ssl-certificate-compression #
TLS certificate compression (RFC 8879), enabled by the `ssl-cert-compression.patch` core patch. OpenSSL 3.2+/4.0 implements brotli/zlib/zstd certificate compression internally; the patch adds the companion `ssl_certificate_compression_algorithms` directive (http / stream / mail) so the operator can restrict and reorder which algorithms are offered, on top of the upstream on/off `ssl_certificate_compression` switch. The certificate chain is compressed once at startup and cached, so there is no per-handshake cost. Requires openssl-nginx built with `enable-brotli` / `enable-zstd` for those algorithms.
Source: our fork on GitHub
Directives
ssl_certificate_compression #
syntax: ssl_certificate_compression on | off · default: ssl_certificate_compression off · context: http, server, stream, mail
Upstream on/off switch that enables TLS certificate compression. When on, the server offers a compressed certificate chain to clients that advertise RFC 8879 support.
ssl_certificate_compression_algorithms #
syntax: ssl_certificate_compression_algorithms brotli | zlib | zstd ... · default: (all algorithms the OpenSSL build supports, brotli preferred) · context: http, server, stream, mail
Restricts and reorders the certificate-compression algorithms the server offers, via SSL_CTX_set1_cert_comp_preference(). The order given is the preference order. Ignored (with a warning) when ssl_certificate_compression is off; brotli/zstd require an openssl-nginx built with enable-brotli / enable-zstd.
Example
server {
listen 443 ssl;
ssl_certificate /etc/ssl/site.crt;
ssl_certificate_key /etc/ssl/site.key;
# Compress the certificate chain (RFC 8879), brotli first
ssl_certificate_compression on;
ssl_certificate_compression_algorithms brotli zlib zstd;
}