[users@httpd] Re: OpenSSL vs. Mozilla's NSS

[Tom Browder <to...@gmail.com>]

On Wed, Oct 24, 2012 at 5:24 PM, Tom Browder <to...@gmail.com> wrote:
> Is it possible to use Apache with the NSS libraries instead of OpenSSL?

Oops, I just found mod_nss.

But I would appreciate any comments about the use of mod_ssl versus mod_nss.

Best,

-Tom

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

[users@httpd] Re: OpenSSL vs. Mozilla's NSS

[Andrew Schulman <an...@alumni.utexas.net>]

> On Wed, Oct 24, 2012 at 5:24 PM, Tom Browder <to...@gmail.com> wrote:
> > Is it possible to use Apache with the NSS libraries instead of OpenSSL?
> 
> Oops, I just found mod_nss.
> 
> But I would appreciate any comments about the use of mod_ssl versus mod_nss.

I've used both, and I now prefer mod_nss, because I find the configuration a
little easier.  With mod_ssl I have to specify all of the certificate file names
in the configuration (SSLCertificateKeyFile, SSLCertificateFile,
SSLCertificateChainFile).  With mod_nss I just load all of the keys and
certificates into the database, specify one mnemonic name in the configuration
(NSSNickName), and mod_nss then figures out and serves up the whole certificate
chain.  I also like certutil and pk12util for managing the key+cert database.

But the functionality is identical, and the differences are minor.  It's
basically going to depend on which toolset you like best - mod_ssl + openssl, or
mod_nss + certutil/pk12util.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org