Found in a Google program running under the race detector.
No test, but verified that this fixes the race with go run -race of:

	package main

	import (
	        "crypto/tls"
	        "fmt"
	        "net"
	        "net/http"
	        "net/http/httptest"
	)

	func main() {
	        for {
	                ts := httptest.NewTLSServer(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {}))
	                conf := &tls.Config{} // non-nil
	                a, b := net.Pipe()
	                go func() {
	                        sconn := tls.Server(a, conf)
	                        sconn.Handshake()
	                }()
	                tr := &http.Transport{
	                        TLSClientConfig: conf,
	                }
	                req, _ := http.NewRequest("GET", ts.URL, nil)
	                _, err := tr.RoundTrip(req)
	                println(fmt.Sprint(err))
	                a.Close()
	                b.Close()
	                ts.Close()
	        }
	}

Also modified cmd/vet to report the copy-of-mutex bug statically
in CL 13646, and fixed two other instances in the code found by vet.
But vet could not have told us about cloneTLSConfig vs cloneTLSClientConfig.

Confirmed that original report is also fixed by this.

Fixes #12099.

Change-Id: Iba0171549e01852a5ec3438c25a1951c98524dec
Reviewed-on: https://go-review.googlesource.com/13453Reviewed-by: Ian Lance Taylor <iant@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Austin Clements <austin@google.com>
Run-TryBot: Russ Cox <rsc@golang.org>