0. Preliminary warning
TLS compression may make you vulnerable to the CRIME attack. You shoud not enable it unless you know for sure CRIME and similar attacks are not applicable to your particular situation.
mbed TLS optionally supports compression of the content data before it enters the secure channel. This functionality is described in RFC 3749. At this moment the standards only describe a single compression method called DEFLATE.
The best known library to use for the DEFLATE compression is the zlib library (Also called libz).
This short article describes how to enable compression using zlib within mbed TLS.
2. Download and install zlib
You will need to acquire the development files for zlib.
Under debian-like systems it's as simple as:
apt-get install libz-dev
On other systems you can use your local package manager or download the source from: http://zlib.net/
3. Configure mbed TLS
To configure mbed TLS to enable compression you should uncomment the define for MBEDTLS_ZLIB_SUPPORT in config.h, see "How do I configure mbed TLS".
/** * \def MBEDTLS_ZLIB_SUPPORT * * If set, the SSL/TLS module uses ZLIB to support compression and * decompression of packet data. * * \warning TLS-level compression MAY REDUCE SECURITY! See for example the * CRIME attack. Before enabling this option, you should examine with care if * CRIME or similar exploits may be a applicable to your use case. * * \note Currently compression can't be used with DTLS. * * Used in: library/ssl_tls.c * library/ssl_cli.c * library/ssl_srv.c * * This feature requires zlib library and headers to be present. * * Uncomment to enable use of ZLIB */ #define MBEDTLS_ZLIB_SUPPORT
Then you have to enable it for the compiler.
If you are using the default Make environment, you can just issue:
The Makefile does assume that zlib and the header files are in one of the standard locations. Otherwise you will need to pass a suitable value of LDFLAGS when invoking make, to include '-I\<PATH_TO_HEADER_FILES> -L\<PATH_TO_LIBRARY_FILE>'.
If you are using CMake, you can run the wizard:
and set ENABLE_ZLIB_SUPPORT to ON.