crypto/tls: use Config.GetCertificate before Config.Certificates, even without SNI #9208

Closed
gopherbot opened this issue Dec 5, 2014 · 4 comments

@gopherbot gopherbot commented Dec 5, 2014

I'd like to be able to use GetCertificate to dynamically generate a certificate at the
time the request comes in (with caching on top). As is, the code always checks
config.Certificates first, even if it won't be used.

My wish is:

1. GetCertificate would be called even without SNI (no SNI shows up as
ClientHelloInfo.ServerName=="", the docs already talk about this)

2. config.Certificates would be looked at only if GetCertificate returns nil, nil
@gopherbot gopherbot added the new label Dec 5, 2014
@bradfitz bradfitz removed the new label Dec 18, 2014

@rsc rsc commented Apr 10, 2015

I doubt this can be changed without breaking Go 1.x compatibility.

@agl

@rsc rsc commented Apr 10, 2015

Or maybe if Certificates == nil?

@rsc rsc changed the title crypto/tls: Allow using Config.GetCertificate to fully replace Config.Certificates, call it even without SNI crypto/tls: use Config.GetCertificate before Config.Certificates, even without SNI Apr 10, 2015
@agl agl self-assigned this Apr 12, 2015

@agl agl commented Apr 12, 2015

@gopherbot gopherbot commented Apr 25, 2015

CL https://golang.org/cl/8792 mentions this issue.

@agl agl closed this in cba882e Apr 26, 2015
@golang golang locked and limited conversation to collaborators Jun 25, 2016
FiloSottile pushed a commit to FiloSottile/go that referenced this issue Oct 12, 2018
This change causes the GetCertificate callback to be called if
Certificates is empty. Previously this configuration would result in an
error.

This allows people to have servers that depend entirely on dynamic
certificate selection, even when the client doesn't send SNI.

Fixes golang#9208.

Change-Id: I2f5a5551215958b88b154c64a114590300dfc461
Reviewed-on: https://go-review.googlesource.com/8792
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
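
Added example (not from the issue thread or from the Go project's code): a server whose `tls.Config` sets only `GetCertificate` and leaves `Certificates` empty, the configuration the commit message above describes, handshaking with a client that sends no SNI. The helper names `getCert` and `servedName`, the fallback name `default.invalid`, and the self-signed Ed25519 certificates are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"sync"
	"time"
)

var cache sync.Map // name -> *tls.Certificate; safe for concurrent handshakes

// getCert issues and caches a self-signed certificate for the requested name.
func getCert(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	name := hello.ServerName
	if name == "" { // no SNI in the ClientHello
		name = "default.invalid" // constructed fallback name
	}
	if c, ok := cache.Load(name); ok {
		return c.(*tls.Certificate), nil
	}
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), DNSNames: []string{name},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	c, _ := cache.LoadOrStore(name, &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key})
	return c.(*tls.Certificate), nil
}

// servedName handshakes in memory (no Config.Certificates) and returns the served DNS name.
func servedName(sni string) (string, error) {
	cli, srv := net.Pipe() // unbuffered, so the server is capped at TLS 1.2 to keep flights alternating
	go tls.Server(srv, &tls.Config{GetCertificate: getCert, MaxVersion: tls.VersionTLS12}).Handshake()
	c := tls.Client(cli, &tls.Config{ServerName: sni, InsecureSkipVerify: true}) // self-signed test cert
	if err := c.Handshake(); err != nil {
		return "", err
	}
	return c.ConnectionState().PeerCertificates[0].DNSNames[0], nil
}

func main() { n, err := servedName(""); println(n, err == nil) }
```

A production callback would return a certificate that chains to a CA the clients trust; `InsecureSkipVerify` appears here only because the sample certificates are self-signed.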