RFR: 8372526: Add support for ZLIB TLS Certificate Compression [v3]
Daniel Fuchs
dfuchs at openjdk.org
Thu Jan 22 12:38:15 UTC 2026
On Wed, 21 Jan 2026 19:24:17 GMT, Artur Barashev <abarashev at openjdk.org> wrote:
>> Implement certificate compression in TLS 1.3 using internally supported ZLIB compression algorithm. See RFC 8879 for more details:
>> https://datatracker.ietf.org/doc/html/rfc8879
>
> Artur Barashev has updated the pull request with a new target base due to a merge or a rebase. The pull request now contains 26 commits:
>
> - Improve cache key checksum
> - Merge branch 'master' into JDK-8372526
> - Cache compressed local certificates
> - Merge branch 'master' into JDK-8372526
>
> # Conflicts:
> # src/java.base/share/classes/sun/security/ssl/SSLConfiguration.java
> - Correct log message. Reformat file.
> - Update unit test
> - Merge branch 'master' into JDK-8372526
> - Add DefaultCertCompression unit test
> - Update copyright year and bug number plus some small changes
> - Revert SSLLogger changes
> - ... and 16 more: https://git.openjdk.org/jdk/compare/aaca0a2c...c859eb39
test/jdk/javax/net/ssl/HttpsURLConnection/HttpsCompressedCert.java line 32:
> 30: import java.net.http.HttpRequest;
> 31: import java.net.http.HttpResponse;
> 32: import javax.net.ssl.SSLParameters;
Since this test is not using HttpsURLConnection but the new HttpClient it would be better to bring it to `test/jdk/java/net/httpclient`
test/jdk/javax/net/ssl/HttpsURLConnection/HttpsCompressedCert.java line 58:
> 56: new URI("https://www.google.com/"))
> 57: .GET()
> 58: .build();
Maybe this should be a manual test since it's accessing a host on the public internet.
How difficult would it be to have a test that uses the jdk.net HttpServer instead?
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/28682#discussion_r2716718955
PR Review Comment: https://git.openjdk.org/jdk/pull/28682#discussion_r2716722820
More information about the security-dev
mailing list