httpd-dev mailing list archives

From Marc Stern <>
Subject Re: Apache2 mod_ssl with HSM support
Date Fri, 01 Jun 2007 10:37:28 GMT
What was the goal in deriving from mod_ssl?
Is NSS better than OpenSSL? If so, why not implement everything from 
mod_ssl with NSS and stick to it?
Was the goal to provide new features, like OCSP? If so, why not 
implement them in mod_ssl?
(Btw, a patch to add OCSP is waiting for approval - see

Rob Crittenden wrote:
> Marc Stern wrote:
>> What are the advantages/disadvantages between mod_ssl & mod_nss ?
>> Marc
> mod_ssl has the advantage that it is in wide use and has had many 
> eyeballs on it. It is feature-rich and performs well.
> mod_nss is a derivative of mod_ssl from Apache 2.0.52 (plus a few 
> updates here and there). The OpenSSL calls were ripped out and 
> replaced with equivalent NSS calls. So feature-wise it generally has 
> parity.
> Notable differences include:
> mod_ssl allows one to configure the depth of the certificate chain of 
> a certificate (SSLVerifyDepth). mod_nss checks only the leaf.
> mod_nss has support for OCSP
> mod_nss has support for PKCS#11
> mod_ssl uses discrete files for certificates and keys. mod_nss uses a 
> NSS database. Some find this less convenient.
> The OpenSSL command-line tools are better documented and come with man 
> pages. The NSS command-line tools have some online documentation but 
> no man pages.
> mod_ssl supports DSA server certificates, mod_nss does not.
> mod_nss has a FIPS mode that sets the security policy. NSS 3.11.4 is 
> currently in FIPS 140-2 review. Individuals will still need to be 
> sure that the security policy is adhered to. mod_nss helps by not 
> allowing non-FIPS ciphers to be enabled when NSSFIPS is on. The policy 
> document can be found at 
> rob
