What was the goal in deriving from mod_ssl?
Is NSS better than OpenSSL? If so, why not implement everything from
mod_ssl with NSS and stick to it?
Was the goal to provide new features, like OCSP? If so, why not
implement them in mod_ssl?
(Btw, a patch to add OCSP is waiting for approval - see
http://issues.apache.org/bugzilla/show_bug.cgi?id=41123)
Thanks
Marc
Rob Crittenden wrote:
Marc Stern wrote:
What are the advantages/disadvantages between mod_ssl & mod_nss ?
Marc
mod_ssl has the advantage that it is in wide use and has had many
eyeballs on it. It is feature-rich and performs well.
mod_nss is a derivative of the mod_ssl from Apache 2.0.52 (plus a few
updates here and there). The OpenSSL calls were ripped out and
replaced with equivalent NSS calls. So feature-wise it generally has
parity.
Notable differences include:
mod_ssl allows one to configure the depth of the certificate chain of
a certificate (SSLVerifyDepth). mod_nss checks only the leaf.
mod_nss has support for OCSP
mod_nss has support for PKCS#11
mod_ssl uses discrete files for certificates and keys. mod_nss uses an
NSS database. Some find this less convenient.
The OpenSSL command-line tools are better documented and come with man
pages. The NSS command-line tools have some online documentation but
no man pages.
mod_ssl supports DSA server certificates, mod_nss does not.
mod_nss has a FIPS mode that sets the security policy. NSS 3.11.4 is
currently in FIPS 140-2 review now. Individuals will still need to be
sure that the security policy is adhered to. mod_nss helps by not
allowing non-FIPS ciphers to be enabled when NSSFIPS is on. The policy
document can be found at
http://www.mozilla.org/projects/security/pki/nss/fips/secpolicy.pdf
rob
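To illustrate the FIPS point in Rob's reply (a non-FIPS cipher cannot be enabled while NSSFIPS is on), here is an added configuration sketch that is not from the thread. The NSSFIPS directive is named above; the other directive names (NSSEngine, NSSCertificateDatabase, NSSNickname, NSSCipherSuite), the cipher names and the paths are assumptions about mod_nss's configuration syntax, not taken from this message.

```apache
# Added example, not from the thread. Directive names other than NSSFIPS,
# the cipher names and the paths are assumptions about mod_nss, not facts
# stated in the message above.

# Weak setting: FIPS mode is on, but the cipher list still enables RC4,
# which is not a FIPS-approved cipher. mod_nss refuses such a combination
# rather than silently running out of policy.
<VirtualHost *:443>
    NSSEngine              on
    NSSFIPS                on
    NSSCertificateDatabase /etc/httpd/alias
    NSSNickname            Server-Cert
    NSSCipherSuite         +rsa_rc4_128_md5,+rsa_aes_128_sha
</VirtualHost>

# Corrected setting: only FIPS-approved ciphers (AES, 3DES) are enabled,
# and RC4 is explicitly disabled, so the cipher list matches the policy
# that NSSFIPS is meant to enforce.
<VirtualHost *:443>
    NSSEngine              on
    NSSFIPS                on
    NSSCertificateDatabase /etc/httpd/alias
    NSSNickname            Server-Cert
    NSSCipherSuite         -rsa_rc4_128_md5,-rsa_rc4_128_sha,+rsa_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
</VirtualHost>
```

Checking the error log at startup is the practical way to confirm that a disallowed cipher was rejected rather than quietly ignored.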