Re: [PR] Conditionalize cert compression by OpenSSL support [trafficserver]

Sat, 23 May 2026 15:56:49 -0700 


Copilot commented on code in PR #13197:
URL: https://github.com/apache/trafficserver/pull/13197#discussion_r3293591145


##########
src/traffic_layout/info.cc:
##########
@@ -53,6 +54,34 @@
 #include <zstd.h>
 #endif
 
+#if HAVE_SSL_CTX_ADD_CERT_COMPRESSION_ALG
+static constexpr int ts_has_cert_compression_callbacks = 1;
+#else
+static constexpr int ts_has_cert_compression_callbacks = 0;
+#endif
+
+#if HAVE_SSL_CTX_ADD_CERT_COMPRESSION_ALG || 
(HAVE_SSL_CTX_SET1_CERT_COMP_PREFERENCE && !defined(OPENSSL_NO_ZLIB))
+static constexpr int ts_has_cert_compression_zlib = 1;
+#else
+static constexpr int ts_has_cert_compression_zlib = 0;
+#endif
+
+#if (HAVE_SSL_CTX_ADD_CERT_COMPRESSION_ALG && HAVE_BROTLI_ENCODE_H) || \
+  (HAVE_SSL_CTX_SET1_CERT_COMP_PREFERENCE && !defined(OPENSSL_NO_BROTLI))
+static constexpr int ts_has_cert_compression_brotli = 1;
+#else
+static constexpr int ts_has_cert_compression_brotli = 0;
+#endif
+
+#if (HAVE_SSL_CTX_ADD_CERT_COMPRESSION_ALG && HAVE_ZSTD_H) || 
(HAVE_SSL_CTX_SET1_CERT_COMP_PREFERENCE && !defined(OPENSSL_NO_ZSTD))
+static constexpr int ts_has_cert_compression_zstd = 1;
+#else
+static constexpr int ts_has_cert_compression_zstd = 0;
+#endif

Review Comment:
   The new TS_HAS_CERT_COMPRESSION_{BROTLI,ZSTD} feature detection can report 
these algorithms as available via SSL_CTX_set1_cert_comp_preference even when 
HAVE_SSL_CTX_ADD_CERT_COMPRESSION_ALG is also available but ATS was built 
without the corresponding brotli/zstd libraries. In that build shape, 
TLSCertCompression.cc will take the callbacks path (due to 
HAVE_SSL_CTX_ADD_CERT_COMPRESSION_ALG) and will not include brotli/zstd in 
supported_algs, so enabling them via records will fail despite the feature 
being reported as present. Consider making the algorithm feature checks 
mutually exclusive (prefer the callbacks+local-libs path when 
HAVE_SSL_CTX_ADD_CERT_COMPRESSION_ALG is true, otherwise fall back to the 
preference API/OPENSSL_NO_* checks) so reported features match actual runtime 
behavior.
   



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to