Authentication-Results: mail-b.sr.ht; dkim=pass header.d=coded.io header.i=@coded.io; dkim=pass header.d=messagingengine.com header.i=@messagingengine.com
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27])
	by mail-b.sr.ht (Postfix) with ESMTPS id 7AAA111F013
	for <~adnano/go-gemini-devel@lists.sr.ht>; Thu, 25 Feb 2021 04:56:33 +0000 (UTC)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43])
	by mailout.nyi.internal (Postfix) with ESMTP id 5606C5C00D4;
	Wed, 24 Feb 2021 23:56:33 -0500 (EST)
Received: from imap11 ([10.202.2.61])
  by compute3.internal (MEProxy); Wed, 24 Feb 2021 23:56:33 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coded.io; h=
	mime-version:message-id:in-reply-to:references:date:from:to
	:subject:content-type; s=fm3; bh=FL6GbnAKMLo2rQutZn/XW+EEjoOK3U9
	+t8DA6iANW8w=; b=ChKh4fwHb+E2uHgKcU+zqcFxsalGU4ZL5OL4MhVZ6if15Vo
	WxyJfj/WtvLjkMCeMx/k4Qba0BHhJWIjnCPEEcZ1Pyq8o2tYpKodsA53VG6kMBux
	q52FQGlbg8mjgNGoWCH6IjzgzKOGJk3YGWmJ0PGiD6Keodw+cANtTn2PNve2H9E4
	nHHoTmWlqHD/loDywiThEhaXyWc0HxW+Q+JC6hvt976oJzYOkSid82ukpsimUfw7
	Vya/cEjLoZdDa9kNPeLahsAkKI6qBW9AMhKhkfRGnkDaS1n0Bbl4Sgqs538pckYF
	qN/REltoRQZtGodq5FyYvV9LFw412H7qD1Uc1Nw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	messagingengine.com; h=content-type:date:from:in-reply-to
	:message-id:mime-version:references:subject:to:x-me-proxy
	:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=FL6Gbn
	AKMLo2rQutZn/XW+EEjoOK3U9+t8DA6iANW8w=; b=fIkBSu9n6jccjMBFh+XfW7
	uU2AYrI4hx7N0QjLYG7jOHu9wEM9red7AWdKkmoaidsaYXd0SUayfBFEC23KUBYD
	2KuO62n7SYnq4TO+KgZKbYTUabE28E7iZxFfzynzAMTp7q5jON1I3RkumzrRz1Zu
	K9SaCofTLDce2jDNaLjKosTmsQ3BnWfw1A/UNy2bHz6rgWtsWV5RofqkcFzO+prK
	qARjmzouTFqsbUiZi93pmd8J7NOx0qZyEBm/5MxCMd9Xl+0l3Riaa5jeXxhrX64O
	WcxVy9THQYFj4AeInkszd4WZT+7HAXi1dvzOc9osxroZmXElHELidXmLNtcM//OA
	==
X-ME-Sender: <xms:AC43YB0p4iWQLleb_O_iQeNpvKOaI17fF0FgY9GT7sWubFIhsMaZ4A>
    <xme:AC43YIGr7abGMc2zb6Pckm7REZ6nmrfDAub9QYI6IPhFsQHcUnT3Ud8UdMCfRuGYP
    ytqZ47_qIyQ274Ujw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrkeekgdejiecutefuodetggdotefrodftvf
    curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu
    uegrihhlohhuthemuceftddtnecunecujfgurhepofgfggfkjghffffhvffutgesthdtre
    dtreertdenucfhrhhomhepfdfmrghlvggsucfglhifvghrthdfuceosggvlhgrkhestgho
    uggvugdrihhoqeenucggtffrrghtthgvrhhnpeehfeffjeffffejleeufedufeffhedtie
    elgeehteejvdevgfefheetfeelfeelfeenucffohhmrghinhepghhithhhuhgsrdgtohhm
    pdhgohhlrghnghdrohhrghenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmh
    grihhlfhhrohhmpegsvghlrghksegtohguvggurdhioh
X-ME-Proxy: <xmx:AS43YB5ElIuckKQhbiC9esKZEUxgELSQix0b0FcKg1c8eba_2x5B-g>
    <xmx:AS43YO1g37dl_n8W-ODb94qC9_mXi2amc4l8-zrR6e-JYMpDK9O0qg>
    <xmx:AS43YEH38BePEmf8PXwWlCAoOEpZCkKTSJVgZpTPWVNDRMetMMhCIA>
    <xmx:AS43YHxtkXoj_jIjiwxtWWnqm-zMwNORbKjXObJwzMzwSG1VQIgN7g>
Received: by mailuser.nyi.internal (Postfix, from userid 501)
	id DD6EB24027E; Wed, 24 Feb 2021 23:56:32 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.5.0-alpha0-141-gf094924a34-fm-20210210.001-gf094924a
Mime-Version: 1.0
Message-Id: <facb754e-8de8-43e0-94ed-c555214b6f05@www.fastmail.com>
In-Reply-To: <C9I8H2U3NF57.GUW5GAC4HO85@nitro>
References: <C9I8H2U3NF57.GUW5GAC4HO85@nitro>
Date: Wed, 24 Feb 2021 20:56:11 -0800
From: "Kaleb Elwert" <belak@coded.io>
To: "Adnan Maolood" <me@adnano.co>, ~adnano/go-gemini-devel@lists.sr.ht
Subject: Re: [PATCH go-gemini] Set req.Host to SNI hostname when available
Content-Type: text/plain

> I had considered setting Request.Host before, but I was not sure whether
> the overhead of tls.Conn.ConnectionState could affect the performance.
> Request used to have a TLS field like in net/http, but it was moved to a
> method so that it would not be allocated if it was not needed.
> 
> Currently those who need to access SNI information can use
> TLS().ServerName. For the majority of use cases I don't think that
> accessing the ServerName is necessary, as the certificate.Store struct
> handles automatic creation of certificates and will not create a
> certificate for a host that has not been registered. Do you have an
> example where this could be necessary?

The reason for adding this isn't for limiting what hosts that can be connected to,
but routing to different locations for different hosts on in a single service. You are
right that it could be done by calling .TLS().ServerName, however I would argue that
either exposing the *tls.ConnectionState by default or at least copying over the
ServerName makes sense, maybe even both. If we're exposing ServerName,
it would make more sense to just store the whole ConnectionState on the request
anyway, as we've already generated it to get the ServerName.

Additionally, it's needed to properly parse the incoming URL to detect and deny proxy
requests (see https://github.com/go-gemini/gemini/blob/main/server.go#L195-L215 and
https://github.com/go-gemini/gemini/blob/main/utils.go#L64-L83). I generally think it's
best to optimize for correctness first, followed by performance and this is one of those
instances where an extra allocation for the ConnectionState shouldn't matter that much.
I would be willing to bet that the crypto caused by using a TLS connection (and
the network syscalls themselves) are way more expensive than the extra allocation.

As you mentioned, the http package already does this (See serve() at
https://golang.org/src/net/http/server.go#L1817) and even though Gemini tries to be
lighter weight than HTTP, I believe it still applies.

> We don't necessarily want to impose the choice of *tls.Conn on Server
> users, as they might prefer another TLS implementation, or they might
> use an unencrypted connection if they are sitting behind a TLS reverse
> proxy.

This is the first I've heard this argument used with Go - are there other TLS
implementations commonly used in Go? If this is an actual argument, doesn't
the call to Request.TLS() also break?