proposal: crypto/tls: set Certificate.Leaf from [Load]X509KeyPair #67065
Labels: Proposal, Proposal-Crypto (Proposal related to crypto packages or other security issues), Proposal-FinalCommentPeriod
LoadX509KeyPair and X509KeyPair are documented to return a tls.Certificate with a nil Leaf *x509.Certificate field. This was done intentionally out of concern that servers that manage a lot of certificates would be wasting significant amounts of memory to keep the parsed version of the certificates around.
Originally, the parsed certificate was rarely used in crypto/tls. However, the new automatic certificate selection also needs that, causing significant slowdown if the certificates need to be re-parsed every time. See #35504.
Moreover, it seems that despite the documentation note, Leaf being nil catches some users by surprise. #35504 (comment)
I believe setting Leaf in LoadX509KeyPair and X509KeyPair would be a more natural API, and servers that load very large amounts of certificates and need to save memory can explicitly set it to nil.
Now that we have GODEBUGs, I think we should make the change. It's very unlikely there are programs that will break because a field is not nil.
/cc @golang/security @golang/proposal-review
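The tradeoff the proposal describes, shown in code. This is an added example, not code from the proposal author or from the Go project: it builds a throwaway self-signed certificate (constructed input, not a real key), loads it with tls.X509KeyPair, and uses three hypothetical helpers, EnsureLeaf, DropLeaf and PickCertificate, which are not part of crypto/tls. EnsureLeaf parses cert.Certificate[0] into Leaf only when it is nil, so the code behaves the same whether or not the Go version it is built with already populates Leaf; PickCertificate is a GetCertificate-style selector that matches SNI against the parsed leaf instead of re-parsing DER on every handshake, which is the slowdown the proposal refers to; DropLeaf is what a server holding very many certificates would do to reclaim the memory of the parsed form.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"log"
	"math/big"
	"time"
)

// selfSignedPEM builds a throwaway self-signed certificate for host and returns
// the PEM-encoded certificate and key in the form X509KeyPair expects.
// Constructed test input for this example; not a real certificate.
func selfSignedPEM(host string) (certPEM, keyPEM []byte, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

// EnsureLeaf (hypothetical helper) fills cert.Leaf from the DER leaf when it is
// nil, so callers see the same result whether or not X509KeyPair set it.
func EnsureLeaf(cert *tls.Certificate) (*x509.Certificate, error) {
	if cert.Leaf != nil {
		return cert.Leaf, nil
	}
	if len(cert.Certificate) == 0 {
		return nil, fmt.Errorf("certificate chain is empty")
	}
	leaf, err := x509.ParseCertificate(cert.Certificate[0])
	if err != nil {
		return nil, err
	}
	cert.Leaf = leaf
	return leaf, nil
}

// DropLeaf (hypothetical helper) releases the parsed form to save memory;
// the DER bytes in cert.Certificate are untouched and can be re-parsed later.
func DropLeaf(cert *tls.Certificate) { cert.Leaf = nil }

// PickCertificate (hypothetical helper) parses each Leaf at most once and then
// matches serverName against it, rather than parsing DER per handshake.
func PickCertificate(certs []*tls.Certificate, serverName string) (*tls.Certificate, error) {
	for _, c := range certs {
		leaf, err := EnsureLeaf(c)
		if err != nil {
			return nil, err
		}
		if leaf.VerifyHostname(serverName) == nil {
			return c, nil
		}
	}
	return nil, fmt.Errorf("no certificate for %q", serverName)
}

func main() {
	var certs []*tls.Certificate
	for _, host := range []string{"a.example.test", "b.example.test"} {
		certPEM, keyPEM, err := selfSignedPEM(host)
		if err != nil {
			log.Fatal(err)
		}
		c, err := tls.X509KeyPair(certPEM, keyPEM)
		if err != nil {
			log.Fatal(err)
		}
		fmt.Printf("%s: Leaf set by X509KeyPair: %v\n", host, c.Leaf != nil)
		certs = append(certs, &c)
	}
	picked, err := PickCertificate(certs, "b.example.test")
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("selected:", picked.Leaf.Subject.CommonName)
	DropLeaf(picked)
	fmt.Println("Leaf after DropLeaf is nil:", picked.Leaf == nil)
}
```

Run it as-is; the first line printed for each host tells you whether the Go toolchain you built with populates Leaf in X509KeyPair, and the selection and DropLeaf steps work identically in both cases because EnsureLeaf normalizes the difference.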