From 2ce4f1173e3a67f9bdf03b8ffa1f970656602c4b Mon Sep 17 00:00:00 2001
From: Andreas Kohn
Date: Sat, 2 Nov 2024 17:22:25 +0100
Subject: [PATCH] Add a fast path for the DefaultCertificateSelector

In cases where we only have a single certificate to choose from we will anyways pick that certificate, regardless of whether the certificate is supported by the client or is expired.
---
 handshake.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/handshake.go b/handshake.go
index 1ff0ce27..201c6c5a 100644
--- a/handshake.go
+++ b/handshake.go
@@ -231,9 +231,16 @@ func (cfg *Config) selectCert(hello *tls.ClientHelloInfo, name string) (Certific
 // otherwise it returns an expired certificate that the client supports,
 // otherwise it just returns the first certificate in the list of choices.
 func DefaultCertificateSelector(hello *tls.ClientHelloInfo, choices []Certificate) (Certificate, error) {
+ if len(choices) == 1 {
+ // Fast path: There's only one choice, so we would always return that one
+ // regardless of whether it is expired or not compatible.
+ return choices[0], nil
+ }
 if len(choices) == 0 {
 return Certificate{}, fmt.Errorf("no certificates available")
 }
+
+ // Slow path: There are choices, so we need to check each of them.
 now := time.Now()
 best := choices[0]
 for _, choice := range choices {
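Review bot: The fast path at the top of DefaultCertificateSelector hard-codes the slow path's last-resort fallback (`best := choices[0]`), so the two can drift: if the loop below is ever tightened to refuse expired or client-incompatible certificates, a single-certificate configuration would keep serving one unnoticed. I would tie them together in the comment, e.g. `// Must match the fallback of the loop below; revisit if that loop ever rejects expired or unsupported certificates.`, and add a test pinning the single-certificate result for the expired and unsupported cases, since the diffstat shows only handshake.go changing. Placing the `len(choices) == 0` check first would also keep the error case ahead of the shortcut. The function body continues past the end of the hunk, so the loop's selection rules are inferred here from the doc-comment lines shown as context.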