OpenSSL offers the compression BIO methods BIO_f_zlib(), BIO_f_brotli() and BIO_f_zstd() (the last two introduced in v3.2), which offer transparent (de)compression, but they can't be used with the current ebuilds. Well, BIO_f_zlib() can be used, but only by using the tls-compression use flag. As the tls-compression use flag is documented as "discouraged TLS compression", this use flag should be modified to disable the "no-comp" OpenSSL configuration option instead.

Reproducible: Always
Created attachment 908473
Patch for v3.3.2 ebuild

add brotli, zlib and zstd USE flags to ebuild
It seems not to be a good idea to build OpenSSL with the "no-comp" option, as this broke, for example, Python:

    /usr/lib/python3.12/lib-dynload/_ssl.cpython-312-x86_64-linux-gnu.so: undefined symbol: COMP_get_type, version OPENSSL_3.0.0

I'm not sure if it's possible at all to enable the compression modules and disable TLS compression to prevent CRIME.