Eddy Nigg (StartCom Ltd.) wrote: > Nelson Bolyard wrote: >> >> Does serf use "modSSL"? If so, there is a "modNSS" that causes Apache to >> use NSS instead of OpenSSL. That might be an easy change for you. >> >> > Nelson, what about the env variables as in > http://httpd.apache.org/docs/2.0/mod/mod_ssl.html > Does mod_nss support the same naming convention? And is > NSSEnforceValidCerts equal to SSLVerifyDepth (with correct depth)? >
Yes, mod_nss supports the same environment variables as mod_ssl. http://directory.fedoraproject.org/wiki/Mod_nss Normally mod_nss will not let you start Apache with a bad certificate (expired, not a server cert, etc). NSSEnforceValidCerts lets you override that. There is no equivalent for SSLVerifyDepth. My understanding of how intermediate CAs are evaluated in NSS is admittedly sketchy but I believe it requires all of them to be installed and trusted. rob _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto