Open Bug 1884301 Opened 1 month ago Updated 4 days ago

Support zstd certificate compression for TLS

Categories

(Core :: Networking: HTTP, enhancement, P3)

People

(Reporter: jesup, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [necko-triaged])

Support zstd certificate compression to reduce the size of certificates and speed up TLS negotiation

Blocks: 1884305
No longer blocks: zstd

Hey, FYI, I am working on a patch to enable zlib for certificate compression (https://phabricator.services.mozilla.com/D203909).

My next target is supposed to be zstd. Would you prefer if I implemented the patch?

Here is the bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1881027

Flags: needinfo?(rjesup)

Yes, that'd be great. The library import is here: https://phabricator.services.mozilla.com/D197296 and the HTTP decompression support is here: https://phabricator.services.mozilla.com/D205109

Overall it doesn't look that hard, from what I saw in the zlib patches. (The decompression support includes some stuff for compression; that's leftover from when I was planning to put it all in a sandbox. Without that, I can remove the compression support that's currently in nsHTTPCompressConv -- but it's probably useful for you to see as an example.) Zstd compression using ZSTD_compressStream() is pretty straightforward. You'll need to choose a compression level, I assume.

Question: does the TLS cert compression run in the Parent Process? (I assume so). Does it ever see arbitrary data under the control of a website? (I assume not -- I imagine it might compress user-supplied certs, which isn't the same thing.)

Thanks!

Flags: needinfo?(rjesup) → needinfo?(nkulatova)

Hi,

I will try to enable zstd as soon as we have the other compression algorithms enabled :)

Flags: needinfo?(nkulatova)
Severity: -- → N/A
Priority: -- → P3
Whiteboard: [necko-triaged]