From 51cd687fc8b700d608f5e4e57ebcd66b533d514d Mon Sep 17 00:00:00 2001 From: Sebastian Beltran Date: Sun, 12 Jul 2026 17:51:58 +0000 Subject: [PATCH] quic: add support for TLS certificate compression Signed-off-by: Sebastian Beltran --- doc/api/quic.md | 38 +++++- lib/internal/quic/quic.js | 42 +++++++ src/quic/bindingdata.h | 1 + src/quic/tlscontext.cc | 53 ++++++++- src/quic/tlscontext.h | 10 ++ .../test-quic-certificate-compression.mjs | 112 ++++++++++++++++++ 6 files changed, 251 insertions(+), 5 deletions(-) create mode 100644 test/parallel/test-quic-certificate-compression.mjs diff --git a/doc/api/quic.md b/doc/api/quic.md index a19ff2befb5731..23dca30ae81b21 100644 --- a/doc/api/quic.md +++ b/doc/api/quic.md @@ -137,8 +137,12 @@ To avoid this, servers should use compact certificate chains: large RSA intermediates. The choice of CA directly affects handshake latency. Certificate compression ([RFC 8879][]) can also address this issue by -compressing the certificate chain during the handshake. However, Node.js does -not currently support TLS certificate compression. +compressing the certificate chain during the handshake, often keeping the +server's Certificate message within the amplification limit and avoiding the +extra round trip. Certificate compression is opt-in via the +[`certificateCompression`][] TLS option and is disabled by default. When +enabled, it applies to both the server's certificate and, for mutual TLS, +the client's certificate. ### Rate limiting @@ -2918,6 +2922,34 @@ added: v23.8.0 The TLS certificates to use for client sessions. For server sessions, certificates are specified per-identity in the [`sessionOptions.sni`][] map. +#### `sessionOptions.certificateCompression` + + + +* Type: {string\[]} One or more of `'zlib'`, `'brotli'`, or `'zstd'`, in + preference order. + +Enables TLS certificate compression ([RFC 8879][]) for this session. When +omitted, certificate compression is disabled. + +On the server side, the certificate chain is compressed using the first +listed algorithm that the client advertises support for. On the client side, +the listed algorithms are advertised to the server so that the server may +compress its certificate. When client authentication is in use, the option +also controls compression of the client's certificate. + +Compressing the certificate chain is especially useful for QUIC because it +reduces the size of the server's first flight, which is bounded by the +anti-amplification limit (see [Certificate size and handshake +performance][]). Certificate compression requires TLS 1.3, which QUIC always +uses. + +At most three algorithms may be specified. The option is silently ignored if +Node.js was built against a shared OpenSSL that lacks certificate compression +support. + #### `sessionOptions.ciphers`