Update cert compression reporting #13197
Open
bneradt wants to merge 1 commit into
Conversation

Contributor
Pull request overview
This PR adjusts how ATS reports and enables TLS certificate compression (RFC 8879) when OpenSSL exposes the preference API but has built-in compression algorithms disabled (e.g., Fedora 44). It refines feature reporting to reflect usable algorithms, rejects disabled algorithms during configuration, and only runs the metric-based AuTest when ATS owns the compression callbacks.
Changes:
- Add finer-grained `traffic_layout` feature flags for certificate compression callbacks and per-algorithm availability, and compute `TS_HAS_CERT_COMPRESSION` from usable algorithms.
- Update certificate compression registration logic to treat algorithms as available/unavailable (e.g., based on `OPENSSL_NO_*`) and reject unavailable algorithms.
- Update the gold test to skip unless ATS has cert compression callbacks (so metrics-based verification is meaningful).
Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

| File | Description |
|---|---|
| tests/gold_tests/tls/tls_cert_comp.test.py | Skip the cert-compression metrics test unless ATS owns the compression callbacks. |
| src/traffic_layout/info.cc | Report cert-compression support based on usable algorithms; add new feature flags for callbacks and per-algorithm availability. |
| src/iocore/net/TLSCertCompression.cc | Track algorithm availability and reject disabled algorithms when configuring cert compression preferences. |
Comment on lines +136 to +138
| if (info == nullptr || !info->available) { | ||
| Dbg(dbg_ctl_ssl_cert_compress, "Unrecognized algorithm: %s", specified_algs[i].c_str()); | ||
| return 0; |
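Review bot: the two rejection cases in `if (info == nullptr || !info->available)` share one diagnostic, `Unrecognized algorithm: %s`, so an operator who lists an algorithm that OpenSSL compiled out (the exact case this PR is about) is told it is unrecognized rather than unavailable in this build. Consider splitting the branch so the `!info->available` path logs that the algorithm is known but not usable with this OpenSSL, and since the function returns 0 on both paths, consider emitting that at error level in addition to the `ssl_cert_compress` debug tag, which is off by default and easy to miss.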
Comment on lines +63 to +80
| #if HAVE_SSL_CTX_ADD_CERT_COMPRESSION_ALG || (HAVE_SSL_CTX_SET1_CERT_COMP_PREFERENCE && !defined(OPENSSL_NO_ZLIB)) | ||
| static constexpr int ts_has_cert_compression_zlib = 1; | ||
| #else | ||
| static constexpr int ts_has_cert_compression_zlib = 0; | ||
| #endif | ||
|
|
||
| #if (HAVE_SSL_CTX_ADD_CERT_COMPRESSION_ALG && HAVE_BROTLI_ENCODE_H) || \ | ||
| (HAVE_SSL_CTX_SET1_CERT_COMP_PREFERENCE && !defined(OPENSSL_NO_BROTLI)) | ||
| static constexpr int ts_has_cert_compression_brotli = 1; | ||
| #else | ||
| static constexpr int ts_has_cert_compression_brotli = 0; | ||
| #endif | ||
|
|
||
| #if (HAVE_SSL_CTX_ADD_CERT_COMPRESSION_ALG && HAVE_ZSTD_H) || (HAVE_SSL_CTX_SET1_CERT_COMP_PREFERENCE && !defined(OPENSSL_NO_ZSTD)) | ||
| static constexpr int ts_has_cert_compression_zstd = 1; | ||
| #else | ||
| static constexpr int ts_has_cert_compression_zstd = 0; | ||
| #endif |
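Review bot: the zlib branch `#if HAVE_SSL_CTX_ADD_CERT_COMPRESSION_ALG || ...` treats zlib as usable whenever the callback API exists, while the brotli and zstd branches additionally require `HAVE_BROTLI_ENCODE_H` and `HAVE_ZSTD_H`; if zlib is an optional dependency of the build, the zlib flag needs the analogous header check, and if it is a hard dependency a one-line comment saying so would keep a future reader from "fixing" the asymmetry. Separately, `!defined(OPENSSL_NO_ZLIB)`, `!defined(OPENSSL_NO_BROTLI)` and `!defined(OPENSSL_NO_ZSTD)` only mean anything if OpenSSL's configuration header is included before this block; if it is not, the macros are never defined and the preference-API branch reports every algorithm as available, which is the same false positive the PR is fixing. Consider an explicit `#include <openssl/opensslconf.h>` above these checks.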
Some OpenSSL 3.2+ builds expose the certificate-compression preference API while compiling out the built-in compression algorithms. The newly updated tools/build_openssl_h3_tools.sh builds an OpenSSL that functions like this: it has the compression API without the algorithms for it. Before this patch, ATS reported cert compression support based only on API availability, which caused it to report a feature that is functionally not available if the appropriate compression libraries weren't baked in. This gates certificate-compression feature reporting and algorithm setup on the callbacks and algorithms ATS can actually use.
</gr_insert_placeholder>
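To make the gating concrete, here is an added example that models the PR's "usable algorithm" rules as a small C++ program. It is not ATS code and not part of this PR: `BuildFlags`, `algorithm_table`, `has_cert_compression`, `configure_preference` and the `PrefStatus` codes are names assumed for illustration, the real ATS code uses the preprocessor macros shown in the diff and its own algorithm table, and the build configurations below are constructed, not taken from any real distribution. The example goes slightly beyond the page in one respect: it reports a known-but-compiled-out algorithm differently from an unknown name, so the two failure modes can be told apart.

```cpp
// Added example, not ATS code: models the PR's "usable algorithm" rules so the
// API-present-but-codecs-compiled-out case can be exercised in one program.
#include <algorithm>
#include <cctype>
#include <cstdint>
#include <sstream>
#include <string>
#include <vector>

// Constructed stand-in for the build-time probes. In ATS these are preprocessor
// macros (HAVE_* from the configure checks, OPENSSL_NO_* from OpenSSL's own
// configuration header); modelling them as bools lets one binary try several builds.
struct BuildFlags {
  bool have_ssl_ctx_set1_cert_comp_preference = false; // OpenSSL 3.2+ preference API
  bool have_ssl_ctx_add_cert_compression_alg  = false; // callback-style API (ATS owns codecs)
  bool openssl_no_zlib   = false; // OPENSSL_NO_ZLIB
  bool openssl_no_brotli = false; // OPENSSL_NO_BROTLI
  bool openssl_no_zstd   = false; // OPENSSL_NO_ZSTD
  bool have_brotli_encode_h = false; // brotli/encode.h present for ATS-owned callbacks
  bool have_zstd_h          = false; // zstd.h present for ATS-owned callbacks
};

struct AlgInfo {
  std::string name;
  uint16_t    tls_id;    // RFC 8879 CertificateCompressionAlgorithm code point
  bool        available; // usable in this build, as opposed to merely known by name
};

// Same shape as the PR's per-algorithm #if rules: usable if ATS owns the callbacks
// and has the codec library, or if OpenSSL's built-in codec was not compiled out.
std::vector<AlgInfo> algorithm_table(const BuildFlags &b) {
  const bool own  = b.have_ssl_ctx_add_cert_compression_alg;
  const bool pref = b.have_ssl_ctx_set1_cert_comp_preference;
  return {
    {"zlib",   1, own                            || (pref && !b.openssl_no_zlib)},
    {"brotli", 2, (own && b.have_brotli_encode_h) || (pref && !b.openssl_no_brotli)},
    {"zstd",   3, (own && b.have_zstd_h)          || (pref && !b.openssl_no_zstd)},
  };
}

// TS_HAS_CERT_COMPRESSION derived from usable algorithms, not from API presence.
bool has_cert_compression(const BuildFlags &b) {
  const auto table = algorithm_table(b);
  return std::any_of(table.begin(), table.end(),
                     [](const AlgInfo &a) { return a.available; });
}

enum class PrefStatus { Ok, UnknownAlgorithm, UnavailableAlgorithm };

struct PrefResult {
  PrefStatus            status;
  std::string           offending; // the name that caused rejection, empty when Ok
  std::vector<uint16_t> order;     // TLS code points in configured order when Ok
};

// Validates a comma-separated preference list such as "brotli,zlib" against the
// table. A name that is not in the table and a name that is known but compiled
// out are rejected with distinct statuses, so an operator can tell a typo in the
// configuration from a limitation of the OpenSSL build.
PrefResult configure_preference(const BuildFlags &b, const std::string &spec) {
  const auto table = algorithm_table(b);
  PrefResult result{PrefStatus::Ok, "", {}};
  std::stringstream ss(spec);
  std::string tok;
  while (std::getline(ss, tok, ',')) {
    tok.erase(std::remove_if(tok.begin(), tok.end(),
                             [](unsigned char c) { return std::isspace(c); }),
              tok.end());
    if (tok.empty()) continue;
    auto it = std::find_if(table.begin(), table.end(),
                           [&](const AlgInfo &a) { return a.name == tok; });
    if (it == table.end()) return {PrefStatus::UnknownAlgorithm, tok, {}};
    if (!it->available)    return {PrefStatus::UnavailableAlgorithm, tok, {}};
    result.order.push_back(it->tls_id);
  }
  return result;
}
```

With the preference API present but all three `OPENSSL_NO_*` set, `has_cert_compression` is false and any preference list naming zlib, brotli or zstd is rejected as unavailable rather than unknown; with the callback-style API and no brotli or zstd headers, only zlib is reported usable, which is the asymmetry the diff's zlib branch encodes.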