Closed Bug 1548723 Opened 6 years ago Closed 8 months ago

Certificate compression

Categories

(NSS :: Libraries, enhancement, P3)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: mt, Assigned: anna.weine)

References

(Depends on 1 open bug)

Attachments

(4 files, 3 obsolete files)

We should consider adding certificate compression.

Experiments with brotli show that most certificate chains are cut in size by enough to matter. Especially for QUIC. And the spec is now close to being stable.

It looks like we will need to support brotli, but there is a chance that zstd could supplant brotli (it is still fashionable to invent new compression schemes after all). A brief assessment, plus a survey of what servers are doing might help inform this choice.

Design considerations:

  • this needs a configuration option
  • we should not compile this by default
  • we should link to the library that Firefox uses when we build there (so we need a --with-system-brotli option similar to the one we use for sqlite).
  • we need a way to configure compressed certificates. We might either add parameters to the SSL_ConfigServerCert thing, just like we're doing for delegated credentials. Or we could compress certificates as they are added if the compression option is enabled.
Type: defect → enhancement
Priority: -- → P3
Severity: normal → S3
Assignee: nobody → nkulatova
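
For reference, the RFC 8879 CompressedCertificate framing that this request concerns, with the receiver-side size checks, shown for the zlib case. This is an added example, not NSS code and not part of the original report; `MAX_CERT_MSG`, the function names and the sample message are assumptions made for illustration.

```python
import zlib

ZLIB, BROTLI, ZSTD = 1, 2, 3   # RFC 8879 CertificateCompressionAlgorithm values
MAX_CERT_MSG = 1 << 16         # assumed local cap on the decompressed message


class CompressedCertError(Exception):
    """Any of these conditions aborts the handshake in a real TLS stack."""


def u24(n: int) -> bytes:
    return n.to_bytes(3, "big")


def encode_compressed_certificate(cert_msg: bytes) -> bytes:
    """algorithm (u16) | uncompressed_length (u24) | u24-prefixed compressed bytes."""
    comp = zlib.compress(cert_msg, 9)
    return ZLIB.to_bytes(2, "big") + u24(len(cert_msg)) + u24(len(comp)) + comp


def decode_compressed_certificate(body: bytes, offered=(ZLIB,)) -> bytes:
    """Parse a CompressedCertificate body and return the Certificate message."""
    if len(body) < 8:
        raise CompressedCertError("truncated header")
    alg = int.from_bytes(body[:2], "big")
    declared = int.from_bytes(body[2:5], "big")
    comp = body[8:]
    if alg not in offered:
        raise CompressedCertError("algorithm not offered in compress_certificate")
    if alg != ZLIB:
        raise CompressedCertError("only zlib is handled in this example")
    if not comp or int.from_bytes(body[5:8], "big") != len(comp):
        raise CompressedCertError("length prefix does not match payload")
    if declared > MAX_CERT_MSG:
        raise CompressedCertError("declared size exceeds local limit")
    inflater = zlib.decompressobj()
    try:
        # Cap output at declared + 1 bytes: an oversized stream is detected
        # without ever being inflated in full.
        out = inflater.decompress(comp, declared + 1)
    except zlib.error as exc:
        raise CompressedCertError("corrupt zlib stream") from exc
    if len(out) != declared or not inflater.eof or inflater.unused_data:
        raise CompressedCertError("output does not match uncompressed_length")
    return out


# Constructed stand-in for a Certificate message (repetitive, like real chains).
SAMPLE_CERT_MSG = b"\x00" + b"constructed-certificate-entry;" * 60
```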

Depends on D178666

Attachment #9335234 - Attachment description: WIP: Bug 1548723 - An initial implementation of the Certificate Compression RFC → Bug 1548723 - TLS Certificate Compression (RFC 8879) Implementation
Attachment #9335234 - Attachment description: Bug 1548723 - TLS Certificate Compression (RFC 8879) Implementation → WIP: Bug 1548723 - TLS Certificate Compression (RFC 8879) Implementation
Attachment #9351228 - Attachment description: WIP: Bug 1548723 - Improving gtests by adding decoding/encoding certificate mechanisms (as a part of RFC8879 support) → Bug 1548723 - Improving gtests by adding decoding/encoding certificate mechanisms (as a part of RFC8879 support)
Attachment #9351228 - Attachment description: Bug 1548723 - Improving gtests by adding decoding/encoding certificate mechanisms (as a part of RFC8879 support) → WIP: Bug 1548723 - Improving gtests by adding decoding/encoding certificate mechanisms (as a part of RFC8879 support)
Attachment #9351228 - Attachment description: WIP: Bug 1548723 - Improving gtests by adding decoding/encoding certificate mechanisms (as a part of RFC8879 support) → Bug 1548723 - Improving gtests by adding decoding/encoding certificate mechanisms (as a part of RFC8879 support)
Attachment #9335234 - Attachment description: WIP: Bug 1548723 - TLS Certificate Compression (RFC 8879) Implementation → Bug 1548723 - TLS Certificate Compression (RFC 8879) Implementation
Attachment #9345360 - Attachment description: WIP: Bug 1548723 - Adding support of ZLIB algorithm → Bug 1548723 - Adding support of ZLIB algorithm
Attachment #9354084 - Attachment description: Bug 1548723 - Certificate Compression: Updating nss_bogo_shim to support Certificate compression → WIP: Bug 1548723 - Certificate Compression: Updating nss_bogo_shim to support Certificate compression
Attachment #9335234 - Attachment description: Bug 1548723 - TLS Certificate Compression (RFC 8879) Implementation → WIP: Bug 1548723 - TLS Certificate Compression (RFC 8879) Implementation
Attachment #9345360 - Attachment description: Bug 1548723 - Adding support of ZLIB algorithm → WIP: Bug 1548723 - Adding support of ZLIB algorithm
Attachment #9351228 - Attachment description: Bug 1548723 - Improving gtests by adding decoding/encoding certificate mechanisms (as a part of RFC8879 support) → WIP: Bug 1548723 - Improving gtests by adding decoding/encoding certificate mechanisms (as a part of RFC8879 support)
Attachment #9345360 - Attachment is obsolete: true
Attachment #9351228 - Attachment description: WIP: Bug 1548723 - Improving gtests by adding decoding/encoding certificate mechanisms (as a part of RFC8879 support) → Bug 1548723 - Improving gtests by adding decoding/encoding certificate mechanisms (as a part of RFC8879 support)
Attachment #9335234 - Attachment description: WIP: Bug 1548723 - TLS Certificate Compression (RFC 8879) Implementation → Bug 1548723 - TLS Certificate Compression (RFC 8879) Implementation
Attachment #9335234 - Attachment description: Bug 1548723 - TLS Certificate Compression (RFC 8879) Implementation → xBug 1548723 - TLS Certificate Compression (RFC 8879) Implementation
Attachment #9335234 - Attachment description: xBug 1548723 - TLS Certificate Compression (RFC 8879) Implementation → Bug 1548723 - TLS Certificate Compression (RFC 8879) Implementation
Attachment #9354084 - Attachment description: WIP: Bug 1548723 - Certificate Compression: Updating nss_bogo_shim to support Certificate compression → Bug 1548723 - Certificate Compression: Updating nss_bogo_shim to support Certificate compression
Attachment #9351228 - Attachment is obsolete: true
Depends on: 1881027
Blocks: 1881027
No longer depends on: 1881027
Blocks: 1885138
Attachment #9394813 - Attachment description: WIP: Bug 1548723 - Moving the decodedCert allocation to NSS → Bug 1548723 - Moving the decodedCert allocation to NSS. r=jschanck
Attachment #9394813 - Attachment description: Bug 1548723 - Moving the decodedCert allocation to NSS. r=jschanck → Bug 1548723 - Moving the decodedCert allocation to NSS

A patch has been attached on this bug, which was already closed. Filing a separate bug will ensure better tracking. If this was not by mistake and further action is needed, please alert the appropriate party. (Or: if the patch doesn't change behavior -- e.g. landing a test case, or fixing a typo -- then feel free to disregard this message)

Depends on: 1891948
Attachment #9397333 - Attachment description: WIP: Bug 1548723 - Reverting 4be2683e148d5171906e62d391a4862523033a1e → Bug 1548723 - Reverting 4be2683e148d5171906e62d391a4862523033a1e
Attachment #9397333 - Attachment is obsolete: true
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Attachment #9397377 - Attachment description: WIP: Bug 1548723 - CC: Allocation to uint8 + size check in NSS → Bug 1548723 - Certificate Compression: changing the allocation/freeing of buffer + Improving the documentation
Status: REOPENED → RESOLVED
Closed: 1 year ago → 8 months ago
Resolution: --- → FIXED
Blocks: 1904125
Depends on: 1905910
Depends on: 1907899
Depends on: 1924667
No longer depends on: 1924667
Blocks: 1905910, 1907899
No longer depends on: 1905910, 1907899
Depends on: 1927797