Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Does Botan support enabling certificate compression in TLS? #4425

Open
shilohshi opened this issue Nov 5, 2024 · 3 comments
Open

Does Botan support enabling certificate compression in TLS? #4425

shilohshi opened this issue Nov 5, 2024 · 3 comments
Labels
enhancement Enhancement or new feature

Comments

@shilohshi
Copy link

Hi, I would like to inquire whether Botan supports enabling certificate compression in TLS (for example, as described in https://datatracker.ietf.org/doc/html/rfc8879#name-compression-algorithms). If it does support this feature, is there a parameter available during server deployment to control it? Thank you!

@randombit randombit added the enhancement Enhancement or new feature label Nov 5, 2024
@randombit
Copy link
Owner

No, this is not supported currently

@shilohshi
Copy link
Author

Thank you for your response.

@reneme
Copy link
Collaborator

reneme commented Nov 7, 2024

RFC 8879 essentially adds two extensions, one to negotiate certificate compression and another one to encapsulate the encoded (and compressed) "Certificate" message. As per the RFC 8879, compression may be performed using zlib, zstd or brotli. Note that this is explicitly supported in TLS 1.3 only.

Given that Botan already has an integration with zlib, it should be relatively straight-forward to add support for RFC 8879, at least using zlib for the compression. The "CompressedCertificate" message takes the place of the conventional (uncompressed) "Certifcate" message. This requires a change in TLS 1.3's state machine, which would likely be the most critical modification required.

Further, one would need to add a few customization points, along these lines:

  • std::vector<TLS::CompressionAlgorithm> TLS::Policy::supported_certificate_compression_algorithms()
  • std::optional<TLS::CompressionAlgorithm> TLS::Policy::choose_certificate_compression_algorithm(std::span<const TLS::CompressionAlgorithm> from_peer)

And (if we wanted to support user-defined compression algorithms), the actual compression should be wrapped into callbacks:

  • std::vector<uint8_t> TLS::Callbacks::tls_compress_certificate_message(TLS::CompressionAlgorithm algorithm, std::span<const uint8_t> encoded_certificate_message)
  • std::vector<uint8_t> TLS::Callbacks::tls_decompress_certificate_message(TLS::CompressionAlgorithm algorithm, std::span<const uint8_t> compressed_certificate_message, size_t expected_uncompressed_size)

Support should be implemented for both the client and server side.

Note that the boringssl test suite also provides tests for certificate compression that should be enabled (and passed, obviously).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement Enhancement or new feature
Projects
None yet
Development

No branches or pull requests

3 participants