Remove legacy direct cert-matching behavior

This was implemented to solve the TLS-SNI challenge back in the day, but that has long been decomissioned.
acidburn0zzz · Jul 16, 2021 · b8cb679 · b8cb679
1 parent 3966eeb
commit b8cb679
Showing 1 changed file with 0 additions and 17 deletions.
diff --git a/handshake.go b/handshake.go
@@ -125,23 +125,6 @@ func (cfg *Config) getCertificate(hello *tls.ClientHelloInfo) (cert Certificate,
  return
  }
  }
-
- // check the certCache directly to see if the SNI name is
- // already the key of the certificate it wants; this implies
- // that the SNI can contain the hash of a specific cert
- // (chain) it wants and we will still be able to serve it up
- // (this behavior, by the way, could be controversial as to
- // whether it complies with RFC 6066 about SNI, but I think
- // it does, soooo...)
- // (this is how we solved the former ACME TLS-SNI challenge)
- cfg.certCache.mu.RLock()
- directCert, ok := cfg.certCache.cache[name]
- cfg.certCache.mu.RUnlock()
- if ok {
- cert = directCert
- matched = true
- return
- }
  }
 
  // otherwise, we're bingo on ammo; see issues