From: Marc Stern
Date: Fri, 01 Jun 2007 12:37:28 +0200
To: dev@httpd.apache.org
Subject: Re: Apache2 mod_ssl with HSM support
Message-ID: <465FF6E8.9070808@approach.be>
In-Reply-To: <465EE102.9050003@redhat.com>
List-Id: dev@httpd.apache.org (Delivered-To: apmail-httpd-dev-archive@www.apache.org)

What was the goal of deriving from mod_ssl?
Is NSS better than OpenSSL? If so, why not implement everything from mod_ssl with NSS and stick to it?
Was the goal to provide new features, like OCSP? If so, why not implement them in mod_ssl?
(Btw, a patch to add OCSP is waiting for approval - see http://issues.apache.org/bugzilla/show_bug.cgi?id=41123)

Thanks
Marc

Rob Crittenden wrote:
> Marc Stern wrote:
>> What are the advantages/disadvantages between mod_ssl & mod_nss?
>>
>> Marc
>>
>
> mod_ssl has the advantage that it is in wide use and has had many
> eyeballs on it. It is feature-rich and performs well.
>
> mod_nss is a derivative of the mod_ssl from Apache 2.0.52 (plus a few
> updates here and there). The OpenSSL calls were ripped out and
> replaced with equivalent NSS calls. So feature-wise it generally has
> parity.
>
> Notable differences include:
>
> mod_ssl allows one to configure the depth of the certificate chain of
> a certificate (SSLVerifyDepth). mod_nss checks only the leaf.
>
> mod_nss has support for OCSP.
>
> mod_nss has support for PKCS#11.
>
> mod_ssl uses discrete files for certificates and keys. mod_nss uses an
> NSS database. Some find this less convenient.
>
> The OpenSSL command-line tools are better documented and come with man
> pages. The NSS command-line tools have some online documentation but
> no man pages.
>
> mod_ssl supports DSA server certificates, mod_nss does not.
>
> mod_nss has a FIPS mode that sets the security policy. NSS 3.11.4 is
> currently in FIPS 140-2 review now. Individuals will still need to be
> sure that the security policy is adhered to. mod_nss helps by not
> allowing non-FIPS ciphers to be enabled when NSSFIPS is on. The policy
> document can be found at
> http://www.mozilla.org/projects/security/pki/nss/fips/secpolicy.pdf
>
> rob