RFR: 8372526: Add support for ZLIB TLS Certificate Compression [v13]
Xue-Lei Andrew Fan
xuelei at openjdk.org
Fri Jan 30 19:41:49 UTC 2026
On Fri, 30 Jan 2026 18:13:15 GMT, Artur Barashev <abarashev at openjdk.org> wrote:
>> I had a quick search of the existing caches. There are some global caches for default security parameters and configuration. For example, default trust anchor, default context and default managers. I think it is fine, as the default one always uses the same configuration and can be shared.
>>
>> The compressed certificate cache looks different, as it is not for default key/cert configuration. Basically, the identity certificate is a property of the key manager. It may be safer to manage the cache in key manager level instances.
>
> Yes, good point, it is different, I've done similar research. I'll look closer into this, thanks! Some problems I can see with this approach though:
>
> - Such caching won't work with 3rd party `X509ExtendedKeyManager` implementations.
> - `CertificateMessage` is not just a single certificate, it's the list of certificate entries plus certificate_request_context. Logically such cache doesn't belong to a KeyManager.
Yes, a tricky case. Thank you @artur-oracle for considering this.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/28682#discussion_r2747699841