When do I need zlib in OpenSSL?

Some sites describe configuring and building OpenSSL with zlib, while I can do it without zlib.

This means that zlib is not required for OpenSSL in some cases.

Will someone tell me when OpenSSL does compression or decompression?

The answer from @JakeGould is helpful. I want to know how to decide whether to use -z or not.

+6

2 answers

The answer from @JakeGould is helpful. I want to know how to decide whether to use -z or not.

It is easy. Compression leaks information in protocols such as HTTPS and SPDY, so you should not use it. Since you should not use it, there is no reason to configure it. See Rizzo and Duong's CRIME attack.

Another configure option that might interest you: no-comp. It disables compression independently of zlib.


Will someone tell me when OpenSSL does compression or decompression?

By default, compression is enabled unless you disabled it at compile time or at runtime. If compression is available, you should disable it at runtime using the SSL_OP_NO_COMPRESSION context option:

    #include <openssl/ssl.h>

    SSL_CTX *ctx;
    /* SSLv23_method() negotiates the highest protocol version both sides support */
    const SSL_METHOD *method = SSLv23_method();
    if (method == NULL) handleFailure();   /* handleFailure() is the application's own error handler */
    ctx = SSL_CTX_new(method);
    if (ctx == NULL) handleFailure();
    /* SSL_OP_NO_COMPRESSION turns TLS compression off even when the library was built with zlib */
    const long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
    SSL_CTX_set_options(ctx, flags);

For completeness, Firefox does not support compression. Firefox's build configuration was broken out of the box, so the browser was not vulnerable to the compression attacks. See the bug report "Build NSS with zlib TLS compression code and add security.ssl.enable_compression preference to enable it".

+11
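To make the "compression leaks information" point in the answer above concrete, here is an added example (not code from the original post). It compresses a constructed HTTP request with zlib, as TLS compression would, and compares the record length for a guess at the cookie value that matches the real value against one that does not; with compression off, as SSL_OP_NO_COMPRESSION or no-comp gives you, the two lengths are identical. The secret value, the cookie name and the request layout are all constructed for the example.

```python
import zlib

# Constructed sample values (not from the page): a cookie value the peer should
# not learn, and a request layout in which text the peer can influence and the
# secret travel in the same compressed TLS stream.
SECRET = b"Zk3pQ9vL"
KNOWN_PREFIX = b"secret="  # the cookie name is public; only the value is secret


def request_plaintext(peer_text: bytes) -> bytes:
    """Bytes a TLS record would carry: a query string the peer can influence
    plus the Cookie header the client adds on its own."""
    return (b"GET /?q=" + peer_text + b" HTTP/1.1\r\n"
            b"Host: example.test\r\n"
            b"Cookie: " + KNOWN_PREFIX + SECRET + b"\r\n\r\n")


def record_len_compressed(peer_text: bytes) -> int:
    """Length on the wire with zlib TLS compression enabled."""
    return len(zlib.compress(request_plaintext(peer_text), 9))


def record_len_uncompressed(peer_text: bytes) -> int:
    """Length on the wire with compression disabled: the record length tracks
    the plaintext length plus a constant per-record overhead, nothing else."""
    return len(request_plaintext(peer_text))


def length_difference(correct_guess: bytes, wrong_guess: bytes) -> dict:
    """Compare record sizes for two equal-length guesses at the cookie value.
    With compression, a guess that repeats the real prefix is found by LZ77 and
    folded into a back-reference, so the record shrinks by the matched bytes;
    without compression both sizes are equal and the length channel is silent."""
    if len(correct_guess) != len(wrong_guess):
        raise ValueError("guesses must have equal length to isolate the effect")
    right = KNOWN_PREFIX + correct_guess
    wrong = KNOWN_PREFIX + wrong_guess
    return {
        "compressed_right": record_len_compressed(right),
        "compressed_wrong": record_len_compressed(wrong),
        "plain_right": record_len_uncompressed(right),
        "plain_wrong": record_len_uncompressed(wrong),
    }


if __name__ == "__main__":
    r = length_difference(SECRET[:3], b"Qxy")
    print("with compression   :", r["compressed_right"], "vs", r["compressed_wrong"])
    print("without compression:", r["plain_right"], "vs", r["plain_wrong"])
```

The compressed record is a few bytes shorter for the matching guess, which is exactly the side channel CRIME measures; the uncompressed lengths are identical.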

The answer is right there in the manual. It refers to the -z option:

Compress or decompress clear text using zlib before encryption or after decryption. This option exists only if OpenSSL was compiled with the zlib or zlib-dynamic option.

+3

Source: https://habr.com/ru/post/969616/
