
Bug 635324

Summary: PK11_ListCerts called to retrieve all user certificates for every server
Product: Red Hat Enterprise Linux 5
Reporter: Wolter Eldering <wolter.eldering>
Component: mod_nss
Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA
QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium
Priority: low
Version: 5.4
CC: benl, csutherl, dpal, kchamart
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: mod_nss-1.0.8-2.el5
Doc Type: Bug Fix
Clone Of:
: 749408
Last Closed: 2011-01-13 22:38:47 UTC
Bug Blocks: 749408, 767802, 1022295

Attachments:
patch reducing the number of calls to PK11_ListCerts (flags: none)

Description Wolter Eldering 2010-09-19 01:11:17 UTC
Description of problem:
PK11_ListCerts is called for every server instead of only one time.
With many certificates in the database the PK11_ListCerts will take quite long.
500 certs take about 2-3 seconds on our test server.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Load many certificates (about 500) into the certificate database
2. Create about 50 virtual hosts with SSL enabled
3. service httpd start
  
Actual results:
Startup time about 2 minutes

Expected results:
Startup time about 5 seconds

Additional info:
All user certificates are retrieved again and again and filtered on nickname inside mod_nss, instead of getting them by nickname or retrieving the list of user certificates only once.

Much time is also spent in creating Step-Down keys (when your keys are >512 bits), adding an extra 2 seconds of startup for 50 virtual hosts with SSL enabled.

If the softtoken is used no caching is done by NSS; this results in the whole certificate chain being built for every server based on PKCS#11 calls. In our case the chain has a length of 4 (requiring an additional 20 PKCS#11 calls for every virtual host).
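An added example, not part of the bug report and not mod_nss code: a POSIX shell/awk pass over an nss.conf-style configuration (a constructed three-vhost sample is embedded) that counts how many SSL virtual hosts point at each NSSCertificateDatabase. With the behaviour described above, every vhost triggered its own PK11_ListCerts call, so the per-database vhost count is the number of listings that could have been collapsed into one; it also flags vhosts that set a database but no NSSNickname.

```shell
#!/bin/sh
# Added example, not code from the bug report or from mod_nss.
# Reads an nss.conf-style config from stdin and prints, per distinct
# NSSCertificateDatabase, how many <VirtualHost> blocks use it and how
# many of those lack an NSSNickname. With the pre-fix behaviour each
# vhost re-listed the whole user-certificate store, so the per-database
# count is the number of PK11_ListCerts calls that one call could replace.
vhosts_per_database() {
    awk '
        /^[[:space:]]*<VirtualHost/ { inv = 1; db = ""; nick = "" }
        inv && $1 == "NSSCertificateDatabase" { db = $2 }
        inv && $1 == "NSSNickname" { nick = $2 }
        /^[[:space:]]*<\/VirtualHost>/ {
            if (inv && db != "") {
                count[db]++
                if (nick == "") nonick[db]++   # vhost with no NSSNickname
            }
            inv = 0
        }
        END {
            for (d in count)
                printf "%d vhosts, %d without NSSNickname: %s\n", count[d], nonick[d] + 0, d
        }
    '
}

# Redundant listings under the old behaviour = vhosts - distinct databases.
redundant_listings() {
    vhosts_per_database | awk '{ v += $1; d++ } END { print v - d }'
}

# Constructed sample: three SSL vhosts, two of them on the same database,
# one of those without an NSSNickname.
SAMPLE_CONF='<VirtualHost localhost:443>
NSSCertificateDatabase /etc/httpd/alias
NSSNickname server1
</VirtualHost>
<VirtualHost localhost:443>
NSSCertificateDatabase /etc/httpd/alias
</VirtualHost>
<VirtualHost localhost:8443>
NSSCertificateDatabase /etc/httpd/alias2
NSSNickname other
</VirtualHost>'

printf '%s\n' "$SAMPLE_CONF" | vhosts_per_database
printf '%s\n' "$SAMPLE_CONF" | redundant_listings
```

Run it against a real nss.conf with `vhosts_per_database < /etc/httpd/conf.d/nss.conf`; awk prints the databases in no particular order.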

Comment 1 Wolter Eldering 2010-09-19 01:12:30 UTC
Created attachment 448249
patch reducing the number of calls to PK11_ListCerts

Comment 3 Rob Crittenden 2010-09-22 21:19:55 UTC
Thanks for the patch, it works great.

Committed upstream

Checking in mod_nss.h;
/cvs/dirsec/mod_nss/mod_nss.h,v  <--  mod_nss.h
new revision: 1.23; previous revision: 1.22
done
Checking in nss_engine_init.c;
/cvs/dirsec/mod_nss/nss_engine_init.c,v  <--  nss_engine_init.c
new revision: 1.36; previous revision: 1.35
done

Comment 5 Kashyap Chamarthy 2010-10-12 08:24:06 UTC
Verified: 

Env:
+ RHEL5.6(x86_64) -- RHEL5.6-Server-20101010.1
--------------
+ mod_nss-1.0.8-2.el5.x86_64
+ httpd-2.2.3-43.el5_5.3
--------------

Steps used to verify: 

(1) I used the below nss.conf

##########################################################
# nss.conf for bugzilla -- PK11_ListCerts called to retrieve all user certificates for every server 
#Load Module
LoadModule nss_module modules/libmodnss.so

#Name based virtual-hosting
NameVirtualHost localhost:443

#virtual host1
<VirtualHost localhost:443>
ServerAdmin webmaster
DocumentRoot /var/www/html
ServerName localhost1
NSSCertificateDatabase /etc/httpd/alias
NSSVerifyClient require

NSSNickname server1
</VirtualHost>

#virtual host2
<VirtualHost localhost:443>
ServerAdmin webmaster
DocumentRoot /var/www/html
ServerName localhost2
NSSCertificateDatabase /etc/httpd/alias
NSSVerifyClient require
NSSNickname server2
.
.
.
<till virtual host50 >
##########################################################

(2) Wrote the below script to populate nss db with 50 server hosts

############################################################
#!/bin/bash
USER=testuser

echo testpwd > pwdfile.txt
echo woeifjoufjoidsjfosaf0weflsdjfsafjffjsdfsadlffiwooosfdsf > noise.txt

printf "creating NSS database \n"
certutil -N -d . -f pwdfile.txt

printf "generating a self signed CA \n"
certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z noise.txt -f pwdfile.txt

# generate a server cert for each virtual host, signed by the CA above
for x in $(seq 1 50); do
    printf "generating a server cert$x \n"
    certutil -S -n "server$x" -s "cn=cs81autoel5.pnq.redhat.com,cn=servercert$x" -c "CA certificate" -t "u,u,u" -m $x -v 120 -d . -z noise.txt -f pwdfile.txt
done
############################################################

(3) And restarted httpd

httpd restarts immediately without any delay.

Comment 7 errata-xmlrpc 2011-01-13 22:38:47 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0049.html