RFR: 8372526: Add support for ZLIB TLS Certificate Compression [v13]

Xue-Lei Andrew Fan xuelei at openjdk.org
Thu Jan 29 17:17:42 UTC 2026


On Thu, 29 Jan 2026 14:46:05 GMT, Artur Barashev <abarashev at openjdk.org> wrote:

>> Implement certificate compression in TLS 1.3 using the internally supported ZLIB compression algorithm. See RFC 8879 for more details:
>> https://datatracker.ietf.org/doc/html/rfc8879
>
> Artur Barashev has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Update javadoc: specify default value for enableCertificateCompression

src/java.base/share/classes/sun/security/ssl/CompressedCertificate.java line 148:

> 146:         // the deflated certificate data in a memory cache statically and avoid
> 147:         // compressing local certificates repeatedly for every handshake.
> 148:         private static final Cache<CompCertCacheKey, byte[]> CACHE =

I was just wondering about multi-tenant systems, where one JVM may be used by multiple users with different keys and certificates. The system may run for many weeks, and the tenants sign on and off, new and old tenants come in and out. Will this CACHE keep the record for each key-cert for each tenant? Could it be a potential problem? Does it sound like a direction to cache the compressed certificate where the certificate comes from, for example the key manager instance or SSLContext instance?

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/28682#discussion_r2742697277

