tls: add certificateCompression option

This changes enables compression within OpenSSL *without* enabling
record compression, so this only affects compression of certificates
delivered within the TLS handshake. This certificate compression remains
disabled by default for now, but becomes available via the new
certificateCompression option in TLS context APIs.

Enabling this shrinks handshakes significantly, and also reduces
fingerprintability of Node.js client handshakes, as these are enabled in
all modern browsers by default.

Author: pimterry

deps/openssl/config/Makefile

@@ -21,11 +21,17 @@ CC = gcc
 FAKE_GCC = ../config/fake_gcc.pl
 
 CONFIGURE = ./Configure
-# no-comp: against CRIME attack
 # no-shared: openssl-cli needs static link
 # no-afalgeng: old Linux kernel < 4.0 does not support it
 # enable-ssl-trace: cause the optional SSL_trace API to be built
-COPTS =  no-comp no-shared no-afalgeng enable-ssl-trace enable-fips
+# zlib/brotli/zstd: enable compression libraries for TLS certificate
+#   compression (RFC 8879). Record compression remains disabled at runtime
+#   via SSL_OP_NO_COMPRESSION and sk_SSL_COMP_zero() in crypto_util.cc.
+#   Include paths point to Node's bundled deps (relative to openssl/).
+COPTS =  no-shared no-afalgeng enable-ssl-trace enable-fips \
+         zlib --with-zlib-include=../../zlib \
+         enable-brotli --with-brotli-include=../../brotli/c/include \
+         enable-zstd --with-zstd-include=../../zstd/lib
 
 # disable platform check in Configure
 NO_WARN_ENV = CONFIGURE_CHECKER_WARN=1

deps/openssl/config/archs/BSD-x86/asm/configdata.pm

@@ -112,6 +112,7 @@ our %config = (
         "crypto/dso/build.info",
         "crypto/engine/build.info",
         "crypto/err/build.info",
+        "crypto/comp/build.info",
         "crypto/http/build.info",
         "crypto/ocsp/build.info",
         "crypto/cms/build.info",
@@ -189,9 +190,7 @@ our %config = (
         "OPENSSL_THREADS",
         "OPENSSL_NO_AFALGENG",
         "OPENSSL_NO_ASAN",
-        "OPENSSL_NO_BROTLI",
         "OPENSSL_NO_BROTLI_DYNAMIC",
-        "OPENSSL_NO_COMP",
         "OPENSSL_NO_CRYPTO_MDEBUG",
         "OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE",
         "OPENSSL_NO_DEMOS",
@@ -221,9 +220,7 @@ our %config = (
         "OPENSSL_NO_UPLINK",
         "OPENSSL_NO_WEAK_SSL_CIPHERS",
         "OPENSSL_NO_WINSTORE",
-        "OPENSSL_NO_ZLIB",
         "OPENSSL_NO_ZLIB_DYNAMIC",
-        "OPENSSL_NO_ZSTD",
         "OPENSSL_NO_ZSTD_DYNAMIC",
         "OPENSSL_NO_DYNAMIC_ENGINE"
     ],
@@ -232,17 +229,22 @@ our %config = (
     ],
     "openssl_sys_defines" => [],
     "openssldir" => "",
-    "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
+    "options" => "enable-ssl-trace enable-fips enable-zlib --with-zlib-include=../../zlib enable-brotli --with-brotli-include=../../brotli/c/include enable-zstd --with-zstd-include=../../zstd/lib no-afalgeng no-asan no-brotli-dynamic no-buildtest-c++ no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib-dynamic no-zstd-dynamic",
     "patch" => "5",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
     "perlargv" => [
-        "no-comp",
         "no-shared",
         "no-afalgeng",
         "enable-ssl-trace",
         "enable-fips",
+        "zlib",
+        "--with-zlib-include=../../zlib",
+        "enable-brotli",
+        "--with-brotli-include=../../brotli/c/include",
+        "enable-zstd",
+        "--with-zstd-include=../../zstd/lib",
         "BSD-x86"
     ],
     "perlenv" => {
@@ -320,16 +322,23 @@ our %target = (
     "cflags" => "-pthread",
     "cppflags" => "-D_THREAD_SAFE -D_REENTRANT",
     "defines" => [
-        "OPENSSL_BUILDING_OPENSSL"
+        "OPENSSL_BUILDING_OPENSSL",
+        "BROTLI",
+        "ZLIB",
+        "ZSTD"
     ],
     "disable" => [],
     "dso_ldflags" => "-Wl,-z,defs",
     "dso_scheme" => "dlfcn",
     "enable" => [
         "devcryptoeng"
     ],
-    "ex_libs" => "-pthread",
-    "includes" => [],
+    "ex_libs" => "-lz -lbrotlienc -lbrotlidec -lbrotlicommon -lm -lzstd -pthread",
+    "includes" => [
+        "../../brotli/c/include",
+        "../../zlib",
+        "../../zstd/lib"
+    ],
     "lflags" => "",
     "lib_cflags" => "",
     "lib_cppflags" => "-DL_ENDIAN",
@@ -507,10 +516,8 @@ our @disablables_int = (
 our %disabled = (
     "afalgeng" => "option",
     "asan" => "default",
-    "brotli" => "default",
     "brotli-dynamic" => "default",
     "buildtest-c++" => "default",
-    "comp" => "option",
     "crypto-mdebug" => "default",
     "crypto-mdebug-backtrace" => "default",
     "demos" => "default",
@@ -542,12 +549,14 @@ our %disabled = (
     "uplink" => "no uplink_arch",
     "weak-ssl-ciphers" => "default",
     "winstore" => "not-windows",
-    "zlib" => "default",
     "zlib-dynamic" => "default",
-    "zstd" => "default",
     "zstd-dynamic" => "default"
 );
-our %withargs = ();
+our %withargs = (
+    "brotli_include" => "../../brotli/c/include",
+    "zlib_include" => "../../zlib",
+    "zstd_include" => "../../zstd/lib"
+);
 our %unified_info = (
     "attributes" => {
         "depends" => {
@@ -1035,6 +1044,9 @@ our %unified_info = (
             "test/bio_callback_test" => {
                 "noinst" => "1"
             },
+            "test/bio_comp_test" => {
+                "noinst" => "1"
+            },
             "test/bio_core_test" => {
                 "noinst" => "1"
             },
@@ -1302,6 +1314,9 @@ our %unified_info = (
             "test/casttest" => {
                 "noinst" => "1"
             },
+            "test/cert_comp_test" => {
+                "noinst" => "1"
+            },
             "test/chacha_internal_test" => {
                 "noinst" => "1"
             },
@@ -8362,6 +8377,10 @@ our %unified_info = (
             "libcrypto",
             "test/libtestutil.a"
         ],
+        "test/bio_comp_test" => [
+            "libcrypto.a",
+            "test/libtestutil.a"
+        ],
         "test/bio_core_test" => [
             "libcrypto",
             "test/libtestutil.a"
@@ -10124,6 +10143,20 @@ our %unified_info = (
                 ]
             }
         },
+        "crypto/comp" => {
+            "deps" => [
+                "crypto/comp/libcrypto-lib-c_brotli.o",
+                "crypto/comp/libcrypto-lib-c_zlib.o",
+                "crypto/comp/libcrypto-lib-c_zstd.o",
+                "crypto/comp/libcrypto-lib-comp_err.o",
+                "crypto/comp/libcrypto-lib-comp_lib.o"
+            ],
+            "products" => {
+                "lib" => [
+                    "libcrypto"
+                ]
+            }
+        },
         "crypto/conf" => {
             "deps" => [
                 "crypto/conf/libcrypto-lib-conf_api.o",
@@ -12086,6 +12119,7 @@ our %unified_info = (
         "test/helpers" => {
             "deps" => [
                 "test/helpers/asynciotest-bin-ssltestlib.o",
+                "test/helpers/cert_comp_test-bin-ssltestlib.o",
                 "test/helpers/cmp_asn_test-bin-cmp_testlib.o",
                 "test/helpers/cmp_client_test-bin-cmp_testlib.o",
                 "test/helpers/cmp_ctx_test-bin-cmp_testlib.o",
@@ -12147,6 +12181,7 @@ our %unified_info = (
             "products" => {
                 "bin" => [
                     "test/asynciotest",
+                    "test/cert_comp_test",
                     "test/cmp_asn_test",
                     "test/cmp_client_test",
                     "test/cmp_ctx_test",
@@ -21294,6 +21329,10 @@ our %unified_info = (
             "include",
             "apps/include"
         ],
+        "test/bio_comp_test" => [
+            "include",
+            "apps/include"
+        ],
         "test/bio_core_test" => [
             "include",
             "apps/include"
@@ -21879,6 +21918,10 @@ our %unified_info = (
             ".",
             "include"
         ],
+        "test/helpers/cert_comp_test-bin-ssltestlib.o" => [
+            ".",
+            "include"
+        ],
         "test/helpers/cmp_asn_test-bin-cmp_testlib.o" => [
             ".",
             "include",
@@ -23607,6 +23650,7 @@ our %unified_info = (
         "test/bio_addr_test",
         "test/bio_base64_test",
         "test/bio_callback_test",
+        "test/bio_comp_test",
         "test/bio_core_test",
         "test/bio_dgram_test",
         "test/bio_enc_test",
@@ -23696,6 +23740,7 @@ our %unified_info = (
         "test/byteorder_test",
         "test/ca_internals_test",
         "test/casttest",
+        "test/cert_comp_test",
         "test/chacha_internal_test",
         "test/cipher_overhead_test",
         "test/cipherbytes_test",
@@ -24958,6 +25003,21 @@ our %unified_info = (
         "crypto/cms/libcrypto-lib-cms_smime.o" => [
             "crypto/cms/cms_smime.c"
         ],
+        "crypto/comp/libcrypto-lib-c_brotli.o" => [
+            "crypto/comp/c_brotli.c"
+        ],
+        "crypto/comp/libcrypto-lib-c_zlib.o" => [
+            "crypto/comp/c_zlib.c"
+        ],
+        "crypto/comp/libcrypto-lib-c_zstd.o" => [
+            "crypto/comp/c_zstd.c"
+        ],
+        "crypto/comp/libcrypto-lib-comp_err.o" => [
+            "crypto/comp/comp_err.c"
+        ],
+        "crypto/comp/libcrypto-lib-comp_lib.o" => [
+            "crypto/comp/comp_lib.c"
+        ],
         "crypto/conf/libcrypto-lib-conf_api.o" => [
             "crypto/conf/conf_api.c"
         ],
@@ -27935,6 +27995,11 @@ our %unified_info = (
             "crypto/cms/libcrypto-lib-cms_rsa.o",
             "crypto/cms/libcrypto-lib-cms_sd.o",
             "crypto/cms/libcrypto-lib-cms_smime.o",
+            "crypto/comp/libcrypto-lib-c_brotli.o",
+            "crypto/comp/libcrypto-lib-c_zlib.o",
+            "crypto/comp/libcrypto-lib-c_zstd.o",
+            "crypto/comp/libcrypto-lib-comp_err.o",
+            "crypto/comp/libcrypto-lib-comp_lib.o",
             "crypto/conf/libcrypto-lib-conf_api.o",
             "crypto/conf/libcrypto-lib-conf_def.o",
             "crypto/conf/libcrypto-lib-conf_err.o",
@@ -30469,6 +30534,12 @@ our %unified_info = (
         "test/bio_callback_test-bin-bio_callback_test.o" => [
             "test/bio_callback_test.c"
         ],
+        "test/bio_comp_test" => [
+            "test/bio_comp_test-bin-bio_comp_test.o"
+        ],
+        "test/bio_comp_test-bin-bio_comp_test.o" => [
+            "test/bio_comp_test.c"
+        ],
         "test/bio_core_test" => [
             "test/bio_core_test-bin-bio_core_test.o"
         ],
@@ -31014,6 +31085,13 @@ our %unified_info = (
         "test/casttest-bin-casttest.o" => [
             "test/casttest.c"
         ],
+        "test/cert_comp_test" => [
+            "test/cert_comp_test-bin-cert_comp_test.o",
+            "test/helpers/cert_comp_test-bin-ssltestlib.o"
+        ],
+        "test/cert_comp_test-bin-cert_comp_test.o" => [
+            "test/cert_comp_test.c"
+        ],
         "test/chacha_internal_test" => [
             "test/chacha_internal_test-bin-chacha_internal_test.o"
         ],
@@ -31439,6 +31517,9 @@ our %unified_info = (
         "test/helpers/asynciotest-bin-ssltestlib.o" => [
             "test/helpers/ssltestlib.c"
         ],
+        "test/helpers/cert_comp_test-bin-ssltestlib.o" => [
+            "test/helpers/ssltestlib.c"
+        ],
         "test/helpers/cmp_asn_test-bin-cmp_testlib.o" => [
             "test/helpers/cmp_testlib.c"
         ],
@@ -32662,18 +32743,9 @@ my %disabled_info = (
     "asan" => {
         "macro" => "OPENSSL_NO_ASAN"
     },
-    "brotli" => {
-        "macro" => "OPENSSL_NO_BROTLI"
-    },
     "brotli-dynamic" => {
         "macro" => "OPENSSL_NO_BROTLI_DYNAMIC"
     },
-    "comp" => {
-        "macro" => "OPENSSL_NO_COMP",
-        "skipped" => [
-            "crypto/comp"
-        ]
-    },
     "crypto-mdebug" => {
         "macro" => "OPENSSL_NO_CRYPTO_MDEBUG"
     },
@@ -32767,15 +32839,9 @@ my %disabled_info = (
     "winstore" => {
         "macro" => "OPENSSL_NO_WINSTORE"
     },
-    "zlib" => {
-        "macro" => "OPENSSL_NO_ZLIB"
-    },
     "zlib-dynamic" => {
         "macro" => "OPENSSL_NO_ZLIB_DYNAMIC"
     },
-    "zstd" => {
-        "macro" => "OPENSSL_NO_ZSTD"
-    },
     "zstd-dynamic" => {
         "macro" => "OPENSSL_NO_ZSTD_DYNAMIC"
     }

deps/openssl/config/archs/BSD-x86/asm/crypto/buildinf.h

@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: BSD-x86"
-#define DATE "built on: Tue Jan 27 17:25:31 2026 UTC"
+#define DATE "built on: Wed Mar 11 15:38:13 2026 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
@@ -29,5 +29,10 @@ static const char compiler_flags[] = {
     '_','S','A','F','E',' ','-','D','_','R','E','E','N','T','R','A',
     'N','T',' ','-','D','O','P','E','N','S','S','L','_','B','U','I',
     'L','D','I','N','G','_','O','P','E','N','S','S','L',' ','-','D',
-    'N','D','E','B','U','G','\0'
+    'B','R','O','T','L','I',' ','-','D','Z','L','I','B',' ','-','D',
+    'Z','S','T','D',' ','-','D','N','D','E','B','U','G',' ','-','I',
+    '.','.','/','.','.','/','b','r','o','t','l','i','/','c','/','i',
+    'n','c','l','u','d','e',' ','-','I','.','.','/','.','.','/','z',
+    'l','i','b',' ','-','I','.','.','/','.','.','/','z','s','t','d',
+    '/','l','i','b','\0'
 };

deps/openssl/config/archs/BSD-x86/asm/include/openssl/configuration.h

@@ -41,15 +41,9 @@ extern "C" {
 # ifndef OPENSSL_NO_ASAN
 #  define OPENSSL_NO_ASAN
 # endif
-# ifndef OPENSSL_NO_BROTLI
-#  define OPENSSL_NO_BROTLI
-# endif
 # ifndef OPENSSL_NO_BROTLI_DYNAMIC
 #  define OPENSSL_NO_BROTLI_DYNAMIC
 # endif
-# ifndef OPENSSL_NO_COMP
-#  define OPENSSL_NO_COMP
-# endif
 # ifndef OPENSSL_NO_CRYPTO_MDEBUG
 #  define OPENSSL_NO_CRYPTO_MDEBUG
 # endif
@@ -137,15 +131,9 @@ extern "C" {
 # ifndef OPENSSL_NO_WINSTORE
 #  define OPENSSL_NO_WINSTORE
 # endif
-# ifndef OPENSSL_NO_ZLIB
-#  define OPENSSL_NO_ZLIB
-# endif
 # ifndef OPENSSL_NO_ZLIB_DYNAMIC
 #  define OPENSSL_NO_ZLIB_DYNAMIC
 # endif
-# ifndef OPENSSL_NO_ZSTD
-#  define OPENSSL_NO_ZSTD
-# endif
 # ifndef OPENSSL_NO_ZSTD_DYNAMIC
 #  define OPENSSL_NO_ZSTD_DYNAMIC
 # endif