Add a fast path for the DefaultCertificateSelector (#318)

In cases where we only have a single certificate to choose from we will anyways pick that certificate, regardless of whether the certificate is supported by the client or is expired.
caddyserver · Nov 4, 2024 · c1f1d52 · c1f1d52
1 parent 4c6eddc
commit c1f1d52
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/handshake.go b/handshake.go
@@ -231,9 +231,16 @@ func (cfg *Config) selectCert(hello *tls.ClientHelloInfo, name string) (Certific
 // otherwise it returns an expired certificate that the client supports,
 // otherwise it just returns the first certificate in the list of choices.
 func DefaultCertificateSelector(hello *tls.ClientHelloInfo, choices []Certificate) (Certificate, error) {
+	if len(choices) == 1 {
+		// Fast path: There's only one choice, so we would always return that one
+		// regardless of whether it is expired or not compatible.
+		return choices[0], nil
+	}
 	if len(choices) == 0 {
 		return Certificate{}, fmt.Errorf("no certificates available")
 	}
+
+	// Slow path: There are choices, so we need to check each of them.
 	now := time.Now()
 	best := choices[0]
 	for _, choice := range choices {