Mercurial > nginx

changeset 9443:bade3faa937d

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
SSL: disabled certificate compression by default with OpenSSL. Certificate compression is supported since OpenSSL 3.2, it is enabled automatically as negotiated in a TLSv1.3 handshake. Using certificate compression and decompression in runtime may be suboptimal in terms of CPU and memory consumption in certain typical scenarios, hence it is disabled by default on both server and client sides. It can be enabled with ssl_conf_command and similar directives in upstream as appropriate, for example: ssl_conf_command Options RxCertificateCompression; ssl_conf_command Options TxCertificateCompression; Compressing server certificates requires additional support, this is addressed separately.
author Sergey Kandaurov <pluknet@nginx.com>
date Tue, 15 Jul 2025 15:55:26 +0400
parents 09255e161615
children 741cc85a6778
files src/event/ngx_event_openssl.c
diffstat 1 files changed, 5 insertions(+), 0 deletions(-) [+]
line wrap: on
line diff
--- a/src/event/ngx_event_openssl.c	Thu Jul 31 21:31:27 2025 +0400
+++ b/src/event/ngx_event_openssl.c	Tue Jul 15 15:55:26 2025 +0400
@@ -387,6 +387,11 @@
     SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
 #endif
 
+#ifdef SSL_OP_NO_TX_CERTIFICATE_COMPRESSION
+    SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TX_CERTIFICATE_COMPRESSION);
+    SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_RX_CERTIFICATE_COMPRESSION);
+#endif
+
 #ifdef SSL_OP_NO_ANTI_REPLAY
     SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_ANTI_REPLAY);
 #endif