crypto/tls: add server side SNI support.

With this in place, a TLS server is capable of selecting the correct certificate based on the client's ServerNameIndication extension. The need to call Config.BuildNameToCertificate is unfortunate, but adding a sync.Once to the Config structure made it uncopyable and I felt that was too high a price to pay. Parsing the leaf certificates in each handshake was too inefficient to consider. R=bradfitz, rsc CC=golang-dev https://golang.org/cl/5151048
2025-12-08 06:10:04 +00:00 · 2011-10-08 10:06:53 -04:00 · 2011-10-08 10:06:53 -04:00 · 7e48cb5ffe
commit 7e48cb5ffe
parent 060ffabd18
3 changed files with 126 additions and 1 deletions
--- a/src/pkg/crypto/tls/handshake_server.go
+++ b/src/pkg/crypto/tls/handshake_server.go
@ -115,7 +115,12 @@ FindCipherSuite:
 	}

 	certMsg := new(certificateMsg)
-	certMsg.certificates = config.Certificates[0].Certificate
+	if len(clientHello.serverName) > 0 {
+		c.serverName = clientHello.serverName
+		certMsg.certificates = config.getCertificateForName(clientHello.serverName).Certificate
+	} else {
+		certMsg.certificates = config.Certificates[0].Certificate
+	}
 	finishedHash.Write(certMsg.marshal())
 	c.writeRecord(recordTypeHandshake, certMsg.marshal())