try to make certificate addition/removal reloadable in some cases (#1468)

* try to make certificate addition/removal reloadable in some cases * very spicy change to respond to handshakes with cert versions we cannot match with a cert that we can indeed match * even spicier change to rehandshake if we detect our cert is lower-version than our peer, and we have a newer-version cert available * make tryRehandshake easier to understand
2025-11-22 08:24:25 +01:00 · 2025-11-03 19:38:44 -06:00
parent 770147264d
commit 01909f4715
7 changed files with 528 additions and 82 deletions
--- a/handshake_manager.go
+++ b/handshake_manager.go
@@ -68,11 +68,12 @@ type HandshakeManager struct {
 type HandshakeHostInfo struct {
 	sync.Mutex

-	startTime   time.Time        // Time that we first started trying with this handshake
-	ready       bool             // Is the handshake ready
-	counter     int64            // How many attempts have we made so far
-	lastRemotes []netip.AddrPort // Remotes that we sent to during the previous attempt
-	packetStore []*cachedPacket  // A set of packets to be transmitted once the handshake completes
+	startTime                 time.Time        // Time that we first started trying with this handshake
+	ready                     bool             // Is the handshake ready
+	initiatingVersionOverride cert.Version     // Should we use a non-default cert version for this handshake?
+	counter                   int64            // How many attempts have we made so far
+	lastRemotes               []netip.AddrPort // Remotes that we sent to during the previous attempt
+	packetStore               []*cachedPacket  // A set of packets to be transmitted once the handshake completes

 	hostinfo *HostInfo
 }