Summary

Support the TLS Certificate Compression standard (RFC 8879) for zlib compression algorithm. This new feature reduces latency and improve security and performance of TLS 1.3 and QUIC connections.

Problem

For TLS connections, a client must authenticate the identity of the server. This typically involves verification that the identity of the server is included in a certificate and that the certificate is issued by a trusted entity.

Where servers provide certificates for authentication, the size of the certificate chain can consume a large number of bytes. Controlling the size of certificate chains is critical to performance and security. TLS certificate compression has the potential to ameliorate the problems by reducing the size of the handshakes to a size compatible with the security restriction.

Besides, reducing the amount of information exchanged during a TLS handshake to a minimum helps to improve performance in environments, for example Internet of Things, where devices are connected to a network with a low bandwidth and lossy radio technology.

Importance of Certificate Compression for QUIC

Certificate compression was first introduced in the experimental Google QUIC (gQUIC) protocol, but current QUIC spec doesn't mention it. It delegates this functionality to the TLS 1.3 layer. This extension is critical for QUIC because:

• Anti-Amplification Limits: QUIC servers are restricted by a "3x amplification limit," meaning they cannot send more than three times the data they have received from an unverified client.
• Single-Flight Handshakes: Large, uncompressed certificate chains often exceed this limit, forcing an additional round trip (RTT) that negates QUIC's low-latency benefits.

Limitations

• Mostly the certificate's metadata is being compressed, the keys are high-entropy data difficult to compress.
• ML-DSA certificates don’t compress well, most likely because of lower metadata size to key size ratio.
• Only zlib compression algorithm, which is internally implemented by OpenJDK, to be supported. brotli and zstd compression algorithms currently are not supported, but may be supported in the future.

Solution

Implement certificate compression in TLS 1.3 using internally supported ZLIB compression algorithm.

Specification

1. Introduce new SSLParameters certificate compression API:

--- a/src/java.base/share/classes/javax/net/ssl/SSLParameters.java
+++ b/src/java.base/share/classes/javax/net/ssl/SSLParameters.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2025, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2026, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -86,6 +86,7 @@ public class SSLParameters {
     private String[] applicationProtocols = new String[0];
     private String[] signatureSchemes = null;
     private String[] namedGroups = null;
+    private boolean enableCertificateCompression = true;

     /**
      * Constructs SSLParameters.
@@ -94,8 +95,8 @@ public class SSLParameters {
      * constraints, endpoint identification algorithm, signature schemes,
      * server names and server name matchers are set to {@code null};
      * useCipherSuitesOrder, wantClientAuth and needClientAuth are set
-     * to {@code false}; enableRetransmissions is set to {@code true};
-     * maximum network packet size is set to {@code 0}.
+     * to {@code false}; enableRetransmissions and enableCertificateCompression
+     * are set to {@code true}; maximum network packet size is set to {@code 0}.
      */
     public SSLParameters() {
         // empty
@@ -960,4 +961,45 @@ public void setNamedGroups(String[] namedGroups) {

         this.namedGroups = tempGroups;
     }
+
+    /**
+     * Sets whether TLS certificate compression should be enabled.
+     * This method only applies to TLSv1.3.
+     *
+     * @apiNote The peer must support compress_certificate extension and
+     * compression format in order for certificate compression to work.
+     *
+     * @implNote The SunJSSE provider only supports zlib compression.
+     * Other JSSE providers may not support this method.
+     *
+     * @spec https://www.rfc-editor.org/info/rfc8879
+     * RFC 8879: TLS Certificate Compression
+     *
+     * @param   enableCertificateCompression
+     *          {@code true} indicates that TLS certificate compression
+     *          should be enabled; {@code false} indicates that TLS certificate
+     *          compression should be disabled
+     *
+     * @see     #getEnableCertificateCompression()
+     *
+     * @since 27
+     */
+    public void setEnableCertificateCompression(
+            boolean enableCertificateCompression) {
+        this.enableCertificateCompression = enableCertificateCompression;
+    }
+
+    /**
+     * Returns whether TLS certificate compression should be enabled.
+     * This method only applies to TLSv1.3.
+     *
+     * @return  true, if TLS certificate compression should be enabled
+     *
+     * @see     #setEnableCertificateCompression(boolean)
+     *
+     * @since 27
+     */
+    public boolean getEnableCertificateCompression() {
+        return this.enableCertificateCompression;
+    }
 }

2. Introduce jdk.tls.enableCertificateCompression System property which can be set to either true or false. Default is true. This property is the default SSL configuration value, it will be overridden by SSLParameters if those are set programatically.