When do I need zlib in OpenSSL?

user1345414 · May 21, 2014 · Viewed 12.1k times

Some sites describe config & make for OpenSSL with zlib, while I can do it without zlib.

That means zlib is not necessary for OpenSSL in some cases.

Can anyone tell me in what cases OpenSSL does compression or decompression?

The answer from @JakeGould is useful. I want to know how to choose whether I use -z or not?

Answer

jww · May 23, 2014

The answer from @JakeGould is useful. I want to know how to choose whether I use -z or not?

That's easy. Compression leaks information in protocols like HTTPS and SPDY, so you should not use it. Since you should not use it, there's no reason to configure with it. See Rizzo and Duong's CRIME attack.

There's another configure option you might be interested in: no-comp. It disables compression independently of zlib.


Can anyone tell me in what cases OpenSSL does compression or decompression?

By default, compression is enabled unless you disable it at compile time or runtime. If compression is available, then you have to disable it at runtime with the SSL_OP_NO_COMPRESSION context option:

#include <openssl/ssl.h>
#include <stdlib.h>

static void handleFailure(void) { exit(EXIT_FAILURE); }

SSL_CTX* make_ctx(void)
{
    const SSL_METHOD* method = SSLv23_method();
    if(method == NULL) handleFailure();

    SSL_CTX* ctx = SSL_CTX_new(method);
    if(ctx == NULL) handleFailure();
    /* Refuse SSLv2/SSLv3 and never negotiate TLS-level compression */
    const long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
    SSL_CTX_set_options(ctx, flags);
    return ctx;
}

For completeness, Firefox does not support compression. Firefox's configure used to be broken out of the box, so the browser was not vulnerable to the compression attacks. See the bug report, "Build NSS with the TLS zlib compression code and add the security.ssl.enable_compression preference to enable it."
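As an added example (my own code, not part of jww's answer or of OpenSSL), here is the same runtime hardening expressed through Python's ssl module, which wraps the OpenSSL context API, plus a small audit that checks whether a context still has compression negotiable. The function names are my own. For the protocol floor it uses minimum_version instead of the answer's OP_NO_SSLv2 | OP_NO_SSLv3, because those flags are deprecated in current Pythons and OP_NO_SSLv2 is the integer 0 on OpenSSL builds that have SSLv2 compiled out, which the audit has to account for.

```python
import ssl

# Added example, not code from the answer above. Names are my own.


def make_client_context() -> ssl.SSLContext:
    """Equivalent of SSLv23_method() + SSL_CTX_new(): a fresh TLS client context."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)


def harden(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Runtime equivalent of SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION).

    OP_NO_COMPRESSION stops the context from ever negotiating TLS-level
    (zlib) compression, even when the underlying OpenSSL was built with zlib.
    That is the runtime knob that closes the CRIME information leak.
    The protocol floor is set through minimum_version rather than the
    deprecated OP_NO_SSLv2 / OP_NO_SSLv3 flags used in the C snippet.
    """
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def allow_compression(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Clear the bit again (the weak state), so the audit has something to flag.

    Plain ints are used instead of ~ssl.OP_NO_COMPRESSION because the IntFlag
    complement in newer Pythons can drop OpenSSL option bits that have no name
    in ssl.Options; the setter accepts a plain int.
    """
    ctx.options = int(ctx.options) & ~int(ssl.OP_NO_COMPRESSION)
    return ctx


def compression_disabled(ctx: ssl.SSLContext) -> bool:
    """True when the context will never negotiate TLS compression."""
    return bool(int(ctx.options) & int(ssl.OP_NO_COMPRESSION))


def audit(ctx: ssl.SSLContext) -> list:
    """Return findings as strings; an empty list means the context follows the answer's advice."""
    findings = []
    if not compression_disabled(ctx):
        findings.append("TLS compression not disabled (SSL_OP_NO_COMPRESSION unset)")
    # SSLv2 may be compiled out of OpenSSL entirely; then ssl.OP_NO_SSLv2 is 0
    # and testing the bit would always report 'missing', so skip it in that case.
    if int(ssl.OP_NO_SSLv2) != 0 and not int(ctx.options) & int(ssl.OP_NO_SSLv2):
        findings.append("SSLv2 still negotiable (SSL_OP_NO_SSLv2 unset)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("no explicit TLS 1.2 floor (minimum_version below TLSv1_2)")
    return findings


if __name__ == "__main__":
    good = harden(make_client_context())
    weak = allow_compression(make_client_context())
    print("hardened:", audit(good) or "no findings")
    print("weak:    ", audit(weak))
```

Note that recent CPython versions already set OP_NO_COMPRESSION on every new SSLContext, so allow_compression() is needed only to reproduce the state this answer warns about; in application code you would call harden() and never clear the bit.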