Type: CSR
Resolution: Unresolved
Priority: P3
Component/s: security-libs
Compatibility Kind: behavioral
Compatibility Risk: low
Interface Kind: Java API, System or security property
Summary
Support the TLS Certificate Compression standard (RFC 8879), which reduces latency and improves the security and performance of TLS 1.3 and QUIC connections.
Problem
For TLS connections, a client must authenticate the identity of the server. This typically involves verifying that the server's identity is included in a certificate and that the certificate is issued by a trusted entity.
Where servers provide certificates for authentication, the certificate chain can consume a large number of bytes. Controlling the size of certificate chains is critical to performance and security in QUIC. TLS certificate compression can ameliorate this problem by reducing the handshake to a size compatible with that security restriction.
In addition, keeping the amount of information exchanged during a TLS handshake to a minimum improves performance in environments such as the Internet of Things, where devices are connected over low-bandwidth, lossy radio links.
This feature is one part of improving the performance of TLS connections, and it is also a step on the path towards the QUIC standards.
Solution
Implement certificate compression in TLS 1.3 using the internally supported ZLIB compression algorithm.
Specification
--- a/src/java.base/share/classes/javax/net/ssl/SSLParameters.java
+++ b/src/java.base/share/classes/javax/net/ssl/SSLParameters.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2005, 2025, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2026, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -86,6 +86,7 @@ public class SSLParameters {
private String[] applicationProtocols = new String[0];
private String[] signatureSchemes = null;
private String[] namedGroups = null;
+ private boolean enableCertificateCompression = true;
/**
* Constructs SSLParameters.
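Review bot: the new field is initialised to `true` in its declaration (`private boolean enableCertificateCompression = true;`), and the text after the diff says the `jdk.tls.enableCertificateCompression` system property also defaults to `true`; nothing in this hunk ties the field default to that property, so the accessor javadoc should state which setting wins when the property is `false` but `setEnableCertificateCompression(true)` is called, or when the property is `true` and the method is never called.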
@@ -94,8 +95,8 @@ public class SSLParameters {
* constraints, endpoint identification algorithm, signature schemes,
* server names and server name matchers are set to {@code null};
* useCipherSuitesOrder, wantClientAuth and needClientAuth are set
- * to {@code false}; enableRetransmissions is set to {@code true};
- * maximum network packet size is set to {@code 0}.
+ * to {@code false}; enableRetransmissions and enableCertificateCompression
+ * are set to {@code true}; maximum network packet size is set to {@code 0}.
*/
public SSLParameters() {
// empty
@@ -960,4 +961,46 @@ public void setNamedGroups(String[] namedGroups) {
this.namedGroups = tempGroups;
}
+
+ /**
+ * Sets whether TLS certificate compression should be enabled.
+ * This method only applies to TLSv1.3.
+ *
+ * @apiNote The peer needs to support the underlying extension
+ * and compression format in order for certificate compression
+ * to work.
+ *
+ * @implNote The SunJSSE provider supports only zlib compression.
+ * Other JSSE providers may not support this method.
+ *
+ * @spec https://www.rfc-editor.org/info/rfc8879
+ * RFC 8879: TLS Certificate Compression
+ *
+ * @param enableCertificateCompression
+ * {@code true} indicates that TLS certificate compression
+ * should be enabled; {@code false} indicates that TLS certificate
+ * compression should be disabled
+ *
+ * @see #getEnableCertificateCompression()
+ *
+ * @since 27
+ */
+ public void setEnableCertificateCompression(
+ boolean enableCertificateCompression) {
+ this.enableCertificateCompression = enableCertificateCompression;
+ }
+
+ /**
+ * Returns whether TLS certificate compression should be enabled.
+ * This method only applies to TLSv1.3.
+ *
+ * @return true, if TLS certificate compression should be enabled
+ *
+ * @see #setEnableCertificateCompression(boolean)
+ *
+ * @since 27
+ */
+ public boolean getEnableCertificateCompression() {
+ return this.enableCertificateCompression;
+ }
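Review bot: the getter's `@return true, if TLS certificate compression should be enabled` should read `{@code true} if ...` to match the setter's `@param` text, and the `@see` cross-references should be kept consistent with that wording. Beyond style, neither javadoc says whether the flag governs both directions (advertising support for receiving compressed certificates and sending a compressed Certificate when the peer advertises support) or what "This method only applies to TLSv1.3" means for a TLS 1.2 connection (silently ignored or an error); suggest spelling both out in the setter's description so callers can predict the effect on SSLEngine and SSLSocket.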
Also introduce the jdk.tls.enableCertificateCompression system property, which can be set to either true or false. The default is true.
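The wire structure that the zlib support described in the Solution section produces and consumes, as an added example that is not part of this CSR or of the JDK implementation: an encoder and decoder for the RFC 8879 CompressedCertificate body (algorithm, uint24 uncompressed_length, length-prefixed compressed bytes), with the receiver-side checks that reject a mismatched uncompressed_length instead of inflating an unbounded amount of data. The class and method names, the 4096-byte deflate buffer and the use of DataFormatException to stand in for the RFC's bad_certificate alert are assumptions of this example.

```java
import java.io.ByteArrayOutputStream;
import java.nio.ByteBuffer;
import java.util.zip.DataFormatException;
import java.util.zip.Deflater;
import java.util.zip.Inflater;

// RFC 8879 CompressedCertificate body: algorithm(2) || uncompressed_length(3) || compressed<1..2^24-1>
public final class CompressedCertificate {
    static final int ZLIB = 1;                // CertificateCompressionAlgorithm code point for zlib
    static final int MAX_LEN = (1 << 24) - 1; // uint24 bound shared by both length fields

    /** Sender side: deflate the Certificate message body and wrap it in the RFC 8879 structure. */
    static byte[] compress(byte[] certificateBody) {
        if (certificateBody.length == 0 || certificateBody.length > MAX_LEN)
            throw new IllegalArgumentException("Certificate message length outside uint24 range");
        Deflater def = new Deflater(); def.setInput(certificateBody); def.finish();
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[4096]; // assumed chunk size for draining the deflater
        while (!def.finished()) out.write(buf, 0, def.deflate(buf));
        def.end();
        byte[] compressed = out.toByteArray();
        ByteBuffer msg = ByteBuffer.allocate(8 + compressed.length).putShort((short) ZLIB);
        putUint24(msg, certificateBody.length);
        putUint24(msg, compressed.length);
        return msg.put(compressed).array();
    }

    /** Receiver side: every failure here is what RFC 8879 maps to a bad_certificate alert. */
    static byte[] decompress(byte[] msg) throws DataFormatException {
        ByteBuffer in = ByteBuffer.wrap(msg);
        if (in.remaining() < 8) throw new DataFormatException("truncated CompressedCertificate");
        if ((in.getShort() & 0xFFFF) != ZLIB) throw new DataFormatException("unsupported algorithm");
        int uncompressedLength = getUint24(in), compressedLength = getUint24(in);
        if (compressedLength == 0 || compressedLength != in.remaining())
            throw new DataFormatException("compressed_certificate_message length mismatch");
        // Inflate into exactly uncompressed_length bytes, so a peer cannot make us inflate more than advertised.
        byte[] plain = new byte[uncompressedLength];
        Inflater inf = new Inflater();
        inf.setInput(msg, in.position(), compressedLength);
        int n = inf.inflate(plain);
        // 1-byte probe: rejects a stream longer than advertised even if the first call stopped as the buffer filled.
        boolean exact = n == uncompressedLength && inf.inflate(new byte[1]) == 0 && inf.finished();
        inf.end();
        if (!exact) throw new DataFormatException("uncompressed_length does not match inflated data");
        return plain;
    }

    static void putUint24(ByteBuffer b, int v) { b.put((byte) (v >>> 16)).put((byte) (v >>> 8)).put((byte) v); }
    static int getUint24(ByteBuffer b) { return ((b.get() & 0xFF) << 16) | ((b.get() & 0xFF) << 8) | (b.get() & 0xFF); }
}
```

A truncated, padded or over-long zlib stream all end in the DataFormatException path, which is the point at which a TLS implementation would send bad_certificate and close the connection.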
CSR of: JDK-8372526 Add support for ZLIB TLS Certificate Compression (In Progress)