Opened 8 months ago
Last modified 8 months ago
#2546 new enhancement
Support RFC 8879: certificate compression
| Reported by: | Seirdy | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | other | Version: | 1.25.x |
| Keywords: | TLS | Cc: | |
| uname -a: | Linux fedora-vps01 6.4.14-200.fc38.x86_64 #1 SMP PREEMPT_DYNAMIC Sat Sep 2 16:36:06 UTC 2023 x86_64 GNU/Linux | ||
| nginx -V: |
nginx version: nginx/1.25.3 (static-pie clang musl zlib-ng brotli march=haswell boringssl ssl-staple nginx build)
built by clang 16.0.6 built with OpenSSL 1.1.1 (compatible; BoringSSL) (running with BoringSSL) TLS SNI support enabled configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --build='static-pie gcc musl zlib-ng brotli march=haswell boringssl hpack ssl-staple nginx build' --with-file-aio --with-threads --with-pcre --with-debug --with-stream --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_ssl_module --with-http_v2_module --with-http_v3_module --without-http_auth_basic_module --without-http_autoindex_module --without-http_browser_module --without-http_empty_gif_module --without-http_empty_gif_module --without-http_fastcgi_module --without-http_geo_module --without-http_grpc_module --without-http_mirror_module --without-http_referer_module --without-http_scgi_module --without-http_split_clients_module --without-http_ssi_module --without-http_status_module --without-http_upstream_hash_module --without-http_upstream_ip_hash_module --without-http_upstream_keepalive_module --without-http_upstream_least_conn_module --without-http_upstream_random_module --without-http_upstream_zone_module --without-http_userid_module --without-http_uwsgi_module --with-cc-opt='-O3 -march=haswell -ftrapv -DNDEBUG -fno-semantic-interposition -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong -m64 -fno-asynchronous-unwind-tables -fstack-clash-protection -fcf-protection=full -fPIC -fPIE -s -L. -fno-plt -Bsymbolic -fuse-ld=lld -ftrivial-auto-var-init=zero -fzero-call-used-regs=used-gpr -Wno-parentheses -Wno-unused-value -Wno-unused-command-line-argument -I/usr/include --sysroot /usr -isystem /usr/x86_64-linux-musl/include -I/usr/x86_64-linux-musl/include -L/usr/x86_64-linux-musl/lib -flto=full -fvisibility=hidden -fsplit-lto-unit -ffunction-sections -fdata-sections -I/usr/lib64/clang/version/include -I/ghq/github.com/zlib-ng/zlib-ng -I/ghq/github.com/zlib-ng/zlib-ng/build-server-clang -I/ghq/boringssl.googlesource.com/boringssl/include -Wno-error -DTCP_FASTOPEN=23 -I/ghq/github.com/PhilipHazel/pcre2/build-server-clang' --with-ld-opt='-O3 -march=haswell -ftrapv -DNDEBUG -fno-semantic-interposition -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong -m64 -fno-asynchronous-unwind-tables -fstack-clash-protection -fcf-protection=full -fPIC -fPIE -s -L. -fno-plt -Bsymbolic -fuse-ld=lld -ftrivial-auto-var-init=zero -fzero-call-used-regs=used-gpr -Wno-parentheses -Wno-unused-value -Wno-unused-command-line-argument -flto=full -fvisibility=hidden -fsplit-lto-unit -ffunction-sections -fdata-sections -Wl,-z,relro,-z,now,-z,noexecstack -Wl,--as-needed -Wl,-E -Wl,-Bstatic -static-pie -L/usr/x86_64-linux-musl/lib -Wl,--gc-sections -L/ghq/github.com/zlib-ng/zlib-ng/build-server-clang -l:libz.a -lz -L/ghq/boringssl.googlesource.com/boringssl/build-server-clang/ssl -l:libssl.a -L/ghq/boringssl.googlesource.com/boringssl/build-server-clang/crypto -l:libcrypto.a -L/ghq/github.com/PhilipHazel/pcre2/build-server-clang' --add-module=/ghq/github.com/google/ngx_brotli/static --add-module=/ghq/github.com/openresty/headers-more-nginx-module --add-module=/ghq/github.com/vision5/ngx_devel_kit --add-module=/ghq/github.com/openresty/set-misc-nginx-module |
||
Description
RFC 8879 TLS Certificate Compression has been supported in BoringSSL for a while, and recently made it to OpenSSL. It allows us to more safely compress TLS certificates. OpenSSL supports zlib, zstd, and Brotli; BoringSSL supports zlib and Brotli.
Note:
See TracTickets
for help on using tickets.
For the record, certificate compression was previously discussed in this thread:
https://mailman.nginx.org/pipermail/nginx-devel/2023-April/O5R42YXIMCJKIGPTNYDSHKWFBJY73H5J.html
In particular, see the review here:
https://mailman.nginx.org/pipermail/nginx-devel/2023-April/MK7QJ2XIYXDTSWJ5TXRGCP7S73WS6GWH.html
Unless OpenSSL fixed things since then, it is probably goes to be something we'll have to explicitly disable once OpenSSL 3.2 is released, as it is enabled by default and seems to allow various resource consumption attacks.