libcurl started to use the PK11_CreateManagedGenericObject() function from NSS (Network Security Services) in RHEL-7.6 to reduce memory consumption while loading certificates from files.
This caused a severe performance regression in nss-pem because an internal array of pointers to internal objects started to grow per each load of a certificate. As the array is looked up sequentially, it resulted in excessive CPU usage and unacceptable delays in libcurl connections over TLS.
The internal array has been replaced by a linked list, which allows to remove arbitrary nodes in a constant amount of time.
PK11_CreateManagedGenericObject() can now be used without any measurable performance penalty.
This bug has been copied from bug #1659108 and has been proposed to be backported to 7.6 z-stream (EUS).
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.