Posted to dev@httpd.apache.org by Marc Stern <ma...@approach.be> on 2007/06/01 12:37:28 UTC

Re: Apache2 mod_ssl with HSM support

What was the goal in deriving from mod_ssl?
Is NSS better than OpenSSL? If so, why not implement everything from 
mod_ssl with NSS and stick to it?
Was the goal to provide new features, like OCSP? If so, why not 
implement them in mod_ssl?
(Btw, a patch to add OCSP is waiting for approval - see 
http://issues.apache.org/bugzilla/show_bug.cgi?id=41123)

Thanks

Marc

Rob Crittenden wrote:
> Marc Stern wrote:
>> What are the advantages/disadvantages between mod_ssl & mod_nss ?
>>
>> Marc
>>
>
> mod_ssl has the advantage that it is in wide use and has had many 
> eyeballs on it. It is feature-rich and performs well.
>
> mod_nss is a derivative of the mod_ssl from Apache 2.0.52 (plus a few 
> updates here and there). The OpenSSL calls were ripped out and 
> replaced with equivalent NSS calls. So feature-wise it generally has 
> parity.
>
> Notable differences include:
>
> mod_ssl allows one to configure the depth of the certificate chain of 
> a certificate (SSLVerifyDepth). mod_nss checks only the leaf.
>
> mod_nss has support for OCSP
>
> mod_nss has support for PKCS#11
>
> mod_ssl uses discrete files for certificates and keys. mod_nss uses a 
> NSS database. Some find this less convenient.
>
> The OpenSSL command-line tools are better documented and come with man 
> pages. The NSS command-line tools have some online documentation but 
> no man pages.
>
> mod_ssl supports DSA server certificates, mod_nss does not.
>
> mod_nss has a FIPS mode that sets the security policy. NSS 3.11.4 is 
> currently in FIPS 140-2 review. Individuals will still need to be 
> sure that the security policy is adhered to. mod_nss helps by not 
> allowing non-FIPS ciphers to be enabled when NSSFIPS is on. The policy 
> document can be found at 
> http://www.mozilla.org/projects/security/pki/nss/fips/secpolicy.pdf
>
> rob
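The feature list Rob gives above (discrete files vs. an NSS database, SSLVerifyDepth vs. leaf-only checking, OCSP, PKCS#11 and the NSSFIPS policy switch) maps onto a handful of directives in each module. The following two virtual hosts are an added illustration written for this page, not configuration from the thread or from either project's documentation; the directive names are the ones both modules document, but the certificate paths, the NSS database location, the token name and the certificate nickname are placeholders you would substitute for your own. It also covers the PKCS#11/HSM point in Rob's follow-up below, since a token-resident key is just a different nickname in mod_nss.

```apache
# --- mod_ssl: PEM files on disk, configurable client-chain depth ---
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile      /etc/pki/tls/certs/www.example.com.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/www.example.com.key
    SSLCACertificateFile    /etc/pki/tls/certs/client-ca-bundle.crt
    SSLVerifyClient require
    # Walk the client certificate chain up to this many CA certificates;
    # a chain longer than this fails verification.
    SSLVerifyDepth 2
    SSLCipherSuite HIGH:!aNULL:!MD5
    # No OCSP directive here: at the time of this thread OCSP checking
    # in mod_ssl was still the pending patch Marc links to.
</VirtualHost>

# --- mod_nss: NSS database, key on a PKCS#11 token, OCSP and FIPS switches ---
<VirtualHost *:8443>
    NSSEngine on
    # cert8.db / key8.db / secmod.db live here instead of discrete PEM files.
    NSSCertificateDatabase /etc/httpd/alias
    # "<token name>:<nickname>" selects a key held in a PKCS#11 module (HSM);
    # the token name is a placeholder.  Omit the prefix for the built-in
    # software token.
    NSSNickname "HSM Token:Server-Cert"
    # Token/database PIN supplied from a file rather than prompted at startup.
    NSSPassPhraseDialog file:/etc/httpd/conf/password.conf
    NSSVerifyClient require
    # There is no NSSVerifyDepth; per Rob's list mod_nss checks only the leaf.
    # Revocation checking is a switch in NSS, exposed as one directive:
    NSSOCSP on
    # With NSSFIPS on the module refuses non-FIPS-approved ciphers in
    # NSSCipherSuite, so this list must stay within the NSS security policy.
    NSSFIPS on
    NSSCipherSuite +rsa_aes_128_sha,+rsa_aes_256_sha
    NSSProtocol TLSv1
</VirtualHost>
```

Two practical checks follow from the list above: with NSSFIPS on, confirm at startup that every cipher in NSSCipherSuite is accepted rather than silently dropped, and when migrating a client-auth deployment from mod_ssl, remember that dropping SSLVerifyDepth means any intermediate-CA policy you relied on has to be expressed by what you import into the NSS database instead.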

Re: Apache2 mod_ssl with HSM support

Posted by Rob Crittenden <rc...@redhat.com>.
Marc Stern wrote:
> What was the goal in deriving from mod_ssl?

The goal was to make an Apache SSL module using NSS as the crypto 
engine. I saw no point in re-inventing the wheel so used mod_ssl as a 
starting point.

> Is NSS better than OpenSSL?

Both serve their purposes, choice is good. I work on the Fedora 
Directory Server and a need existed for an SSL-enabled web server. It 
made sense to use Apache but FDS uses NSS and rather than confusing 
things by having 2 separate SSL libraries I wrote mod_nss.

> If so, why not implement everything from 
> mod_ssl with NSS and stick to it?

I'm not sure what you're asking here. I'm not in any position to say 
library or module A is better than B. Use what fits your needs.

> Was the goal to provide new features, like OCSP? If so, why not 
> implement them in mod_ssl?

OCSP is a switch in NSS so all enabling it required was adding a 
configuration option to the module. PKCS#11 is the same way, it just 
came along for free with NSS.

> (Btw, a patch to add OCSP is waiting for approval - see 
> http://issues.apache.org/bugzilla/show_bug.cgi?id=41123)

Thanks for the pointer.

regards

rob