[PATCH 0 of 2] certificate compression
Sergey Kandaurov
pluknet at nginx.com
Wed Apr 12 12:55:48 UTC 2023
Notably, long certificate chains are compressed better,
with zlib demonstrating a slightly worse ratio.
no  zlib  brotli  zstd
1   .973  .964    .954
2   .907  .881    .877
3   .877  .853    .849
4   .856  .837    .836
5   .842  .827    .827
6   .835  .821    .822
Further, using ECDSA certificates (which itself produces Certificate
TLS messages of a smaller size compared to RSA, apparently due to
"using keys with small public key representations" (c) RFC 9001)
allows achieving better compression results.
Applied to QUIC handshake, this may conserve an additional round trip
when using long certificate chains with a not yet validated address.
Testing on self-signed certificates demonstrates an additional round
trip on a 5th RSA and 11th ECDSA certificate; real results may vary.
=== rsa ===
    server datagrams sent    w/ compression        cert msg ratio
1   1252 177                 1252 167              .98
2   1252 865                 1252 747              .91
3   1252 1252 369            1252 1252 123         .88
4   1252 1252 1057           1252 1252 672         .86
5   1252 1252 1252 - 561     1252 1252 1210        .84
6   1252 1252 1252 - 1248    1252 1252 1252 - 578  .84
=== ecdsa ===
1   1200                     1200                  .90
2   1200                     1200                  .65
3   1252 178                 1200                  .56
4   1252 470                 1200                  .51
5   1252 760                 1200                  .48
6   1252 1053                1252 111              .47
7   1252 1252 158            1252 218              .45
8   1252 1252 450            1252 322              .44
9   1252 1252 740            1252 426              .43
A   1252 1252 1033           1252 529              .42
B   1252 1252 1252 - 139     1252 631              .42
C   1252 1252 1252 - 431     1252 737              .41
Feedback is welcome.