Hi All,
I have just started with Golang, but didn't find an answer to this specific question in the existing list(s).
The Golang crypto/tls package does support SNI-based callback hooks to enable applications to serve the desired TLS certificates upon receiving a TLS Client Hello.
I did not find any reference/documents on the actual timeout permissible for the callback to fetch the certificate. In the tests carried out in a localhost kind of setup, it seems that the net/http server package does issue a TCP/TLS timeout to clients if the GetCertificate hook takes more time than the TCP/TLS timeout (say 60 or 300 seconds).
Just wanted a clarification: regardless of the amount of time taken in GetCertificate callback execution, is it guaranteed not to be stopped midway? Say, for example, the TLS certificate is being fetched from an encrypted backend store which may sometimes be unreachable but kind of guarantees a valid certificate after 'X'++ duration and does ensure faster delivery of the certificate in subsequent calls.
Of course, there can be an alternative solution: start a timer in the GetCertificate callback and ensure that the function either returns a valid certificate or an error/nil within 'X' duration. In that case, it would be nice to know whether the actual timeout enforced on the GetCertificate hook is related to TLS settings in crypto/tls/listener -> Accept or somewhere else.
Thanks in advance and sorry for this rather long post.
--
Piyush
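The "start a timer in the GetCertificate callback" idea from the post, carried through as an added example (not code from the poster or from the Go project). crypto/tls never interrupts the hook itself: the connection deadline that net/http applies (the smallest positive ReadHeaderTimeout, ReadTimeout or WriteTimeout) fails the handshake's reads and writes, which is the client-visible timeout described above, while the callback goroutine keeps running until it returns on its own. The only cancellation signal the hook receives is hello.Context() (Go 1.17+), so the wrapper below derives a bounded context from it and returns either the certificate or an error within the budget. The `fetchFunc` type and the "unreachable store" are hypothetical stand-ins for whatever backend the application uses; `example.test` and the self-signed certificate are constructed for the demo, and the client trusts exactly that certificate rather than skipping verification.

```go
package main

import (
	"context"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// fetchFunc is the assumed shape of a lookup against the application's backend certificate store (hypothetical).
type fetchFunc func(ctx context.Context, serverName string) (*tls.Certificate, error)

// boundedGetCertificate adapts a possibly slow lookup into a tls.Config.GetCertificate hook that always returns
// within limit. crypto/tls never preempts the hook; its only cancellation signal is hello.Context() (Go 1.17+).
func boundedGetCertificate(fetch fetchFunc, limit time.Duration) func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	return func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
		ctx, cancel := context.WithTimeout(hello.Context(), limit)
		defer cancel()
		var cert *tls.Certificate
		var fetchErr error
		done := make(chan struct{})
		go func() {
			cert, fetchErr = fetch(ctx, hello.ServerName)
			close(done)
		}()
		select {
		case <-done:
			return cert, fetchErr
		case <-ctx.Done(): // budget spent: fail this handshake now; a ctx-aware lookup winds down on its own
			return nil, fmt.Errorf("certificate lookup for %q: %w", hello.ServerName, ctx.Err())
		}
	}
}

// selfSigned mints a throwaway certificate for host (constructed for the demo, not issued by any CA).
func selfSigned(host string) (*tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// handshake runs one TLS handshake over loopback TCP with getCert on the server side; the client trusts only trusted.
func handshake(getCert func(*tls.ClientHelloInfo) (*tls.Certificate, error), trusted *tls.Certificate) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	pool := x509.NewCertPool()
	pool.AddCert(trusted.Leaf)
	clientDone := make(chan struct{})
	go func() {
		defer close(clientDone)
		if c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: "example.test", RootCAs: pool}); err == nil {
			c.Close()
		}
	}()
	raw, err := ln.Accept()
	if err != nil {
		return err
	}
	err = tls.Server(raw, &tls.Config{GetCertificate: getCert}).Handshake()
	raw.Close() // the client gets an alert or EOF either way, so it cannot hang
	<-clientDone
	return err
}

func main() {
	cert, err := selfSigned("example.test")
	if err != nil {
		panic(err)
	}
	unreachable := func(ctx context.Context, _ string) (*tls.Certificate, error) { // store down for longer than the budget
		<-ctx.Done()
		return nil, ctx.Err()
	}
	start := time.Now()
	err = handshake(boundedGetCertificate(unreachable, 200*time.Millisecond), cert)
	fmt.Printf("unreachable store: err=%v after %v\n", err, time.Since(start).Round(time.Millisecond))
}
```

With the 200 ms budget the client sees the handshake fail after roughly 200 ms instead of after the connection's 60 or 300 second deadline, and with a store that answers immediately the same wrapper passes the certificate straight through. Keeping the budget well under the server's handshake deadline matters under load: every handshake stuck in an unbounded GetCertificate is a goroutine and a backend connection held open per client until the deadline hits.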