
                } else {
                        w.Header().Set("Result", "ok")
                }
-       }))
-       defer ts1.Close()
-       ts2 := httptest.NewServer(HandlerFunc(func(w ResponseWriter, r *Request) {
+       })).ts
+       ts2 := newClientServerTest(t, mode, HandlerFunc(func(w ResponseWriter, r *Request) {
                Redirect(w, r, ts1.URL, StatusFound)
-       }))
-       defer ts2.Close()
+       })).ts
        ts2URL = ts2.URL
 
-       tr := &Transport{}
-       defer tr.CloseIdleConnections()
-       c := &Client{
-               Transport: tr,
-               CheckRedirect: func(r *Request, via []*Request) error {
-                       want := Header{
-                               "User-Agent": []string{ua},
-                               "X-Foo":      []string{xfoo},
-                               "Referer":    []string{ts2URL},
-                       }
-                       if !reflect.DeepEqual(r.Header, want) {
-                               t.Errorf("CheckRedirect Request.Header = %#v; want %#v", r.Header, want)
-                       }
-                       return nil
-               },
+       c := ts1.Client()
+       c.CheckRedirect = func(r *Request, via []*Request) error {
+               want := Header{
+                       "User-Agent":    []string{ua},
+                       "X-Foo":         []string{xfoo},
+                       "Referer":       []string{ts2URL},
+                       "Cookie":        []string{"foo=bar"},
+                       "Authorization": []string{"secretpassword"},
+               }
+               if !reflect.DeepEqual(r.Header, want) {
+                       t.Errorf("CheckRedirect Request.Header = %#v; want %#v", r.Header, want)
+               }
+               return nil
        }
 
        req, _ := NewRequest("GET", ts2.URL, nil)
@@ -1446,8 +1530,81 @@ func TestClientCopyHeadersOnRedirect(t *testing.T) {
        }
 }
 
+// Issue 22233: copy host when Client follows a relative redirect.
+func TestClientCopyHostOnRedirect(t *testing.T) { run(t, testClientCopyHostOnRedirect) }
+func testClientCopyHostOnRedirect(t *testing.T, mode testMode) {
+       // Virtual hostname: should not receive any request.
+       virtual := newClientServerTest(t, mode, HandlerFunc(func(w ResponseWriter, r *Request) {
+               t.Errorf("Virtual host received request %v", r.URL)
+               w.WriteHeader(403)
+               io.WriteString(w, "should not see this response")
+       })).ts
+       defer virtual.Close()
+       virtualHost := strings.TrimPrefix(virtual.URL, "http://")
+       virtualHost = strings.TrimPrefix(virtualHost, "https://")
+       t.Logf("Virtual host is %v", virtualHost)
+
+       // Actual hostname: should not receive any request.
+       const wantBody = "response body"
+       var tsURL string
+       var tsHost string
+       ts := newClientServerTest(t, mode, HandlerFunc(func(w ResponseWriter, r *Request) {
+               switch r.URL.Path {
+               case "/":
+                       // Relative redirect.
+                       if r.Host != virtualHost {
+                               t.Errorf("Serving /: Request.Host = %#v; want %#v", r.Host, virtualHost)
+                               w.WriteHeader(404)
+                               return
+                       }
+                       w.Header().Set("Location", "/hop")
+                       w.WriteHeader(302)
+               case "/hop":
+                       // Absolute redirect.
+                       if r.Host != virtualHost {
+                               t.Errorf("Serving /hop: Request.Host = %#v; want %#v", r.Host, virtualHost)
+                               w.WriteHeader(404)
+                               return
+                       }
+                       w.Header().Set("Location", tsURL+"/final")
+                       w.WriteHeader(302)
+               case "/final":
+                       if r.Host != tsHost {
+                               t.Errorf("Serving /final: Request.Host = %#v; want %#v", r.Host, tsHost)
+                               w.WriteHeader(404)
+                               return
+                       }
+                       w.WriteHeader(200)
+                       io.WriteString(w, wantBody)
+               default:
+                       t.Errorf("Serving unexpected path %q", r.URL.Path)
+                       w.WriteHeader(404)
+               }
+       })).ts
+       tsURL = ts.URL
+       tsHost = strings.TrimPrefix(ts.URL, "http://")
+       tsHost = strings.TrimPrefix(tsHost, "https://")
+       t.Logf("Server host is %v", tsHost)
+
+       c := ts.Client()
+       req, _ := NewRequest("GET", ts.URL, nil)
+       req.Host = virtualHost
+       resp, err := c.Do(req)
+       if err != nil {
+               t.Fatal(err)
+       }
+       defer resp.Body.Close()
+       if resp.StatusCode != 200 {
+               t.Fatal(resp.Status)
+       }
+       if got, err := io.ReadAll(resp.Body); err != nil || string(got) != wantBody {
+               t.Errorf("body = %q; want %q", got, wantBody)
+       }
+}
+
 // Issue 17494: cookies should be altered when Client follows redirects.
-func TestClientAltersCookiesOnRedirect(t *testing.T) {
+func TestClientAltersCookiesOnRedirect(t *testing.T) { run(t, testClientAltersCookiesOnRedirect) }
+func testClientAltersCookiesOnRedirect(t *testing.T, mode testMode) {
        cookieMap := func(cs []*Cookie) map[string][]string {
                m := make(map[string][]string)
                for _, c := range cs {
@@ -1456,7 +1613,7 @@ func TestClientAltersCookiesOnRedirect(t *testing.T) {
                return m
        }
 
-       ts := httptest.NewServer(HandlerFunc(func(w ResponseWriter, r *Request) {
+       ts := newClientServerTest(t, mode, HandlerFunc(func(w ResponseWriter, r *Request) {
                var want map[string][]string
                got := cookieMap(r.Cookies())
 
@@ -1511,16 +1668,11 @@ func TestClientAltersCookiesOnRedirect(t *testing.T) {
                if !reflect.DeepEqual(got, want) {
                        t.Errorf("redirect %s, Cookie = %v, want %v", c.Value, got, want)
                }
-       }))
-       defer ts.Close()
+       })).ts
 
-       tr := &Transport{}
-       defer tr.CloseIdleConnections()
        jar, _ := cookiejar.New(nil)
-       c := &Client{
-               Transport: tr,
-               Jar:       jar,
-       }
+       c := ts.Client()
+       c.Jar = jar
 
        u, _ := url.Parse(ts.URL)
        req, _ := NewRequest("GET", ts.URL, nil)
@@ -1556,14 +1708,30 @@ func TestShouldCopyHeaderOnRedirect(t *testing.T) {
                {"cookie", "http://foo.com/", "http://bar.com/", false},
                {"cookie2", "http://foo.com/", "http://bar.com/", false},
                {"authorization", "http://foo.com/", "http://bar.com/", false},
+               {"authorization", "http://foo.com/", "https://foo.com/", true},
+               {"authorization", "http://foo.com:1234/", "http://foo.com:4321/", true},
                {"www-authenticate", "http://foo.com/", "http://bar.com/", false},
 
                // But subdomains should work:
                {"www-authenticate", "http://foo.com/", "http://foo.com/", true},
                {"www-authenticate", "http://foo.com/", "http://sub.foo.com/", true},
                {"www-authenticate", "http://foo.com/", "http://notfoo.com/", false},
-               // TODO(bradfitz): make this test work, once issue 16142 is fixed:
-               // {"www-authenticate", "http://foo.com:80/", "http://foo.com/", true},
+               {"www-authenticate", "http://foo.com/", "https://foo.com/", true},
+               {"www-authenticate", "http://foo.com:80/", "http://foo.com/", true},
+               {"www-authenticate", "http://foo.com:80/", "http://sub.foo.com/", true},
+               {"www-authenticate", "http://foo.com:443/", "https://foo.com/", true},
+               {"www-authenticate", "http://foo.com:443/", "https://sub.foo.com/", true},
+               {"www-authenticate", "http://foo.com:1234/", "http://foo.com/", true},
+
+               {"authorization", "http://foo.com/", "http://foo.com/", true},
+               {"authorization", "http://foo.com/", "http://sub.foo.com/", true},
+               {"authorization", "http://foo.com/", "http://notfoo.com/", false},
+               {"authorization", "http://foo.com/", "https://foo.com/", true},
+               {"authorization", "http://foo.com:80/", "http://foo.com/", true},
+               {"authorization", "http://foo.com:80/", "http://sub.foo.com/", true},
+               {"authorization", "http://foo.com:443/", "https://foo.com/", true},
+               {"authorization", "http://foo.com:443/", "https://sub.foo.com/", true},
+               {"authorization", "http://foo.com:1234/", "http://foo.com/", true},
        }
        for i, tt := range tests {
                u0, err := url.Parse(tt.initialURL)
@@ -1584,10 +1752,8 @@ func TestShouldCopyHeaderOnRedirect(t *testing.T) {
        }
 }
 
-func TestClientRedirectTypes(t *testing.T) {
-       setParallel(t)
-       defer afterTest(t)
-
+func TestClientRedirectTypes(t *testing.T) { run(t, testClientRedirectTypes) }
+func testClientRedirectTypes(t *testing.T, mode testMode) {
        tests := [...]struct {
                method       string
                serverStatus int
@@ -1599,9 +1765,9 @@ func TestClientRedirectTypes(t *testing.T) {
                3: {method: "POST", serverStatus: 307, wantMethod: "POST"},
                4: {method: "POST", serverStatus: 308, wantMethod: "POST"},
 
-               5: {method: "HEAD", serverStatus: 301, wantMethod: "GET"},
-               6: {method: "HEAD", serverStatus: 302, wantMethod: "GET"},
-               7: {method: "HEAD", serverStatus: 303, wantMethod: "GET"},
+               5: {method: "HEAD", serverStatus: 301, wantMethod: "HEAD"},
+               6: {method: "HEAD", serverStatus: 302, wantMethod: "HEAD"},
+               7: {method: "HEAD", serverStatus: 303, wantMethod: "HEAD"},
                8: {method: "HEAD", serverStatus: 307, wantMethod: "HEAD"},
                9: {method: "HEAD", serverStatus: 308, wantMethod: "HEAD"},
 
@@ -1632,12 +1798,12 @@ func TestClientRedirectTypes(t *testing.T) {
 
        handlerc := make(chan HandlerFunc, 1)
 
-       ts := httptest.NewServer(HandlerFunc(func(rw ResponseWriter, req *Request) {
+       ts := newClientServerTest(t, mode, HandlerFunc(func(rw ResponseWriter, req *Request) {
                h := <-handlerc
                h(rw, req)
-       }))
-       defer ts.Close()
+       })).ts
 
+       c := ts.Client()
        for i, tt := range tests {
                handlerc <- func(w ResponseWriter, r *Request) {
                        w.Header().Set("Location", ts.URL)
@@ -1650,7 +1816,6 @@ func TestClientRedirectTypes(t *testing.T) {
                        continue
                }
 
-               c := &Client{}
                c.CheckRedirect = func(req *Request, via []*Request) error {
                        if got, want := req.Method, tt.wantMethod; got != want {
                                return fmt.Errorf("#%d: got next method %q; want %q", i, got, want)
@@ -1670,3 +1835,295 @@ func TestClientRedirectTypes(t *testing.T) {
                res.Body.Close()
        }
 }
+
+// issue18239Body is an io.ReadCloser for TestTransportBodyReadError.
+// Its Read returns readErr and increments *readCalls atomically.
+// Its Close returns nil and increments *closeCalls atomically.
+type issue18239Body struct {
+       readCalls  *int32
+       closeCalls *int32
+       readErr    error
+}
+
+func (b issue18239Body) Read([]byte) (int, error) {
+       atomic.AddInt32(b.readCalls, 1)
+       return 0, b.readErr
+}
+
+func (b issue18239Body) Close() error {
+       atomic.AddInt32(b.closeCalls, 1)
+       return nil
+}
+
+// Issue 18239: make sure the Transport doesn't retry requests with bodies
+// if Request.GetBody is not defined.
+func TestTransportBodyReadError(t *testing.T) { run(t, testTransportBodyReadError) }
+func testTransportBodyReadError(t *testing.T, mode testMode) {
+       ts := newClientServerTest(t, mode, HandlerFunc(func(w ResponseWriter, r *Request) {
+               if r.URL.Path == "/ping" {
+                       return
+               }
+               buf := make([]byte, 1)
+               n, err := r.Body.Read(buf)
+               w.Header().Set("X-Body-Read", fmt.Sprintf("%v, %v", n, err))
+       })).ts
+       c := ts.Client()
+       tr := c.Transport.(*Transport)
+
+       // Do one initial successful request to create an idle TCP connection
+       // for the subsequent request to reuse. (The Transport only retries
+       // requests on reused connections.)
+       res, err := c.Get(ts.URL + "/ping")
+       if err != nil {
+               t.Fatal(err)
+       }
+       res.Body.Close()
+
+       var readCallsAtomic int32
+       var closeCallsAtomic int32 // atomic
+       someErr := errors.New("some body read error")
+       body := issue18239Body{&readCallsAtomic, &closeCallsAtomic, someErr}
+
+       req, err := NewRequest("POST", ts.URL, body)
+       if err != nil {
+               t.Fatal(err)
+       }
+       req = req.WithT(t)
+       _, err = tr.RoundTrip(req)
+       if err != someErr {
+               t.Errorf("Got error: %v; want Request.Body read error: %v", err, someErr)
+       }
+
+       // And verify that our Body wasn't used multiple times, which
+       // would indicate retries. (as it buggily was during part of
+       // Go 1.8's dev cycle)
+       readCalls := atomic.LoadInt32(&readCallsAtomic)
+       closeCalls := atomic.LoadInt32(&closeCallsAtomic)
+       if readCalls != 1 {
+               t.Errorf("read calls = %d; want 1", readCalls)
+       }
+       if closeCalls != 1 {
+               t.Errorf("close calls = %d; want 1", closeCalls)
+       }
+}
+
+type roundTripperWithoutCloseIdle struct{}
+
+func (roundTripperWithoutCloseIdle) RoundTrip(*Request) (*Response, error) { panic("unused") }
+
+type roundTripperWithCloseIdle func() // underlying func is CloseIdleConnections func
+
+func (roundTripperWithCloseIdle) RoundTrip(*Request) (*Response, error) { panic("unused") }
+func (f roundTripperWithCloseIdle) CloseIdleConnections()               { f() }
+
+func TestClientCloseIdleConnections(t *testing.T) {
+       c := &Client{Transport: roundTripperWithoutCloseIdle{}}
+       c.CloseIdleConnections() // verify we don't crash at least
+
+       closed := false
+       var tr RoundTripper = roundTripperWithCloseIdle(func() {
+               closed = true
+       })
+       c = &Client{Transport: tr}
+       c.CloseIdleConnections()
+       if !closed {
+               t.Error("not closed")
+       }
+}
+
+func TestClientPropagatesTimeoutToContext(t *testing.T) {
+       errDial := errors.New("not actually dialing")
+       c := &Client{
+               Timeout: 5 * time.Second,
+               Transport: &Transport{
+                       DialContext: func(ctx context.Context, netw, addr string) (net.Conn, error) {
+                               deadline, ok := ctx.Deadline()
+                               if !ok {
+                                       t.Error("no deadline")
+                               } else {
+                                       t.Logf("deadline in %v", deadline.Sub(time.Now()).Round(time.Second/10))
+                               }
+                               return nil, errDial
+                       },
+               },
+       }
+       c.Get("https://example.tld/")
+}
+
+// Issue 33545: lock-in the behavior promised by Client.Do's
+// docs about request cancellation vs timing out.
+func TestClientDoCanceledVsTimeout(t *testing.T) { run(t, testClientDoCanceledVsTimeout) }
+func testClientDoCanceledVsTimeout(t *testing.T, mode testMode) {
+       cst := newClientServerTest(t, mode, HandlerFunc(func(w ResponseWriter, r *Request) {
+               w.Write([]byte("Hello, World!"))
+       }))
+
+       cases := []string{"timeout", "canceled"}
+
+       for _, name := range cases {
+               t.Run(name, func(t *testing.T) {
+                       var ctx context.Context
+                       var cancel func()
+                       if name == "timeout" {
+                               ctx, cancel = context.WithTimeout(context.Background(), -time.Nanosecond)
+                       } else {
+                               ctx, cancel = context.WithCancel(context.Background())
+                               cancel()
+                       }
+                       defer cancel()
+
+                       req, _ := NewRequestWithContext(ctx, "GET", cst.ts.URL, nil)
+                       _, err := cst.c.Do(req)
+                       if err == nil {
+                               t.Fatal("Unexpectedly got a nil error")
+                       }
+
+                       ue := err.(*url.Error)
+
+                       var wantIsTimeout bool
+                       var wantErr error = context.Canceled
+                       if name == "timeout" {
+                               wantErr = context.DeadlineExceeded
+                               wantIsTimeout = true
+                       }
+                       if g, w := ue.Timeout(), wantIsTimeout; g != w {
+                               t.Fatalf("url.Timeout() = %t, want %t", g, w)
+                       }
+                       if g, w := ue.Err, wantErr; g != w {
+                               t.Errorf("url.Error.Err = %v; want %v", g, w)
+                       }
+               })
+       }
+}
+
+type nilBodyRoundTripper struct{}
+
+func (nilBodyRoundTripper) RoundTrip(req *Request) (*Response, error) {
+       return &Response{
+               StatusCode: StatusOK,
+               Status:     StatusText(StatusOK),
+               Body:       nil,
+               Request:    req,
+       }, nil
+}
+
+func TestClientPopulatesNilResponseBody(t *testing.T) {
+       c := &Client{Transport: nilBodyRoundTripper{}}
+
+       resp, err := c.Get("http://localhost/anything")
+       if err != nil {
+               t.Fatalf("Client.Get rejected Response with nil Body: %v", err)
+       }
+
+       if resp.Body == nil {
+               t.Fatalf("Client failed to provide a non-nil Body as documented")
+       }
+       defer func() {
+               if err := resp.Body.Close(); err != nil {
+                       t.Fatalf("error from Close on substitute Response.Body: %v", err)
+               }
+       }()
+
+       if b, err := io.ReadAll(resp.Body); err != nil {
+               t.Errorf("read error from substitute Response.Body: %v", err)
+       } else if len(b) != 0 {
+               t.Errorf("substitute Response.Body was unexpectedly non-empty: %q", b)
+       }
+}
+
+// Issue 40382: Client calls Close multiple times on Request.Body.
+func TestClientCallsCloseOnlyOnce(t *testing.T) { run(t, testClientCallsCloseOnlyOnce) }
+func testClientCallsCloseOnlyOnce(t *testing.T, mode testMode) {
+       cst := newClientServerTest(t, mode, HandlerFunc(func(w ResponseWriter, r *Request) {
+               w.WriteHeader(StatusNoContent)
+       }))
+
+       // Issue occurred non-deterministically: needed to occur after a successful
+       // write (into TCP buffer) but before end of body.
+       for i := 0; i < 50 && !t.Failed(); i++ {
+               body := &issue40382Body{t: t, n: 300000}
+               req, err := NewRequest(MethodPost, cst.ts.URL, body)
+               if err != nil {
+                       t.Fatal(err)
+               }
+               resp, err := cst.tr.RoundTrip(req)
+               if err != nil {
+                       t.Fatal(err)
+               }
+               resp.Body.Close()
+       }
+}
+
+// issue40382Body is an io.ReadCloser for TestClientCallsCloseOnlyOnce.
+// Its Read reads n bytes before returning io.EOF.
+// Its Close returns nil but fails the test if called more than once.
+type issue40382Body struct {
+       t                *testing.T
+       n                int
+       closeCallsAtomic int32
+}
+
+func (b *issue40382Body) Read(p []byte) (int, error) {
+       switch {
+       case b.n == 0:
+               return 0, io.EOF
+       case b.n < len(p):
+               p = p[:b.n]
+               fallthrough
+       default:
+               for i := range p {
+                       p[i] = 'x'
+               }
+               b.n -= len(p)
+               return len(p), nil
+       }
+}
+
+func (b *issue40382Body) Close() error {
+       if atomic.AddInt32(&b.closeCallsAtomic, 1) == 2 {
+               b.t.Error("Body closed more than once")
+       }
+       return nil
+}
+
+func TestProbeZeroLengthBody(t *testing.T) { run(t, testProbeZeroLengthBody) }
+func testProbeZeroLengthBody(t *testing.T, mode testMode) {
+       reqc := make(chan struct{})
+       cst := newClientServerTest(t, mode, HandlerFunc(func(w ResponseWriter, r *Request) {
+               close(reqc)
+               if _, err := io.Copy(w, r.Body); err != nil {
+                       t.Errorf("error copying request body: %v", err)
+               }
+       }))
+
+       bodyr, bodyw := io.Pipe()
+       var gotBody string
+       var wg sync.WaitGroup
+       wg.Add(1)
+       go func() {
+               defer wg.Done()
+               req, _ := NewRequest("GET", cst.ts.URL, bodyr)
+               res, err := cst.c.Do(req)
+               b, err := io.ReadAll(res.Body)
+               if err != nil {
+                       t.Error(err)
+               }
+               gotBody = string(b)
+       }()
+
+       select {
+       case <-reqc:
+               // Request should be sent after trying to probe the request body for 200ms.
+       case <-time.After(60 * time.Second):
+               t.Errorf("request not sent after 60s")
+       }
+
+       // Write the request body and wait for the request to complete.
+       const content = "body"
+       bodyw.Write([]byte(content))
+       bodyw.Close()
+       wg.Wait()
+       if gotBody != content {
+               t.Fatalf("server got body %q, want %q", gotBody, content)
+       }
+}