+++ This bug was initially created as a clone of Bug #637525 +++

Created attachment 449710 [details]
Patch adding NSSNoStepDown (on|off) config option

Description of problem:
If your certificate key size is greater than 512 bits, a 512 bit key-pair is generated on the fly for every ssl server. This takes considerable time and maybe the use of a 512 bit key might be unwanted.

Version-Release number of selected component (if applicable):
1.0.8

How reproducible:
Create Certificate with key size bigger than 512.

Steps to Reproduce:
1. Load/Create 1024bit certificate into certificate database
2. Put export NSS_DEBUG_PKCS11_MODULE="NSS Internal PKCS #11 Module" to get timing information (debug build nss)
3. service start httpd

Actual results:
Starting httpd:
Function            # Calls   Time   Avg.         % Time
--8<--
C_GenerateKeyPair   1         53ms   53000.00us   3.77%
--8<--

Expected results:
No call to C_GenerateKeyPair and stepdown key disabled in NSS

Additional info:

--- Additional comment from dpal on 2011-07-06 13:54:39 EDT ---

The patch will be accepted upstream and will be delivered as a version that will be included into RHEL7.
Per discussion with rcritten, moving from RHEL 7.3 --> RHEL 7.4.
(In reply to Matthew Harmsen from comment #5)
> Per discussion with rcritten, moving from RHEL 7.3 --> RHEL 7.4.

Check with NSS guys
The step-up code in NSS was removed in 3.13, https://bugzilla.mozilla.org/show_bug.cgi?id=651523