httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Crittenden <rcrit...@redhat.com>
Subject Re: Apache2 mod_ssl with HSM support
Date Thu, 31 May 2007 14:51:46 GMT
Marc Stern wrote:
> What are the advantages/disadvantages between mod_ssl & mod_nss ?
> 
> Marc
> 

mod_ssl has the advantage that it is in wide use and has had many 
eyeballs on it. It is feature-rich and performs well.

mod_nss is a derivative of the mod_ssl from Apache 2.0.52 (plus a few 
updates here and there). The OpenSSL calls were ripped out and replaced 
with equivalent NSS calls. So feature-wise it generally has parity.

Notable differences include:

mod_ssl allows one to configure the depth of the certificate chain of a 
certificate (SSLVerifyDepth). mod_nss checks only the leaf.

mod_nss has support for OCSP

mod_nss has support for PKCS#11

mod_ssl uses discrete files for certificates and keys. mod_nss uses a 
NSS database. Some find this less convenient.

The OpenSSL command-line tools are better documented and come with man 
pages. The NSS command-line tools have some online documentation but no 
man pages.

mod_ssl supports DSA server certificates, mod_nss does not.

mod_nss has a FIPS mode that sets the security policy. NSS 3.11.4 is 
currently in FIPS 140-2 review now. Individuals will still need to be 
sure that the security policy is adhered to. mod_nss helps by not 
allowing non-FIPS ciphers to be enabled when NSSFIPS is on. The policy 
document can be found at 
http://www.mozilla.org/projects/security/pki/nss/fips/secpolicy.pdf

rob

Mime
View raw message