Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/tls: improve default performance of SupportsCertificate #35504

FiloSottile opened this issue Nov 11, 2019 · 1 comment

crypto/tls: improve default performance of SupportsCertificate #35504

FiloSottile opened this issue Nov 11, 2019 · 1 comment


Copy link

@FiloSottile FiloSottile commented Nov 11, 2019

As discussed in, SupportsCertificate requires c.Leaf to be set not to be extremely slow (because it needs to re-parse the leaf every time). This also impacts automatic selection from multiple Certificates candidates.

There are multiple solutions suggested on the CL, I will pick one and turn this into a proposal for further discussion.

@FiloSottile FiloSottile added this to the Go1.15 milestone Nov 11, 2019

This comment has been minimized.

Copy link

@gopherbot gopherbot commented Nov 11, 2019

Change mentions this issue: crypto/tls: select only compatible chains from Certificates

gopherbot pushed a commit that referenced this issue Nov 12, 2019
Now that we have a full implementation of the logic to check certificate
compatibility, we can let applications just list multiple chains in
Certificates (for example, an RSA and an ECDSA one) and choose the most
appropriate automatically.

NameToCertificate only maps each name to one chain, so simply deprecate
it, and while at it simplify its implementation by not stripping
trailing dots from the SNI (which is specified not to have any, see RFC
6066, Section 3) and by not supporting multi-level wildcards, which are
not a thing in the WebPKI (and in crypto/x509).

The performance of SupportsCertificate without Leaf is poor, but doesn't
affect current users. For now document that, and address it properly in
the next cycle. See #35504.

While cleaning up the Certificates/GetCertificate/GetConfigForClient
behavior, also support leaving Certificates/GetCertificate nil if
GetConfigForClient is set, and send unrecognized_name when there are no
available certificates.

Fixes #29139
Fixes #18377

Change-Id: I26604db48806fe4d608388e55da52f34b7ca4566
Run-TryBot: Filippo Valsorda <>
TryBot-Result: Gobot Gobot <>
Reviewed-by: Katie Hockman <>
@FiloSottile FiloSottile modified the milestones: Go1.15, Backlog Mar 31, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants
You can’t perform that action at this time.