Marc Stern wrote:
What are the advantages/disadvantages between mod_ssl and mod_nss?

Marc


mod_ssl has the advantage that it is in wide use and has had many eyeballs on it. It is feature-rich and performs well.

mod_nss is a derivative of the mod_ssl from Apache 2.0.52 (plus a few updates here and there). The OpenSSL calls were ripped out and replaced with equivalent NSS calls. So feature-wise it generally has parity.

Notable differences include:

mod_ssl allows one to configure the depth of the certificate chain of a certificate (SSLVerifyDepth). mod_nss checks only the leaf.

mod_nss has support for OCSP.

mod_nss has support for PKCS#11.

mod_ssl uses discrete files for certificates and keys. mod_nss uses an NSS database. Some find this less convenient.

The OpenSSL command-line tools are better documented and come with man pages. The NSS command-line tools have some online documentation but no man pages.

mod_ssl supports DSA server certificates, mod_nss does not.

mod_nss has a FIPS mode that sets the security policy. NSS 3.11.4 is currently in FIPS 140-2 review. Individuals will still need to be sure that the security policy is adhered to. mod_nss helps by not allowing non-FIPS ciphers to be enabled when NSSFIPS is on. The policy document can be found at http://www.mozilla.org/projects/security/pki/nss/fips/secpolicy.pdf

rob

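The differences Rob lists (discrete PEM files and SSLVerifyDepth on the mod_ssl side; an NSS database, NSSFIPS and OCSP on the mod_nss side) are easiest to see as two minimal virtual hosts. The following is an added illustration, not configuration from the thread or from either project; hostnames, paths, ports, the certificate nickname, the cipher list and the NSSProtocol values are assumptions (the protocol list in particular is spelled the way recent mod_nss releases expect).

```apache
# --- mod_ssl: key and certificate are plain files on disk ---------------
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key
    SSLCACertificateFile  /etc/pki/tls/certs/client-ca-chain.pem
    SSLVerifyClient require
    # Accept client certificates issued up to two CAs below a trusted root.
    # mod_nss offers no equivalent knob: per the reply above it checks the leaf only.
    SSLVerifyDepth 2
</VirtualHost>

# --- mod_nss: key, certificate and trust anchors live in an NSS database --
LoadModule nss_module modules/libmodnss.so

# Password for the NSS database (assumed path); "builtin" would prompt at startup.
NSSPassPhraseDialog file:/etc/httpd/conf/password.conf

# With NSSFIPS on, mod_nss refuses to start if a non-FIPS cipher is enabled.
NSSFIPS on
# Revocation checking via OCSP, which mod_ssl of that era did not offer.
NSSOCSP on

<VirtualHost *:8443>
    ServerName www.example.com
    NSSEngine on
    # Directory holding cert8.db / key3.db, populated with certutil / pk12util.
    NSSCertificateDatabase /etc/httpd/alias
    # The server certificate is selected by nickname, not by file path.
    NSSNickname Server-Cert
    NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
    # FIPS-approved suites only; adding e.g. +rsa_rc4_128_md5 here would be
    # rejected while NSSFIPS is on.
    NSSCipherSuite +rsa_aes_128_sha,+rsa_aes_256_sha,+rsa_3des_sha
    NSSVerifyClient require
</VirtualHost>
```

Run `apachectl configtest` after editing either block; with NSSFIPS on, a cipher outside the approved set shows up there as a startup failure rather than as a silently downgraded connection.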