Description of problem:
PK11_ListCerts is called for every server instead of only one time. With many certificates in the database the PK11_ListCerts will take quite long. 500 certs take about 2-3 seconds on our test server.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Load many certificates in certificate database, about 500
2. Create about 50 virtual hosts with SSL enabled
3. service httpd start

Actual results:
Startup time about 2 minutes

Expected results:
Startup time about 5 seconds

Additional info:
All user certificates are retrieved again and again and filtered on nickname inside mod_nss, instead of getting them by nickname or retrieving the list of user certificates only once. Much time is also spent in creating Step-Down keys (when your keys are >512 bits), adding an extra 2 seconds of startup for 50 virtual hosts with SSL enabled. If the softtoken is used no caching is done by NSS; this results in the whole certificate chain being built for every server based on PKCS#11 calls. In our case the chain has a length of 4 (requiring an additional 20 PKCS#11 calls for every virtual host).
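The lookup pattern described above, as an added Python model that is not mod_nss code and not the attached patch: CertDB stands in for the NSS certificate database, and its list_certs() models the expensive PK11_ListCerts walk. The naive variant enumerates the whole database once per virtual host and filters on nickname; the cached variant enumerates once, indexes by nickname and then serves every virtual host from that index, which is the direction the attachment is described as taking (the patch itself is not on this page). The sample nicknames and the counting fields are constructed for this example.

```python
"""Constructed model of per-virtual-host certificate selection.

Not mod_nss code: CertDB, list_certs() and the sample nicknames are
stand-ins built for this example so it runs offline.
"""

from dataclasses import dataclass


@dataclass
class CertDB:
    """Stand-in for an NSS certificate database.

    list_certs() models PK11_ListCerts: it walks every user certificate in
    the database and is the call whose repetition the bug report measures.
    """
    nicknames: list
    list_calls: int = 0

    def list_certs(self):
        self.list_calls += 1
        # Each dict stands for one CERTCertificate; a real walk costs time
        # proportional to the number of certificates in the database.
        return [{"nickname": n, "subject": f"cn={n}"} for n in self.nicknames]


def select_server_certs_naive(db, vhost_nicknames):
    """Per-host lookup as the report describes it: walk the whole database
    for every virtual host, then filter the result on the host's nickname."""
    chosen = {}
    for nick in vhost_nicknames:
        for cert in db.list_certs():          # full walk, once per vhost
            if cert["nickname"] == nick:
                chosen[nick] = cert
                break
        else:
            # Missing nickname is only noticed when its vhost is reached.
            raise KeyError(f"no certificate with nickname {nick!r}")
    return chosen


def select_server_certs_cached(db, vhost_nicknames):
    """Walk the database once at startup, index by nickname, and answer
    every virtual host from the index."""
    by_nick = {}
    for cert in db.list_certs():              # single walk
        by_nick.setdefault(cert["nickname"], cert)
    # All configuration errors surface together, before any host is set up.
    missing = [n for n in vhost_nicknames if n not in by_nick]
    if missing:
        raise KeyError(f"no certificate with nickname(s) {missing!r}")
    return {n: by_nick[n] for n in vhost_nicknames}


def compare_call_counts(n_certs, n_hosts):
    """Return (naive_calls, cached_calls) for a database of n_certs user
    certificates serving n_hosts SSL virtual hosts (constructed sizes)."""
    nicks = [f"server{i}" for i in range(1, n_certs + 1)]
    hosts = nicks[:n_hosts]
    naive_db, cached_db = CertDB(nicks), CertDB(nicks)
    naive = select_server_certs_naive(naive_db, hosts)
    cached = select_server_certs_cached(cached_db, hosts)
    assert naive == cached, "both strategies must pick the same certificates"
    return naive_db.list_calls, cached_db.list_calls


if __name__ == "__main__":
    # Sizes from the report: ~500 certificates, ~50 SSL virtual hosts.
    naive_calls, cached_calls = compare_call_counts(500, 50)
    print(f"PK11_ListCerts-style walks: naive={naive_calls} cached={cached_calls}")
```

With the report's sizes the naive path walks the database 50 times and the cached path once; the cached path also reports every misconfigured NSSNickname in one error instead of failing on the first host that hits one.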
Created attachment 448249 [details] patch reducing the number of calls to PK11_ListCerts
Thanks for the patch, it works great. Committed upstream

Checking in mod_nss.h;
/cvs/dirsec/mod_nss/mod_nss.h,v  <--  mod_nss.h
new revision: 1.23; previous revision: 1.22
done
Checking in nss_engine_init.c;
/cvs/dirsec/mod_nss/nss_engine_init.c,v  <--  nss_engine_init.c
new revision: 1.36; previous revision: 1.35
done
Verified:

Env:
+ RHEL5.6(x86_64) -- RHEL5.6-Server-20101010.1
--------------
+ mod_nss-1.0.8-2.el5.x86_64
+ httpd-2.2.3-43.el5_5.3
--------------

Steps used to verify:

(1) I used the below nss.conf

##########################################################
# nss.conf for bugzilla -- PK11_ListCerts called to retrieve all user certificates for every server

#Load Module
LoadModule nss_module modules/libmodnss.so

#Name based virtual-hosting
NameVirtualHost localhost:443

#virtual host1
<VirtualHost localhost:443>
ServerAdmin webmaster
DocumentRoot /var/www/html
ServerName localhost1
NSSCertificateDatabase /etc/httpd/alias
NSSVerifyClient require
NSSNickname server1
</VirtualHost>

#virtual host2
<VirtualHost localhost:443>
ServerAdmin webmaster
DocumentRoot /var/www/html
ServerName localhost2
NSSCertificateDatabase /etc/httpd/alias
NSSVerifyClient require
NSSNickname server2
</VirtualHost>
.
.
.
<till virtual host50 >
##########################################################

(2) Wrote the below script to populate the NSS db with 50 server hosts

############################################################
#!/bin/bash
USER=testuser
echo testpwd > pwdfile.txt
echo woeifjoufjoidsjfosaf0weflsdjfsafjffjsdfsadlffiwooosfdsf > noise.txt

printf "creating NSS database \n"
certutil -N -d . -f pwdfile.txt

printf "generating a self signed CA \n"
certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z noise.txt -f pwdfile.txt

#generating a server cert for each virtual host
for x in $(seq 1 50) ; do
    printf "generating a server cert$x \n"
    certutil -S -n "server$x" -s "cn=cs81autoel5.pnq.redhat.com,cn=servercert$x" -c "CA certificate" -t "u,u,u" -m $x -v 120 -d . -z noise.txt -f pwdfile.txt
done
############################################################

(3) And restarted httpd. httpd restarts immediately without any delay.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0049.html