The pkcs11 bypass element instructs the NSS to bypass the PKCS#11 layer during SSL/TLS processing, thereby improving performance.
During startup, the server automatically verifies each token, holding a server key, to assess if they support PKCS#11 bypass. If the tokens support bypass in the current configuration the PKCS#11 layer will be bypassed, else the bypass will be disabled. Thus, the server automatically takes advantage of the performance benefits of pkcs11 bypass whenever possible.
In certain unique circumstances, you can disable PKCS#11 bypass manually by using the server.xml element <allow-bypass>.
<pkcs11> <enabled>1</enabled> <allow-bypass>0</allow-bypass> </pkcs11>