Reduce TLS 1.3 resumption token size
Categories: NSS :: Libraries, enhancement
Tracking: Not tracked
People: Reporter: leggert, Unassigned
References: Blocks 2 open bugs
Attachments: 1 file
Firefox maintains a fixed 8 MB in-process cache for TLS 1.3 resumption tokens. Current NSS tokens are 2–4 KB each (and Firefox adds another 10–15 KB of metadata of its own), limiting the cache to a few hundred entries and reducing the fraction of connections that can use 0-RTT.
Profiling NSS token hexdumps shows most of the size comes from the leaf certificate DER (1–2.5 KB), SCTs (0–500 B), and the opaque server ticket (0.5–2 KB). Beyond those genuine costs, the v2 format also serializes fields that are either overwritten unconditionally on import (lastAccessTime, sessionID[]) or never consulted on the external-cache path (addr, port, peerID, localCert, masterValid) — roughly 75 B of dead weight per token. NSS also does not compress the cert chains, which could save hundreds more bytes per token blob.
Comment 1 (Reporter) • 28 days ago
Bumps SSLResumptionTokenVersion to 3 with two changes:

- Dead-weight removal: drops fields that are overwritten or unused on the external-cache import path (lastAccessTime, sessionID, addr, port, peerID, localCert, masterValid) and shrinks the peerCert length prefix from 3 to 2 bytes. Saves ~75 B fixed overhead per token.

- Optional compression: adds SSL_SetResumptionTokenCompressionAlgorithm, an experimental API mirroring SSL_SetCertificateCompressionAlgorithm. When a compressor is registered, the variable-length section (cert, OCSP, SCTs, strings) is compressed as a single blob before writing. Uncompressed tokens (compressAlgId == 0) are the default; v2 tokens are rejected with SSL_ERROR_BAD_RESUMPTION_TOKEN_ERROR.
Updated • 8 days ago
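The v3 design in comment 1 (a version byte, a compressAlgId byte where 0 means uncompressed, the variable-length section compressed as one blob by a registered compressor, and old-version tokens rejected outright) is easy to get subtly wrong on the import side, since the token comes back from an external cache and must be treated as untrusted input. The model below is an added example, not NSS code and not NSS's actual token layout: the field set, the fixed-header layout, the placement of the server ticket outside the compressed blob, and the 64 KiB inflate bound are all assumptions chosen to show the design points. It also shows the new 2-byte length prefix as a hard 65535-byte cap per field, and bounds decompression so a crafted cache entry cannot balloon memory. The dead-weight fields dropped from v2 are not modeled.

```python
"""Illustrative model of a versioned, optionally compressed resumption token
with a pluggable compressor registry. Added example: not NSS code and not NSS's
wire format; layout, field set and the inflate bound are assumptions."""
import struct
import zlib

TOKEN_VERSION = 3          # v2 tokens are rejected, never parsed
COMPRESS_NONE = 0          # compressAlgId 0: variable section stored as-is
MAX_INFLATED = 64 * 1024   # assumed cap on decompressed size (cache data is untrusted)
_FIXED = struct.Struct("!BBHQ")   # version, compressAlgId, cipherSuite, expiration (assumed layout)
VARIABLE_FIELDS = ("peer_cert", "ocsp", "scts", "alpn")   # compressed together as one blob


class BadResumptionToken(ValueError):
    """Stands in for SSL_ERROR_BAD_RESUMPTION_TOKEN_ERROR."""


_compressors = {}   # alg_id -> (compress, decompress); id 0 stays reserved for "none"


def set_compression_algorithm(alg_id, compress, decompress):
    """Model of registering a compressor under a one-byte, non-zero id."""
    if not 1 <= alg_id <= 255:
        raise ValueError("compressAlgId must be non-zero and fit in one byte")
    _compressors[alg_id] = (compress, decompress)


def zlib_inflate_bounded(data):
    """Inflate with an output cap: a short token must not expand without limit."""
    d = zlib.decompressobj()
    out = d.decompress(data, MAX_INFLATED)
    if not d.eof or d.unconsumed_tail:
        raise BadResumptionToken("compressed section truncated or exceeds bound")
    return out


def _lv(b):
    """2-byte length prefix; with v3 a single field cannot exceed 65535 bytes."""
    if len(b) > 0xFFFF:
        raise ValueError("field too long for a 2-byte length prefix")
    return struct.pack("!H", len(b)) + b


def _read_lv(buf, off):
    if off + 2 > len(buf):
        raise BadResumptionToken("truncated length prefix")
    n = struct.unpack_from("!H", buf, off)[0]
    off += 2
    if off + n > len(buf):
        raise BadResumptionToken("truncated field")
    return buf[off:off + n], off + n


def encode_token(f, alg_id=COMPRESS_NONE):
    var = b"".join(_lv(f[k]) for k in VARIABLE_FIELDS)
    if alg_id != COMPRESS_NONE:
        var = _compressors[alg_id][0](var)     # KeyError if nothing is registered under that id
    head = _FIXED.pack(TOKEN_VERSION, alg_id, f["cipher_suite"], f["expiration"])
    # The opaque ticket is high-entropy, so (assumption) it is kept outside the blob.
    return head + _lv(f["ticket"]) + var


def decode_token(tok):
    if len(tok) < _FIXED.size:
        raise BadResumptionToken("short token")
    version, alg_id, cs, exp = _FIXED.unpack_from(tok)
    if version != TOKEN_VERSION:
        raise BadResumptionToken(f"unsupported token version {version}")
    ticket, off = _read_lv(tok, _FIXED.size)
    var = tok[off:]
    if alg_id != COMPRESS_NONE:
        if alg_id not in _compressors:
            raise BadResumptionToken(f"no decompressor registered for id {alg_id}")
        var = _compressors[alg_id][1](var)
    f = {"cipher_suite": cs, "expiration": exp, "ticket": ticket}
    off = 0
    for k in VARIABLE_FIELDS:
        f[k], off = _read_lv(var, off)
    if off != len(var):
        raise BadResumptionToken("trailing bytes after variable section")
    return f


def is_rejected(tok):
    """True if the importer refuses the token (used instead of letting it propagate)."""
    try:
        decode_token(tok)
    except BadResumptionToken:
        return True
    return False


# Constructed sample, not a real certificate: repetitive DER-like bytes so the
# compressor has structure to remove, as repeated OIDs in a real leaf cert would give it.
SAMPLE = {
    "cipher_suite": 0x1301, "expiration": 1_700_000_000,
    "ticket": bytes(range(256)) * 4,                     # 1 KiB opaque ticket
    "peer_cert": b"\x30\x82\x06\x00" + b"\x06\x03\x55\x04\x03\x0c\x0bexample.com" * 100,
    "ocsp": b"\x30\x03\x0a\x01\x00",
    "scts": b"\x00\x78" + b"\x00" * 120,
    "alpn": b"h2",
}


def size_comparison():
    """Register zlib as id 1 and return (uncompressed_len, compressed_len) for SAMPLE."""
    set_compression_algorithm(1, zlib.compress, zlib_inflate_bounded)
    return len(encode_token(SAMPLE)), len(encode_token(SAMPLE, 1))


if __name__ == "__main__":
    raw, packed = size_comparison()
    print(f"v3 token: {raw} B uncompressed, {packed} B with zlib (id 1)")
```

Two points of the design stand out in the decoder: the version check happens before anything else is parsed, so a v2 token never reaches the length-prefix or decompressor logic, and the decompressor is looked up by id only after the version check, so a token naming an id that was never registered is rejected rather than passed through as if uncompressed.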