719403 – If your certificate key size greater than 512 bits a stepdown key will be generated, this can't be swithed off from mod_nss

Bug 719403 - If your certificate key size greater than 512 bits a stepdown key will be generated, this can't be swithed off from mod_nss

Summary: If your certificate key size greater than 512 bits a stepdown key will be gen...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	mod_nss
Sub Component:
Version:	7.0
Hardware:	All
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Matthew Harmsen
QA Contact:	Kaleem
Docs Contact:
URL:
Whiteboard:
Depends On:	637525
Blocks:
TreeView+	depends on / blocked

Reported:	2011-07-06 17:55 UTC by Dmitri Pal
Modified:	2017-08-16 00:40 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	637525
Environment:
Last Closed:	2017-08-14 15:36:06 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Dmitri Pal 2011-07-06 17:55:06 UTC

+++ This bug was initially created as a clone of Bug #637525 +++

Created attachment 449710 [details]
Patch adding NSSNoStepDown (on|off) config option

Description of problem:
If your certificate key size greater than 512 bits a 512 bit key-pair is generated on the fly for every ssl server. This takes considerable time and maybe the use of a 512 bit key might be unwanted. 

Version-Release number of selected component (if applicable):
1.0.8

How reproducible:
Create Certificate with key size bigger than 512.

Steps to Reproduce:
1. Load/Create 1024bit certificate into certificate database
2. Put export NSS_DEBUG_PKCS11_MODULE="NSS Internal PKCS #11 Module" to get timing information (debug build nss)
3. service start httpd
  
Actual results:
Starting httpd: Function                     # Calls         Time         Avg.     % Time
--8<--
C_GenerateKeyPair                  1         53ms   53000.00us      3.77%
--8<--

Expected results:
No call to C_GenerateKeyPair and stepdown key disabled in NSS

Additional info:

--- Additional comment from dpal on 2011-07-06 13:54:39 EDT ---

The patch will be accepted upstream and will be delivered as a version that will be included into RHEL7.

Comment 5 Matthew Harmsen 2016-01-05 22:09:16 UTC

Per discussion with rcritten, moving from RHEL 7.3 --> RHEL 7.4.

Comment 6 Matthew Harmsen 2016-01-05 22:10:50 UTC

(In reply to Matthew Harmsen from comment #5)
> Per discussion with rcritten, moving from RHEL 7.3 --> RHEL 7.4.

Check with NSS guys

Comment 10 Rob Crittenden 2017-08-14 15:36:06 UTC

The step-up code in NSS was removed in 3.13, https://bugzilla.mozilla.org/show_bug.cgi?id=651523

Note You need to log in before you can comment on or make changes to this bug.