Todd Short

>Note that without a -comp_cert on the server, compression isn't used at all, I'm not sure this is intended. That's intentional, you have to explicitly tell it to compress the...

There's a few things going on here. The API went through several iterations during review. It was decided to simplify and always have the server-side pre-compress the certificates, rather than...

In response specifically to this: > Like, performs an optimization, not acts as a knob for everything RFC8879. To sent compressed certificates from the server, the certificates must always be...

> > Is it only with ZLIB? What about Brotli and Zstd? > > Yes, the other two decompressed fine in my testing. Thank you, this is helpful.

Looks as though I have to add a zlib oneshot function that terminates/completes the compression properly. @t184256 could you try this branch? https://github.com/tmshort/openssl/tree/fix-zlib

This is primarily deletes (with one edit). I don't know if it qualifies for CLA:trivial, but I'd be OK with it.

One of the tests is still pending after 24+ ?

As far as I can tell, looking at buildbot, there have never been any completed `buildbot/master:unix-macos11-m1` builds? @levitte ?

> Hopefully the added bound checks won't trigger Coverity. If so we can fix that later though. Appears to have. The failure can only occur if sizeof(size_t) > sizeof(unsigned long),...

> As after this change the tests still pass, it means we are undertested here :( It's the nature of the allowed data. Even if there were unsupported algorithms, what...