0. Preliminary warning

TLS compression may make you vulnerable to the CRIME attack. You should not enable it unless you know for sure that CRIME and similar attacks are not applicable to your particular situation.
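To judge whether the warning applies to you, the following added example (not part of the original article or of mbed TLS) models one compressed record in which a secret and a field that an untrusted party can influence share a DEFLATE stream, and compares the record length an observer would see with and without compression. The request layout, header value and function names are constructed for illustration; Python's zlib module stands in for the library's compression step.

```python
import zlib

# Constructed sample data: a secret sent on every request, and two equal-length
# values for a field whose content an untrusted party can influence.
SECRET_HEADER = b"Cookie: session=7f3a9c2e51b84d06a1c9\r\n"
FIELD_SAME_AS_SECRET = b"session=7f3a9c2e51b84d06a1c9"
FIELD_UNRELATED = b"session=Qx!Zp#Lw@Vk$Tj%Rh^Ng"


def build_plaintext(untrusted_field: bytes) -> bytes:
    """Hypothetical request: the untrusted field and the secret travel together."""
    return b"GET /?q=" + untrusted_field + b" HTTP/1.1\r\n" + SECRET_HEADER


def compressed_record_len(untrusted_field: bytes) -> int:
    """Record length with compression enabled.

    Encryption hides the bytes of the record but not its length, so this
    number is visible on the wire.
    """
    return len(zlib.compress(build_plaintext(untrusted_field), 9))


def plain_record_len(untrusted_field: bytes) -> int:
    """Record length with compression disabled (the library default)."""
    return len(build_plaintext(untrusted_field))


if __name__ == "__main__":
    for label, field in (("same as secret", FIELD_SAME_AS_SECRET),
                         ("unrelated", FIELD_UNRELATED)):
        print(f"{label:15} compressed={compressed_record_len(field):3} "
              f"plain={plain_record_len(field):3}")
```

With compression the record is shorter when the untrusted field repeats the secret, so the length depends on the secret; without compression both records have the same length. If no untrusted input ever shares a connection with secret data, this dependency cannot be observed.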

1. Introduction

mbed TLS optionally supports compression of the content data before it enters the secure channel. This functionality is described in RFC 3749. At this moment the standards only describe a single compression method called DEFLATE.

The best-known library for DEFLATE compression is zlib (also called libz).

This short article describes how to enable compression using zlib within mbed TLS.

2. Download and install zlib

You will need to acquire the development files for zlib.

On Debian-like systems it's as simple as:

apt-get install libz-dev

On other systems you can use your local package manager or download the source from: http://zlib.net/

3. Configure mbed TLS

To configure mbed TLS to enable compression you should uncomment the define for MBEDTLS_ZLIB_SUPPORT in config.h, see "How do I configure mbed TLS".

    /**
     * If set, the SSL/TLS module uses ZLIB to support compression and
     * decompression of packet data.
     * \warning TLS-level compression MAY REDUCE SECURITY! See for example the
     * CRIME attack. Before enabling this option, you should examine with care if
     * CRIME or similar exploits may be applicable to your use case.
     * \note Currently compression can't be used with DTLS.
     * Used in: library/ssl_tls.c
     *          library/ssl_cli.c
     *          library/ssl_srv.c
     * This feature requires zlib library and headers to be present.
     * Uncomment to enable use of ZLIB
     */
    //#define MBEDTLS_ZLIB_SUPPORT

Then you have to enable it for the compiler.


If you are using the default Make environment, you can just issue:

export ZLIB=1

The Makefile does assume that zlib and the header files are in one of the standard locations. Otherwise you will need to pass a suitable value of LDFLAGS when invoking make, to include '-I<PATH_TO_HEADER_FILES> -L<PATH_TO_LIBRARY_FILE>'.


If you are using CMake, you can run the wizard:

cmake -i

