Bug 719403

Summary: If your certificate key size greater than 512 bits a stepdown key will be generated, this can't be swithed off from mod_nss
Product: Red Hat Enterprise Linux 7 Reporter: Dmitri Pal <dpal>
Component: mod_nssAssignee: Matthew Harmsen <mharmsen>
Status: CLOSED CURRENTRELEASE QA Contact: Kaleem <ksiddiqu>
Severity: medium Docs Contact:
Priority: low    
Version: 7.0CC: dpal, nkinder, rcritten, wolter.eldering
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 637525 Environment:
Last Closed: 2017-08-14 15:36:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 637525    
Bug Blocks:    

Description Dmitri Pal 2011-07-06 17:55:06 UTC 
+++ This bug was initially created as a clone of Bug #637525 +++

Created attachment 449710 [details]
Patch adding NSSNoStepDown (on|off) config option

Description of problem:
If your certificate key size greater than 512 bits a 512 bit key-pair is generated on the fly for every ssl server. This takes considerable time and maybe the use of a 512 bit key might be unwanted. 

Version-Release number of selected component (if applicable):
1.0.8

How reproducible:
Create Certificate with key size bigger than 512.

Steps to Reproduce:
1. Load/Create 1024bit certificate into certificate database
2. Put export NSS_DEBUG_PKCS11_MODULE="NSS Internal PKCS #11 Module" to get timing information (debug build nss)
3. service start httpd
  
Actual results:
Starting httpd: Function                     # Calls         Time         Avg.     % Time
--8<--
C_GenerateKeyPair                  1         53ms   53000.00us      3.77%
--8<--

Expected results:
No call to C_GenerateKeyPair and stepdown key disabled in NSS

Additional info:

--- Additional comment from dpal on 2011-07-06 13:54:39 EDT ---

The patch will be accepted upstream and will be delivered as a version that will be included into RHEL7.
Comment 5 Matthew Harmsen 2016-01-05 22:09:16 UTC 
Per discussion with rcritten, moving from RHEL 7.3 --> RHEL 7.4.
Comment 6 Matthew Harmsen 2016-01-05 22:10:50 UTC 
(In reply to Matthew Harmsen from comment #5)
> Per discussion with rcritten, moving from RHEL 7.3 --> RHEL 7.4.

Check with NSS guys
Comment 10 Rob Crittenden 2017-08-14 15:36:06 UTC 
The step-up code in NSS was removed in 3.13, https://bugzilla.mozilla.org/show_bug.cgi?id=651523