Marc Stern wrote:
What was the goal of deriving from mod_ssl?
The goal was to make an Apache SSL module using NSS as the crypto engine. I saw no point in re-inventing the wheel so used mod_ssl as a starting point.
Is NSS better than OpenSSL?
Both serve their purposes, choice is good. I work on the Fedora Directory Server and a need existed for an SSL-enabled web server. It made sense to use Apache but FDS uses NSS and rather than confusing things by having 2 separate SSL libraries I wrote mod_nss.
If so, why not implement everything from mod_ssl with NSS and stick to it?
I'm not sure what you're asking here. I'm not in any position to say library or module A is better than B. Use what fits your needs.
Was the goal to provide new features, like OCSP? If so, why not implement them in mod_ssl?
OCSP is a switch in NSS so all enabling it required was adding a configuration option to the module. PKCS#11 is the same way, it just came along for free with NSS.
(Btw, a patch to add OCSP is waiting for approval - see http://issues.apache.org/bugzilla/show_bug.cgi?id=41123)
Thanks for the pointer.

regards
rob
