
Add a fast path for the DefaultCertificateSelector #318

Merged

Conversation

@ankon (Contributor) commented Nov 2, 2024

In cases where we only have a single certificate to choose from we will anyways pick that certificate, regardless of whether the certificate is supported by the client or is expired.

@ankon (Contributor Author) commented Nov 2, 2024

Found while reading and profiling the whole "get certificate" path. The "supports certificate" function is actually rather complex, and if we anyways will return the certificate there is no point in calling it (or the expiration check) here.

```go
	if len(choices) == 0 {
		return Certificate{}, fmt.Errorf("no certificates available")
	}

	// Slow path: There are choices, so we need to check each of them.
	now := time.Now()
```
Contributor Author (ankon) commented on the lines above:

I didn't check, but: There might be a good opportunity to split the slow path out into a separate function, so that the fast path can be inlined.

Member (mholt) replied:

Should be doable. Lemme catch up on this next Caddy beta release and then I/we can explore that as a follow-up PR. I'd be curious if the inlining actually happens and if so does the performance improve?

@mholt (Member) left a comment

Thanks for this optimization, makes sense!

At first I read the comment, and was like, "No, wait, we shouldn't serve expired or incompatible certs." But then I realized that we already do this below (best := choices[0]) and remembered why... it's generally best practice to serve any matching certificate you have in response to a ClientHello because it can help with troubleshooting. Like if you serve an expired cert, you can instantly know that something about its renewal failed (for a long time!)... or if it's an incompatible cert, you can verify that everything on the server is correct and that the client program just needs to get over itself and support it 😅

Anyway, thanks again for this.

@mholt mholt merged commit c1f1d52 into caddyserver:master Nov 4, 2024
6 checks passed