httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Crittenden <>
Subject Re: Apache2 mod_ssl with HSM support
Date Fri, 01 Jun 2007 18:27:42 GMT
Marc Stern wrote:
> What was the goal to derivate from mod_ssl ?

The goal was to make an Apache SSL module using NSS as the crypto 
engine. I saw no point in re-inventing the wheel so used mod_ssl as a 
starting point.

> Is NSS better than OpenSSL ? 

Both serve their purposes, choice is good. I work on the Fedora 
Directory Server and a need existed for an SSL-enabled web server. It 
made sense to use Apache but FDS uses NSS and rather than confusing 
things by having 2 separate SSL libraries I wrote mod_nss.

> If so, why not implementing everything from 
> mod_ssl with NSS and stick to it ?

I'm not sure what you're asking here. I'm not in any position to say 
library or module A is better than B. Use what fits your needs.

> Was the goal to provide new features, like OCSP ? If so, why not 
> implement them in mod_ssl ?

OCSP is a switch in NSS so all enabling it required was adding a 
configuration option to the module. PKCS#11 is the same way, it just 
came along for free with NSS.

> (Btw, a patch to add OCSP is waiting for approval - see 

Thanks for the pointer.



View raw message