RFR: 8372526: Add support for ZLIB TLS Certificate Compression [v9]
Xuelei Fan
xuelei.f at gmail.com
Wed Jan 28 16:40:31 UTC 2026
On Tue, Jan 27, 2026 at 9:27 AM Artur Barashev <abarashev at openjdk.org>
wrote:
> On Tue, 27 Jan 2026 16:54:28 GMT, Xue-Lei Andrew Fan <xuelei at openjdk.org>
> wrote:
>
> >> Artur Barashev has updated the pull request incrementally with one
> additional commit since the last revision:
> >>
> >> Allocate 24 bits for input size in cache key. Add unit tests.
> >
> > src/java.base/share/classes/javax/net/ssl/SSLParameters.java line 982:
> >
> >> 980: boolean enableCertificateCompression) {
> >> 981: this.enableCertificateCompression =
> enableCertificateCompression;
> >> 982: }
> >
> > Is there a plan to support brotli compression algorithm in OpenJDK? It
> is the only supported algorithm in browser Chrome.
> >
> > If there is a need to support more than one compression algorithms in
> the future, it might be better to provide an option to customize the
> algorithms selection, including preferences. The flexibility could provide
> better interoperability if a vendor does not support compression algorithm
> properly.
>
> Yes, strangely Chrome supports only brotli although I didn't see any
> difference in compression ration between zlib and brotli when manually
> testing certificate compression. We may add support for more algorithms in
> the future, but for now it's zlib only.
Once there is a need to support more algorithms, this API may not be
applicable for some cases especially when there are compatibility impact.
It might be good to consider the API to support multiple algorithms from
day zero.
Just my $0.02.
Thanks,
Xuelei
> Generally speaking, it's the certificate's metadata that is being
> compressed, the keys are high-entropy data difficult to compress. PQC
> certificates don’t compress well, most likely because of lower metadata to
> keys ratio.
>
> -------------
>
> PR Review Comment:
> https://git.openjdk.org/jdk/pull/28682#discussion_r2733079369
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/net-dev/attachments/20260128/7e41c352/attachment-0001.htm>
More information about the net-dev
mailing list