crypto/tls: use certificate cache in client

In verifyServerCertificate parse certificates using the global certificate cache. This should signficiantly reduce memory usage in TLS clients which make concurrent connections which reuse certificates (anywhere in the chain) since there will only ever be one copy of the certificate at once. Fixes #46035 Change-Id: Icf5153d0ea3c14a0bdc8b26c794f21153bf95f85 Reviewed-on: https://go-review.googlesource.com/c/go/+/426455 Reviewed-by: Heschi Kreinick <heschi@google.com> Reviewed-by: Bryan Mills <bcmills@google.com> Run-TryBot: Roland Shoemaker <roland@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org>
2025-04-03 20:17:36 +03:00 · 2022-08-29 09:40:50 -07:00 · 2022-08-29 09:40:50 -07:00 · 5e45636b4c
commit 5e45636b4c
parent 0c118d7d39
3 changed files with 10 additions and 2 deletions
--- a/conn.go
+++ b/conn.go
@ -49,6 +49,9 @@ type Conn struct {
 	ocspResponse     []byte   // stapled OCSP response
 	scts             [][]byte // signed certificate timestamps from server
 	peerCertificates []*x509.Certificate
+	// activeCertHandles contains the cache handles to certificates in
+	// peerCertificates that are used to track active references.
+	activeCertHandles []*activeCert
 	// verifiedChains contains the certificate chains that we built, as
 	// opposed to the ones presented by the server.
 	verifiedChains [][]*x509.Certificate