From 2f57f7626e7e22e6d93ac8f2cdcbc14ffbbc45c5 Mon Sep 17 00:00:00 2001
From: Filippo Valsorda
Date: Tue, 12 May 2026 16:13:26 -0400
Subject: [PATCH] crypto/tls: remove the x509keypairleaf GODEBUG setting

Fixes #75316

Change-Id: I241af97bf6a05e94f40a9f62393ed4fe6a6a6964
Reviewed-on: https://go-review.googlesource.com/c/go/+/777384
Reviewed-by: David Chase
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com
Reviewed-by: Roland Shoemaker
Auto-Submit: Filippo Valsorda
---
 doc/godebug.md | 2 ++
 src/crypto/tls/tls.go | 18 +----------------
 src/crypto/tls/tls_test.go | 36 +++++++---------------------------
 src/internal/godebugs/table.go | 10 +++++-----
 src/runtime/metrics/doc.go | 5 -----
 5 files changed, 15 insertions(+), 56 deletions(-)

diff --git a/doc/godebug.md b/doc/godebug.md
index 432a5ab123..9c5c01d3b2 100644
--- a/doc/godebug.md
+++ b/doc/godebug.md
@@ -166,6 +166,8 @@ Go 1.27 removed the `tls3des` setting, as noted in the [Go 1.23](#go-123) sectio
 
 Go 1.27 removed the `tls10server` setting, as noted in the [Go 1.22](#go-122) section.
 
+Go 1.27 removed the `x509keypairleaf` setting, as noted in the [Go 1.23](#go-123) section.
+
 Go 1.27 added a new `htmlmetacontenturlescape` setting that controls whether html/template will escape URLs in the `url=` portion of the content attribute of HTML meta tags. The default `htmlmetacontentescape=1` will cause URLs to be
diff --git a/src/crypto/tls/tls.go b/src/crypto/tls/tls.go
index 680d80f389..eefac8a98b 100644
--- a/src/crypto/tls/tls.go
+++ b/src/crypto/tls/tls.go
@@ -34,7 +34,6 @@ import (
 "encoding/pem"
 "errors"
 "fmt"
- "internal/godebug"
 "net"
 "os"
 "strings"
@@ -240,10 +239,6 @@ func (d *Dialer) DialContext(ctx context.Context, network, addr string) (net.Con
 // files. The files must contain PEM encoded data. The certificate file may
 // contain intermediate certificates following the leaf certificate to form a
 // certificate chain. On successful return, Certificate.Leaf will be populated.
-//
-// Before Go 1.23 Certificate.Leaf was left nil, and the parsed certificate was
-// discarded. This behavior can be re-enabled by setting "x509keypairleaf=0"
-// in the GODEBUG environment variable.
 func LoadX509KeyPair(certFile, keyFile string) (Certificate, error) {
 certPEMBlock, err := os.ReadFile(certFile)
 if err != nil {
@@ -256,14 +251,8 @@ func LoadX509KeyPair(certFile, keyFile string) (Certificate, error) {
 return X509KeyPair(certPEMBlock, keyPEMBlock)
 }
 
-var x509keypairleaf = godebug.New("x509keypairleaf")
-
 // X509KeyPair parses a public/private key pair from a pair of
 // PEM encoded data. On successful return, Certificate.Leaf will be populated.
-//
-// Before Go 1.23 Certificate.Leaf was left nil, and the parsed certificate was
-// discarded. This behavior can be re-enabled by setting "x509keypairleaf=0"
-// in the GODEBUG environment variable.
 func X509KeyPair(certPEMBlock, keyPEMBlock []byte) (Certificate, error) {
 fail := func(err error) (Certificate, error) { return Certificate{}, err }
 
@@ -317,12 +306,7 @@ func X509KeyPair(certPEMBlock, keyPEMBlock []byte) (Certificate, error) {
 if err != nil {
 return fail(err)
 }
-
- if x509keypairleaf.Value() != "0" {
- cert.Leaf = x509Cert
- } else {
- x509keypairleaf.IncNonDefault()
- }
+ cert.Leaf = x509Cert
 
 cert.PrivateKey, err = parsePrivateKey(keyDERBlock.Bytes)
 if err != nil {
diff --git a/src/crypto/tls/tls_test.go b/src/crypto/tls/tls_test.go
index e14ce9cbd2..3db1365a97 100644
--- a/src/crypto/tls/tls_test.go
+++ b/src/crypto/tls/tls_test.go
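Review bot: The rewritten doc comments on LoadX509KeyPair (hunk -240) and X509KeyPair (hunk -256) now state only that Certificate.Leaf will be populated, so the history that older releases left it nil disappears from the package docs along with the GODEBUG knob. Callers that still nil-check Leaf for compatibility with pre-1.23 behaviour lose the one place that explained why; consider keeping the first half of the removed sentence as a plain historical note, `// Before Go 1.23, Certificate.Leaf was left nil and the parsed certificate was discarded.`, on both functions, and drop only the GODEBUG instructions. The bodies of both functions continue outside their hunks.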
@@ -2541,35 +2541,13 @@ func TestX509KeyPairPopulateCertificate(t *testing.T) {
 }
 certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
 
- t.Run("x509keypairleaf=0", func(t *testing.T) {
- testenv.SetGODEBUG(t, "x509keypairleaf=0")
- cert, err := X509KeyPair(certPEM, keyPEM)
- if err != nil {
- t.Fatal(err)
- }
- if cert.Leaf != nil {
- t.Fatal("Leaf should not be populated")
- }
- })
- t.Run("x509keypairleaf=1", func(t *testing.T) {
- testenv.SetGODEBUG(t, "x509keypairleaf=1")
- cert, err := X509KeyPair(certPEM, keyPEM)
- if err != nil {
- t.Fatal(err)
- }
- if cert.Leaf == nil {
- t.Fatal("Leaf should be populated")
- }
- })
- t.Run("GODEBUG unset", func(t *testing.T) {
- cert, err := X509KeyPair(certPEM, keyPEM)
- if err != nil {
- t.Fatal(err)
- }
- if cert.Leaf == nil {
- t.Fatal("Leaf should be populated")
- }
- })
+ cert, err := X509KeyPair(certPEM, keyPEM)
+ if err != nil {
+ t.Fatal(err)
+ }
+ if cert.Leaf == nil {
+ t.Fatal("Leaf should be populated")
+ }
 }
 
 func TestEarlyLargeCertMsg(t *testing.T) {
diff --git a/src/internal/godebugs/table.go b/src/internal/godebugs/table.go
index 6f3a98c95e..10b3919d51 100644
--- a/src/internal/godebugs/table.go
+++ b/src/internal/godebugs/table.go
@@ -73,7 +73,6 @@ var All = []Info{
 {Name: "urlstrictcolons", Package: "net/url", Changed: 26, Old: "0"},
 {Name: "winreadlinkvolume", Package: "os", Changed: 23, Old: "0"},
 {Name: "winsymlink", Package: "os", Changed: 23, Old: "0"},
- {Name: "x509keypairleaf", Package: "crypto/tls", Changed: 23, Old: "0"},
 {Name: "x509negativeserial", Package: "crypto/x509", Changed: 23, Old: "1"},
 {Name: "x509rsacrt", Package: "crypto/x509", Changed: 24, Old: "0"},
 {Name: "x509sha256skid", Package: "crypto/x509", Changed: 25, Old: "0"},
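Review bot: The surviving assertion in TestX509KeyPairPopulateCertificate only checks that cert.Leaf is non-nil, so a regression that populated Leaf with the wrong certificate (for example an intermediate from a multi-block PEM) would still pass. The test already has the DER it encoded into certPEM, so after the nil check it can pin the identity of the populated leaf: `if !bytes.Equal(cert.Leaf.Raw, certDER) { t.Fatal("Leaf does not match the parsed certificate") }`, assuming this test file already imports bytes. The function begins outside the hunk.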
@@ -95,10 +94,11 @@ type RemovedInfo struct {
 var Removed = []RemovedInfo{
 {Name: "x509sha1", Removed: 24},
 {Name: "gotypesalias", Removed: 27},
- {Name: "tlsunsafeekm", Removed: 27}, // Old: "1"
- {Name: "tlsrsakex", Removed: 27}, // Old: "1"
- {Name: "tls3des", Removed: 27}, // Old: "1"
- {Name: "tls10server", Removed: 27}, // Old: "1"
+ {Name: "tlsunsafeekm", Removed: 27}, // Old: "1"
+ {Name: "tlsrsakex", Removed: 27}, // Old: "1"
+ {Name: "tls3des", Removed: 27}, // Old: "1"
+ {Name: "tls10server", Removed: 27}, // Old: "1"
+ {Name: "x509keypairleaf", Removed: 27}, // Old: "0"
 }
 
 // Lookup returns the Info with the given name.
diff --git a/src/runtime/metrics/doc.go b/src/runtime/metrics/doc.go
index 310d232f6f..22648f4008 100644
--- a/src/runtime/metrics/doc.go
+++ b/src/runtime/metrics/doc.go
@@ -407,11 +407,6 @@ Below is the full list of supported metrics, ordered lexicographically.
 The number of non-default behaviors executed by the os package due to a non-default GODEBUG=winsymlink=... setting.
 
- /godebug/non-default-behavior/x509keypairleaf:events
- The number of non-default behaviors executed by the crypto/tls
- package due to a non-default GODEBUG=x509keypairleaf=...
- setting.
-
 /godebug/non-default-behavior/x509negativeserial:events
 The number of non-default behaviors executed by the crypto/x509
 package due to a non-default GODEBUG=x509negativeserial=...