Enable compression in OpenSSL and add opt-in certificate compression support for TLS connections by pimterry · Pull Request #62217 · nodejs/node

pimterry · 2026-03-11T20:28:53Z

EDIT: This diff size looks scary, but the vast majority is autogenerated from the build config update. Changes are now split into separate commits, all the auto-generated output is now in the 3rd commit, so the other parts can be reviewed more easily.

Until now, we've fully disabled all compression features in OpenSSL via no-comp. This PR:

Removes no-comp from our OpenSSL build, so we can use some compression features. This is required because OPENSSL_NO_COMP implies OPENSSL_NO_COMP_ALG, which disables certificate compression.
Links in our existing zlib, brotli & zstd implementations for the compression itself.
Adds a certificateCompression option for TLS contexts, exposing the OpenSSL API for certificate compression, defaulting to disabled (i.e. no visible change). We might want to enable this by default in future but we can debate that separately, no need to do so immediately I think. The new API throws an error if a non-empty option is passed when using a shared OpenSSL without compression support.

There's a lot of changes here but the vast majority (everything in deps/openssl/config/archs) are auto-generated based on the OpenSSL config changes and the actual source changes are quite simple.

This is my first time touching the OpenSSL dep setup directly, so hopefully I've rebuilt it correctly! Extra eyes there very helpful. Notably you can't actually rebuild directly on main via make gen-openssl right now, because /deps/openssl/openssl/test/ doesn't exist (removed since #57835). That's fine for OpenSSL dep updates (which pull the whole tree anyway) but it breaks simple regeneration. I just manually included the test dir locally, which seems to have rebuilt OK without changes. I'll open a separate PR to fix that properly later, but there's too many conflicts with the changes in here to open that at the same time. I've now added a commit to fix this here, adding no-tests to the OpenSSL config, you can now run make gen-openssl to regenerate manually and (nearly, except various timestamps) reproduce this commit yourself.

There's also a small test change required to the config for 3 unusual addon tests: on Mac only, directly linked our internal libopenssl.a into a shared library, without the rest of Node, which no longer works (because OpenSSL now references the compression libs). I don't think this is sensible or supported approach, I can't find any examples of this anywhere else, and these tests cover a feature (OpenSSL custom engines) which is deprecated and will be removed in OpenSSL v4 anyway. A small config change here updates them to instead dynamically look up symbols which should give the same result without issues.

Upsides:

This reduces certificate transfer size in handshakes significantly. In the example in the tests, total TLS handshake bytes shrinks 50%, even in minimal examples it should still be 15% or so.
That effect will get more significant in future with larger post-quantum certs and similar.
We'll probably want to enable this anyway for QUIC eventually, as limits there mean larger handshakes are a significant performance issue. I'm not an expert but my understanding: in TCP servers can generally send a 14KB response before hitting TCP congestion windows and waiting for a client ack. QUIC amplification protection meanwhile effectively gives a 3.6KB window until response, much smaller, and a server handshake message larger than that delays the whole connection setup for an extra RTT. That limit is very tight so compression is necessary to avoid extra RTs for many connections.
Reduces fingerprintability of Node.js traffic: all browser clients include the certificate compression extension in TLS client hellos, while Node does not, making TLS connections from Node trivially recognizable (so this helps support user-space solutions to Provide APIs to help control TLS fingerprints #41112).

Binary size

Since the compression libraries are already included in Node anyway, this is minimal: a standard Node build on my machine is 131MB, and increases 40KB (0.03%) with this addition.

Compression risks in TLS e.g. CRIME

No-comp was originally here in part to disable TLS record compression (compression during the connection itself, broken by CRIME). In this PR we're not enabling that, we're enabling certificate compression (how certs are transferred during the initial handshake only). There's no known vulnerabilities around certificate compression itself AFAIK, and it's enabled in all modern browsers and user-facing backends like NGINX, HAProxy, Envoy, etc so seems like a safe bet. This PR also keeps it disabled by default - it just becomes optionally available.

Record compression here is not enabled by this change, despite removing no-comp. It's independently disabled in many other ways:

OpenSSL disables record compression on all new contexts by default, unless explicitly enabled:

node/deps/openssl/openssl/ssl/ssl_lib.c

Lines 4207 to 4215 in 2b74812

    
               /* 
        
                * Disable compression by default to prevent CRIME. Applications can 
        
                * re-enable compression by configuring 
        
                * SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION); 
        
                * or by using the SSL_CONF library. Similarly we also enable TLSv1.3 
        
                * middlebox compatibility by default. This may be disabled by default in 
        
                * a later OpenSSL version. 
        
                */ 
        
               ret->options |= SSL_OP_NO_COMPRESSION | SSL_OP_ENABLE_MIDDLEBOX_COMPAT;

(AFAICT we don't expose any capability to reset this option).

OpenSSL additionally fully disallows all use of record compression with security level 2+ anyway (our default from v24.5/v25+).

We independently disable all record compression options here:

node/src/crypto/crypto_util.cc

Lines 165 to 167 in 2b74812

    
           // Turn off compression. Saves memory and protects against CRIME attacks. 
        
           // No-op with OPENSSL_NO_COMP builds of OpenSSL. 
        
           sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());

Record compression was completely removed from the protocol for TLS v1.3, so should be impossible to negotiate there in all scenarios even if we really really wanted to.

Removing it completely from the OpenSSL build as well was a nice extra protection, but it's not strictly required and blocks other unrelated TLS compression features.

nodejs-github-bot · 2026-03-11T20:29:01Z

Review requested:

@nodejs/gyp
@nodejs/security-wg

pimterry · 2026-03-12T13:15:28Z

Review from @nodejs/crypto also helpful. Although this is a deps change, it's primarily a TLS feature.

As noted in the description: the number of changes files is intimidating, but the vast vast majority are autogenerated updates! It's actually a fairly reasonable changeset 😄

aduh95 · 2026-03-12T16:11:17Z

Could you split the deps/ changes to a separate commit so it's easier to review please?

pimterry · 2026-03-12T17:27:46Z

@aduh95 Good idea. Now split into three commits: the first reconfigures the OpenSSL build, the 2nd contains all the auto-generated output from that, the 3rd contains the Node changes which use this to enable cert compression.

pimterry · 2026-03-26T13:05:27Z

It would be great to keep this moving, as it's going to have some large & painful conflicts to resolve if there are any other OpenSSL changes in the meantime. Cert compression has some nice benefits, I'd love to get the option in for v26 next month.

Any other reviews from @nodejs/crypto or maybe @nodejs/net?

panva · 2026-03-26T13:51:46Z

@pimterry this is not part of crypto that i can provide feedback/review for. Sorry.

pimterry · 2026-05-22T09:37:02Z

Now updated. I've:

Added a commit which adds no-tests to the OpenSSL build config. Without this, make gen-openssl fails on main - it only works during the process of a full OpenSSL update, because we git ignore the tests afterwards. No downside to this I think - it's just skipping configuring test code builds that we don't use.
Rebuilt the OpenSSL sources.
Rebased & squashed the cert compression commit
Updated the intermediate change messages to fixup! and added the rebase label, to land the TLS & deps changes as separate lines in the changelog.

That means there's 4 commits to review:

Enabling compression in OpenSSL build config (50 line change)
(as a fixup) Adding no-tests to OpenSSL build config (2 line change)
(as a fixup) Rebuilding OpenSSL (many thousands of lines - but reproducible with make gen-openssl)
Exposing a new certificateCompression option for TLS (a couple of hundred lines)

@jasnell can you take a look at this? This is useful for TLS generally, but specifically solves the large certificates problem for QUIC you're listing in the docs, by enabling certificate compression so we can avoid handshake round trips. This has been sat open for a while, but worth prioritising for QUIC imo. Disabled by default here for normal TLS so it's optional & definitely non-breaking, but once it's merged we could test out enabling it by default in QUIC contexts.

jasnell · 2026-05-22T13:47:14Z

Yeah, I've been meaning to come back to this. Record-level compression has long been actively problematic due to CRIME and similar types of exploits. Certificate-compression should be fine but last I checked openssl was gating both behind the same flag. As long as we're certain that enabling this won't accidentally enable record-level compression, then I'm all for it.

Fix OpenSSL rebuilds with 'no-tests' We don't include the tests in our tree (git ignored) so running `make gen-openssl` failed on a fresh checkout - it only worked when pulling in a whole new OpenSSL tree during OpenSSL updates (not config changes). We now skip building OpenSSL's tests entirely, which cleans that up and avoids unnecessary work during OpenSSL updates (since we don't actually use these tests anywhere).

Rebuild OpenSSL using new config

This changes enables compression within OpenSSL *without* enabling record compression, so this only affects compression of certificates delivered within the TLS handshake. This certificate compression remains disabled by default for now, but becomes available via the new certificateCompression option in TLS context APIs. Enabling this shrinks handshakes significantly, and also reduces fingerprintability of Node.js client handshakes, as these are enabled in all modern browsers by default.

Address various review comments: * Pack compression args into a uint32 instead of transferring as a full string[]. * Reject compression settings if TLS 1.3 is excluded. * Use a constant for 'compress with all algorithms' arg * Use RAII for compressed cert data * Add tests to verify we reject large certs and that *record* compression is not enabled. Signed-off-by: Tim Perry <pimterry@gmail.com>

nodejs-github-bot · 2026-06-17T22:09:25Z

CI: https://ci.nodejs.org/job/node-test-pull-request/74220/

Fix the shared lib tests. This adds a new tls.getCertificateCompressionAlgorithms() method to detect support and specific compression algorithm availability, and then uses this in the tests to skip algorithms (or the entire test) that aren't available. We also skip the large cert test if OpenSSL isn't available either. Lastly, we change the internal macros used to detect support to check the OpenSSL version range as well - old OpenSSL doesn't support it at all, so doesn't set OPENSSL_NO_COMP_ALG even though they're not available.

nodejs-github-bot · 2026-06-18T00:12:01Z

CI: https://ci.nodejs.org/job/node-test-pull-request/74221/

Drop openssl from the tests entirely, and change build config to not include the various compression libraries if we're configured to use shared libs instead.

nodejs-github-bot · 2026-06-18T10:01:36Z

CI: https://ci.nodejs.org/job/node-test-pull-request/74231/

nodejs-github-bot · 2026-06-18T11:43:29Z

CI: https://ci.nodejs.org/job/node-test-pull-request/74232/

pimterry · 2026-06-18T15:43:26Z

Thanks for the review @anonrig! Super helpful to get this moving.

It's now run through CI - a last couple of fixes required there:

The shared lib tests for old OpenSSL failed (we needed a version check in addition to ifndef OPENSSL_NO_COMP_ALG)
The changed config broke the setup for shared zlib as well: we now include compression libs only if not shared, and there's a new tls.getCertificateCompressionAlgorithms() which lists what's supported, which helpfully also lets us gate the tests on compression algo support.
The alpine builds failed due to the use of openssl in one of the tests - we now have a pure JS solution to do the same thing.

CI is now all passing, it just needs one approve on the latest changes and then this is good to merge 🙏

jasnell · 2026-06-19T05:32:59Z

+  bool HasCertCompression() const {
+    return cert_comp_prefs_len_ > 0;
+  }
+  int* CertCompPrefs() {


Not a huge fan of returning a raw pointer like this.

This is a fair point. I would tidy it up, but this PR has been stuck for 3 months already and every conflict & rebase & rebuild loop is a pain, so I'd really really rather not go another round. It's approved & green, so I'm going to merge for now. It could be tidier, agreed, but I'm pretty confident there's not an actual issue here.

I'll add this to my list to tidy up later (you'll be unsurprised and hopefully only mildly concerned to hear I have some ideas for TLS API improvements for QUIC on my list too, which will involve poking at some other TLS bits & pieces soon anyway).

nodejs-github-bot · 2026-06-19T13:50:53Z

Commit Queue failed

- Loading data for nodejs/node/pull/62217 ✔ Done loading data for nodejs/node/pull/62217 ----------------------------------- PR info ------------------------------------ Title Enable compression in OpenSSL and add opt-in certificate compression support for TLS connections (#62217) ⚠ Could not retrieve the email or name of the PR author's from user's GitHub profile! Branch pimterry:openssl-compression -> nodejs:main Labels semver-minor, openssl, author ready, needs-ci, review wanted, dependencies, commit-queue-rebase, large-pr Commits 7 - deps: update OpenSSL build config to support compression - fixup! deps: update OpenSSL build config to support compression - fixup! deps: update OpenSSL build config to support compression - tls: add certificateCompression option - fixup! tls: add certificateCompression option - fixup! tls: add certificateCompression option - fixup! tls: add certificateCompression option Committers 1 - Tim Perry <pimterry@gmail.com> PR-URL: https://github.com/nodejs/node/pull/62217 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: James M Snell <jasnell@gmail.com> ------------------------------ Generated metadata ------------------------------ PR-URL: https://github.com/nodejs/node/pull/62217 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: James M Snell <jasnell@gmail.com> -------------------------------------------------------------------------------- ℹ This PR was created on Wed, 11 Mar 2026 20:28:53 GMT ✔ Approvals: 2 ✔ - Yagiz Nizipli (@anonrig) (TSC): https://github.com/nodejs/node/pull/62217#pullrequestreview-4519744354 ✔ - James M Snell (@jasnell) (TSC): https://github.com/nodejs/node/pull/62217#pullrequestreview-4530322558 ✔ Last GitHub CI successful ℹ Last Full PR CI on 2026-06-18T11:43:29Z: https://ci.nodejs.org/job/node-test-pull-request/74232/ - Querying data for job/node-test-pull-request/74232/ ✔ Build data downloaded ✔ Last Jenkins CI successful -------------------------------------------------------------------------------- ✔ No git cherry-pick in progress ✔ No git am in progress ✔ No git rebase in progress -------------------------------------------------------------------------------- - Bringing origin/main up to date... From https://github.com/nodejs/node * branch main -> FETCH_HEAD ✔ origin/main is now up-to-date - Downloading patch for 62217 From https://github.com/nodejs/node * branch refs/pull/62217/merge -> FETCH_HEAD ✔ Fetched commits as 8fa595456943..ffbba49d21f3 -------------------------------------------------------------------------------- [main 39c47151c0] deps: update OpenSSL build config to support compression Author: Tim Perry <pimterry@gmail.com> Date: Thu Mar 12 18:18:22 2026 +0100 8 files changed, 52 insertions(+), 19 deletions(-) [main 946f7b8114] fixup! deps: update OpenSSL build config to support compression Author: Tim Perry <pimterry@gmail.com> Date: Wed Mar 11 20:07:57 2026 +0100 1 file changed, 2 insertions(+), 1 deletion(-) [main 3d44023aaf] fixup! deps: update OpenSSL build config to support compression Author: Tim Perry <pimterry@gmail.com> Date: Thu Mar 12 18:18:56 2026 +0100 342 files changed, 1342430 insertions(+), 1766706 deletions(-) Auto-merging lib/internal/tls/wrap.js [main 338b0aa69c] tls: add certificateCompression option Author: Tim Perry <pimterry@gmail.com> Date: Wed Mar 11 17:20:36 2026 +0100 7 files changed, 368 insertions(+) create mode 100644 test/parallel/test-tls-certificate-compression.js [main bfcb41051e] fixup! tls: add certificateCompression option Author: Tim Perry <pimterry@gmail.com> Date: Tue Jun 2 14:04:48 2026 +0200 3 files changed, 140 insertions(+), 32 deletions(-) Auto-merging lib/tls.js [main ac4a1f1d1c] fixup! tls: add certificateCompression option Author: Tim Perry <pimterry@gmail.com> Date: Thu Jun 18 01:23:27 2026 +0200 7 files changed, 83 insertions(+), 26 deletions(-) [main 078a5f5c95] fixup! tls: add certificateCompression option Author: Tim Perry <pimterry@gmail.com> Date: Thu Jun 18 11:29:04 2026 +0200 2 files changed, 19 insertions(+), 45 deletions(-) ✔ Patches applied There are 7 commits in the PR. Attempting autorebase. (node:648) [DEP0190] DeprecationWarning: Passing args to a child process with shell option true can lead to security vulnerabilities, as the arguments are not escaped, only concatenated. (Use `node --trace-deprecation ...` to show where the warning was created) Rebasing (2/9) Rebasing (3/9) Rebasing (4/9) Executing: git node land --amend --yes --------------------------------- New Message ---------------------------------- deps: update OpenSSL build config to support compression

PR-URL: #62217
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: James M Snell <jasnell@gmail.com>

[detached HEAD 2141b4a69b] deps: update OpenSSL build config to support compression
Author: Tim Perry <pimterry@gmail.com>
Date: Thu Mar 12 18:18:22 2026 +0100
350 files changed, 1342483 insertions(+), 1766725 deletions(-)
Rebasing (5/9)
Rebasing (6/9)
Rebasing (7/9)
Rebasing (8/9)
Rebasing (9/9)
Executing: git node land --amend --yes
--------------------------------- New Message ----------------------------------
tls: add certificateCompression option

This changes enables compression within OpenSSL without enabling
record compression, so this only affects compression of certificates
delivered within the TLS handshake. This certificate compression remains
disabled by default for now, but becomes available via the new
certificateCompression option in TLS context APIs.

Enabling this shrinks handshakes significantly, and also reduces
fingerprintability of Node.js client handshakes, as these are enabled in
all modern browsers by default.

PR-URL: #62217
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: James M Snell <jasnell@gmail.com>

[detached HEAD 9652050d7a] tls: add certificateCompression option
Author: Tim Perry <pimterry@gmail.com>
Date: Wed Mar 11 17:20:36 2026 +0100
10 files changed, 513 insertions(+), 6 deletions(-)
create mode 100644 test/parallel/test-tls-certificate-compression.js
Successfully rebased and updated refs/heads/main.

✔ 2141b4a69b2437419fd5ed02987b0aed003ffaa4
✔ 0:0 no Assisted-by metadata assisted-by-is-trailer
✔ 0:0 no Co-authored-by metadata co-authored-by-is-trailer
✔ 0:0 skipping fixes-url fixes-url
✔ 0:0 blank line after title line-after-title
✔ 0:0 line-lengths are valid line-length
✔ 0:0 metadata is at end of message metadata-end
✔ 1:8 PR-URL is valid. pr-url
✔ 0:0 reviewers are valid reviewers
✔ 0:0 skipping sign-off for deps commit signed-off-by
✔ 0:0 valid subsystems subsystem
✔ 0:0 Title is formatted correctly. title-format
⚠ 0:50 Title should be <= 50 columns. title-length
✖ 9652050d7ac2fe1e9fc8188a7fd7d4a54179b91c
✔ 0:0 no Assisted-by metadata assisted-by-is-trailer
✔ 0:0 no Co-authored-by metadata co-authored-by-is-trailer
✔ 0:0 skipping fixes-url fixes-url
✔ 0:0 blank line after title line-after-title
✔ 0:0 line-lengths are valid line-length
✔ 0:0 metadata is at end of message metadata-end
✔ 11:8 PR-URL is valid. pr-url
✔ 0:0 reviewers are valid reviewers
✖ 0:0 Commit must have a "Signed-off-by" trailer signed-off-by
✔ 0:0 valid subsystems subsystem
✔ 0:0 Title is formatted correctly. title-format
✔ 0:0 Title is <= 50 columns. title-length

ℹ Please fix the commit message and try again.
Please manually ammend the commit message, by running
git commit --amend
Once commit message is fixed, finish the landing command running
git node land --continue

https://github.com/nodejs/node/actions/runs/27829375354

Signed-off-by: Tim Perry <pimterry@gmail.com> PR-URL: #62217 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: James M Snell <jasnell@gmail.com>

This changes enables compression within OpenSSL *without* enabling record compression, so this only affects compression of certificates delivered within the TLS handshake. This certificate compression remains disabled by default for now, but becomes available via the new certificateCompression option in TLS context APIs. Enabling this shrinks handshakes significantly, and also reduces fingerprintability of Node.js client handshakes, as these are enabled in all modern browsers by default. Signed-off-by: Tim Perry <pimterry@gmail.com> PR-URL: #62217 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: James M Snell <jasnell@gmail.com>

pimterry · 2026-06-19T14:09:56Z

Landed in 21310cb...e52ec44

nodejs-github-bot added dependencies Pull requests that update a dependency file. needs-ci PRs that need a full CI run. openssl Issues and PRs related to the OpenSSL dependency. labels Mar 11, 2026

pimterry force-pushed the openssl-compression branch 2 times, most recently from 536ac85 to b7d557b Compare March 12, 2026 12:26

pimterry force-pushed the openssl-compression branch from b7d557b to aee82a2 Compare March 12, 2026 17:24

anonrig reviewed Mar 12, 2026

View reviewed changes

Comment thread src/crypto/crypto_context.cc

Comment thread src/crypto/crypto_context.h

addaleax reviewed Mar 13, 2026

View reviewed changes

Comment thread src/crypto/crypto_context.cc Outdated

pimterry added the semver-minor PRs that contain new features and should be released in the next minor version. label Mar 14, 2026

pimterry mentioned this pull request Mar 15, 2026

Provide APIs to help control TLS fingerprints #41112

Open

pimterry requested review from addaleax and anonrig March 17, 2026 10:51

pimterry added the review wanted PRs that need reviews. label Mar 31, 2026

pimterry force-pushed the openssl-compression branch from dc67a6f to 867a64a Compare May 22, 2026 09:27

pimterry added the commit-queue-rebase Add this label to allow the Commit Queue to land a PR in several commits. label May 22, 2026