commit d39d30828c33885a0642234cc7a214c1de230b3e
parent 457fdd7e334eb5ef875dc4f8e61f4fda8183fb95
Author: Robert Russell <robertrussell.72001@gmail.com>
Date: Mon, 15 Jul 2024 12:45:51 -0700
Parse leaf certificates in advance
The go crypto/tls documentation recommends this to reduce
per-handshake processing.
Diffstat:
1 file changed, 17 insertions(+), 4 deletions(-)
diff --git a/tlsrp.go b/tlsrp.go
@@ -5,6 +5,7 @@ package main
import (
"context"
"crypto/tls"
+ "crypto/x509"
"errors"
"flag"
"fmt"
@@ -163,6 +164,18 @@ type config struct {
certs []cert
}
+func loadCert(crtPath, keyPath string) (*tls.Certificate, error) {
+ tlsCert, err := tls.LoadX509KeyPair(crtPath, keyPath)
+ if err != nil {
+ return nil, err
+ }
+ tlsCert.Leaf, err = x509.ParseCertificate(tlsCert.Certificate[0])
+ if err != nil {
+ return nil, err
+ }
+ return &tlsCert, nil
+}
+
func loadConfig(path string) (config, error) {
file, err := os.Open(path)
if err != nil {
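Review bot: The error from x509.ParseCertificate on line 27 is returned bare, and the loadConfig caller (line 44) returns it unchanged, so a parse failure reports neither which file nor which step failed; wrap it as `return nil, fmt.Errorf("parsing leaf certificate %q: %w", crtPath, err)` (fmt is already imported). loadCert also has no doc comment; I would add `// loadCert loads a PEM certificate/key pair and pre-parses the leaf so crypto/tls does not re-parse it on every handshake.` above it. Indexing Certificate[0] is safe because tls.LoadX509KeyPair fails when no certificate PEM block is found. Note that from Go 1.23 LoadX509KeyPair populates Leaf itself, so on newer toolchains this parse is redundant but harmless; a comment recording the minimum Go version this helper targets would let it be dropped later.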
@@ -204,7 +217,7 @@ func loadConfig(path string) (config, error) {
case "cert":
crtPath := fields[1]
keyPath := fields[2]
- tlsCert, err := tls.LoadX509KeyPair(crtPath, keyPath)
+ tlsCert, err := loadCert(crtPath, keyPath)
if err != nil {
return config{}, err
}
@@ -218,7 +231,7 @@ func loadConfig(path string) (config, error) {
pattern: pat,
crtPath: crtPath,
keyPath: keyPath,
- cert: &tlsCert,
+ cert: tlsCert,
}
cfg.certs = append(cfg.certs, cert)
@@ -251,9 +264,9 @@ func manageConfig(cfgPath string) {
for i := range certs {
crtPath := certs[i].crtPath
keyPath := certs[i].keyPath
- tlsCert, err := tls.LoadX509KeyPair(crtPath, keyPath)
+ tlsCert, err := loadCert(crtPath, keyPath)
if err == nil {
- certs[i].cert = &tlsCert
+ certs[i].cert = tlsCert
} else {
log.Printf("failed to reload certificate (%s, %s): %s\n", crtPath, keyPath, err)
}