Hi,

Disclaimer: I am fairly new to this community, and if this has already been discussed, 
please bash me for not searching the archive.

I am curious to know if there is a performance benchmark done with and without 
zlib compression.

I am trying to understand the use cases where this makes sense and where it does 
not.

Regards,
Rohit
-----Original message-----
From: Dr. Stephen Henson
Sent:  17/01/2012, 6:10  pm
To: openssl-users@openssl.org
Subject: Re: About compression in SSL.



On Tue, Jan 17, 2012, nilesh wrote:

> On Tuesday 17 January 2012 04:46 PM, t...@terralogic.net wrote:
> >I would want to double check this.  The APACHE docs found here state the 
> >following:
> >
> >http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html
> >
> >"How do I get SSL compression working?
> >
> >Although SSL compression negotiation was defined in the specification of 
> >SSLv2 and TLS, it took until May 2004 for RFC 3749 to define DEFLATE as a 
> >negotiable standard compression method.
> >
> >OpenSSL 0.9.8 started to support this by default when compiled with the zlib 
> >option. If both the client and the server support compression, it will be 
> >used. However, most clients still try to initially connect with an SSLv2 
> >Hello. As SSLv2 did not include an array of preferred compression algorithms 
> >in its handshake, compression cannot be negotiated with these clients. If 
> >the client disables support for SSLv2, either an SSLv3 or TLS Hello may be 
> >sent, depending on which SSL library is used, and compression may be set up. 
> >You can verify whether clients make use of SSL compression by logging the 
> >%{SSL_COMPRESS_METHOD}x variable.
> >
> I checked into the library that I am using - libcrypto.so.0.9.8 and
> the BIO_f_zlib() function is on.
> So looks like it is compiled with zlib, but I still do not see the
> compression algorithm.
> Looks like it mostly relies on the application level compression
> than SSL layer.
> http://www.belshe.com/2010/11/18/ssl-compression-and-you/
> 

If it is supported by both sides it should automatically be used. If you have
BIO_f_zlib() it should include compression support (though the SSL/TLS code
doesn't use BIO_f_zlib itself).

To test this in OpenSSL 0.9.8 try connecting to s_server using s_client with
the command line switch -no_ssl2 . If you are using OpenSSL 1.0.0 or later you
don't need this switch as it doesn't use SSLv2 client hellos by default. The
output should indicate that zlib compression is being used.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
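
The s_client check described in the quoted reply, as an added example that is not part of the original thread: a small filter that reads an `openssl s_client` transcript and reports whether compression was negotiated. The sample transcripts are constructed, the unindented `Compression:` summary line is the assumed output layout, and the host and port in the usage comment are placeholders.

```shell
#!/bin/sh
# Live use (assumed local test server started with `openssl s_server`;
# -no_ssl2 is only needed with OpenSSL 0.9.8, as the reply explains):
#   openssl s_client -connect localhost:4433 -no_ssl2 </dev/null 2>&1 | compression_verdict

# Constructed sample transcripts (not captured from a real server).
sample_zlib='New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Compression: 1 (zlib compression)'

sample_none='New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1'

sample_failed='connect: Connection refused
connect:errno=111'

# Read an s_client transcript on stdin and print exactly one verdict:
#   compressed:<method> | uncompressed | no-handshake
compression_verdict() {
    awk '
        # Match only the unindented summary line; the indented copy under
        # "SSL-Session:" repeats the same information in another format.
        /^Compression:/ {
            comp = $0
            sub(/^Compression:[ \t]*/, "", comp)
            sub(/[ \t\r]+$/, "", comp)      # tolerate CRLF transcripts
        }
        END {
            if (comp == "")          print "no-handshake"
            else if (comp == "NONE") print "uncompressed"
            else                     print "compressed:" comp
        }'
}

for name in zlib none failed; do
    eval "transcript=\$sample_$name"
    printf '%-7s -> %s\n' "$name" "$(printf '%s\n' "$transcript" | compression_verdict)"
done
```

A `no-handshake` verdict means the transcript never reached the session summary, so it says nothing about compression support on either side.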
