[release-branch.go1.12] crypto/tls, runtime: document GODEBUG TLS 1.3 option

Change-Id: I6801676335924414ce50249df2b7bea08886b203
Reviewed-on: https://go-review.googlesource.com/c/162360
Reviewed-by: Filippo Valsorda <filippo@golang.org>
(cherry picked from commit 48bb61166711f47eb401f245c704a5a4887d4503)
Reviewed-on: https://go-review.googlesource.com/c/162497

2 files changed, 10 insertions, 1 deletions

diff --git a/src/crypto/tls/tls.go b/src/crypto/tls/tls.go
index f8e32ab495..578035cf73 100644
--- a/src/crypto/tls/tls.go
+++ b/src/crypto/tls/tls.go
@@ -4,6 +4,15 @@
 
 // Package tls partially implements TLS 1.2, as specified in RFC 5246,
 // and TLS 1.3, as specified in RFC 8446.
+//
+// TLS 1.3 is available only on an opt-in basis in Go 1.12. To enable
+// it, set the GODEBUG environment variable (comma-separated key=value
+// options) such that it includes "tls13=1". To enable it from within
+// the process, set the environment variable before any use of TLS:
+//
+//     func init() {
+//         os.Setenv("GODEBUG", os.Getenv("GODEBUG")+",tls13=1")
+//     }
 package tls
 
 // BUG(agl): The crypto/tls package only implements some countermeasures
diff --git a/src/runtime/extern.go b/src/runtime/extern.go
index 437406d991..e308dd38b1 100644
--- a/src/runtime/extern.go
+++ b/src/runtime/extern.go
@@ -127,7 +127,7 @@ It is a comma-separated list of name=val pairs setting these named variables:
 	IDs will refer to the ID of the goroutine at the time of creation; it's possible for this
 	ID to be reused for another goroutine. Setting N to 0 will report no ancestry information.
 
-The net and net/http packages also refer to debugging variables in GODEBUG.
+The net, net/http, and crypto/tls packages also refer to debugging variables in GODEBUG.
 See the documentation for those packages for details.
 
 The GOMAXPROCS variable limits the number of operating system threads that