details:
https://github.com/nginx/nginx/commit/ed99269eed283e474590bbe951bad1d74b721955
branches: master
commit: ed99269eed283e474590bbe951bad1d74b721955
user: Sergey Kandaurov <pluk...@nginx.com>
date: Tue, 15 Jul 2025 15:55:26 +0400
description:
SSL: disabled certificate compression by default with OpenSSL.
Certificate compression is supported since OpenSSL 3.2, it is enabled
automatically as negotiated in a TLSv1.3 handshake.
Using certificate compression and decompression in runtime may be
suboptimal in terms of CPU and memory consumption in certain typical
scenarios, hence it is disabled by default on both server and client
sides. It can be enabled with ssl_conf_command and similar directives
in upstream as appropriate, for example:
ssl_conf_command Options RxCertificateCompression;
ssl_conf_command Options TxCertificateCompression;
Compressing server certificates requires additional support, this is
addressed separately.
---
src/event/ngx_event_openssl.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index ff604c562..0c23c3f2f 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -387,6 +387,11 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void
*data)
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
#endif
+#ifdef SSL_OP_NO_TX_CERTIFICATE_COMPRESSION
+ SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TX_CERTIFICATE_COMPRESSION);
+ SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_RX_CERTIFICATE_COMPRESSION);
+#endif
+
#ifdef SSL_OP_NO_ANTI_REPLAY
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_ANTI_REPLAY);
#endif
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel
