Update cert compression reporting #13197
Pull request overview
This PR adjusts how ATS reports and enables TLS certificate compression (RFC 8879) when OpenSSL exposes the preference API but has built-in compression algorithms disabled (e.g., Fedora 44). It refines feature reporting to reflect usable algorithms, rejects disabled algorithms during configuration, and only runs the metric-based AuTest when ATS owns the compression callbacks.
Changes:
- Add finer-grained `traffic_layout` feature flags for certificate compression callbacks and per-algorithm availability, and compute `TS_HAS_CERT_COMPRESSION` from usable algorithms.
- Update certificate compression registration logic to treat algorithms as available/unavailable (e.g., based on `OPENSSL_NO_*`) and reject unavailable algorithms.
- Update the gold test to skip unless ATS has cert compression callbacks (so metrics-based verification is meaningful).
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| `tests/gold_tests/tls/tls_cert_comp.test.py` | Skip the cert-compression metrics test unless ATS owns the compression callbacks. |
| `src/traffic_layout/info.cc` | Report cert-compression support based on usable algorithms; add new feature flags for callbacks and per-algorithm availability. |
| `src/iocore/net/TLSCertCompression.cc` | Track algorithm availability and reject disabled algorithms when configuring cert compression preferences. |
| Dbg(dbg_ctl_ssl_cert_compress, "Unrecognized algorithm: %s", alg.c_str()); | ||
| return 0; | ||
| } | ||
| if (!info->available) { |
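Review bot: in the unrecognized-algorithm branch the only report is `Dbg(dbg_ctl_ssl_cert_compress, "Unrecognized algorithm: %s", alg.c_str());` before `return 0;`, so a misspelled algorithm name in the configuration is invisible unless that debug tag is enabled; consider reporting it at a level that is logged by default. The `if (!info->available)` branch that follows should, if it does not already, emit a message distinct from the unrecognized case so an operator can tell a typo from an algorithm this OpenSSL build has disabled.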
This line is gated by HAVE_SSL_CTX_ADD_CERT_COMPRESSION_ALG, so this condition is always false, unnecessary.
maskit left a comment:
Looks like the code is overcomplicated. I don't see the necessity of the `available` flag.
Some OpenSSL builds expose certificate-compression preference APIs while disabling the built-in compression algorithms. In that shape, ATS reported cert compression support based on API availability even though configured algorithms could not actually run.

This reports certificate-compression support from the algorithms ATS can use in the selected OpenSSL API path, and skips the callback-only AuTest unless callbacks are available. This also makes the supported algorithm table contain only usable entries, so configuration fails cleanly when an unavailable algorithm is requested.
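One way to build a table that holds only usable entries and to derive the feature flag from it, as an added C++ example that is not ATS code: `AlgInfo`, `usable_algs`, `has_cert_compression` and `parse_preference` are hypothetical names, and the two `#define`s are a constructed stand-in for an OpenSSL build that has brotli and zstd disabled.

```cpp
#include <optional>
#include <sstream>
#include <string>
#include <string_view>
#include <vector>

// Constructed stand-in for what <openssl/opensslconf.h> would define on a
// build that exposes the preference API but ships without brotli and zstd.
#define OPENSSL_NO_BROTLI
#define OPENSSL_NO_ZSTD

struct AlgInfo {               // hypothetical table entry
  std::string_view name;       // name accepted in the configuration
  int id;                      // RFC 8879 algorithm code point
};

// Only algorithms the TLS library can actually run get an entry, so a lookup
// miss covers both "unknown name" and "disabled in this build".
static const std::vector<AlgInfo> &usable_algs() {
  static const std::vector<AlgInfo> table = {
#ifndef OPENSSL_NO_ZLIB
    {"zlib", 1},
#endif
#ifndef OPENSSL_NO_BROTLI
    {"brotli", 2},
#endif
#ifndef OPENSSL_NO_ZSTD
    {"zstd", 3},
#endif
  };
  return table;
}

// Feature flag derived from usable entries, not from API presence.
bool has_cert_compression() { return !usable_algs().empty(); }

// Returns ids in preference order, or nullopt if any requested name is not
// usable, so the whole configuration is rejected instead of silently trimmed.
// Names are assumed to be comma-separated with no surrounding whitespace.
std::optional<std::vector<int>> parse_preference(const std::string &csv) {
  std::vector<int> ids;
  std::istringstream in(csv);
  for (std::string name; std::getline(in, name, ',');) {
    const AlgInfo *hit = nullptr;
    for (const auto &a : usable_algs()) if (a.name == name) hit = &a;
    if (!hit) return std::nullopt;
    ids.push_back(hit->id);
  }
  return ids;
}
```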