What is the difference between mod_nss and mod_ssl?
Solution 1
mod_ssl uses the OpenSSL library to implement TLS; mod_nss uses the NSS library instead. They are mutually exclusive.
mod_nss is rarely used. In fact, NSS is hardly used anywhere other than the Mozilla applications it originated with (like Firefox and Thunderbird, nowadays).
Unless you have very specific and unusual requirements which force the use of mod_nss, there is no reason to use it.
Solution 2
They're workalikes, with similar configuration and almost identical capabilities. Use whichever one works best for you.
As duskwuff says, mod_ssl is much more widely used, so you'll find more help and it might be easier for others to understand your configuration.
Personally I like the way mod_nss manages certificates better. It keeps them in a database file, and uses certutil and pk12util to manage them. certutil can easily show you a certificate chain and validate it from the certificates in your database, so you know whether the chain is valid before you start the service. OpenSSL still doesn't have any easy way to do that.
user55570, updated on September 18, 2022

Comments
- user55570 (almost 2 years):
I am setting up an Apache Subversion server to use secure certificates for Kerberos authentication with an AD domain.
I have successfully got it to work with mod_ssl with the ssl.conf config below, but not with mod_nss. For mod_nss the configuration I followed is mainly from this article: https://access.redhat.com/articles/1467293. In case the link for mod_nss is inaccessible, I have included the salient mod_nss conf lines below as well.
So, I was just wondering whether there were any guidelines/pros/cons to the use of either mod_ssl or mod_nss. Bonus if I can understand what was wrong with mod_nss. I was getting protocol errors on the client.
ssl.conf:

    LoadModule ssl_module modules/mod_ssl.so
    Listen 443
    SSLPassPhraseDialog builtin
    SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
    SSLSessionCacheTimeout 300
    SSLMutex default
    SSLRandomSeed startup file:/dev/urandom 256
    SSLRandomSeed connect builtin
    SSLCryptoDevice builtin

    <VirtualHost _default_:443>
    ErrorLog logs/svn_ssl_error_log
    TransferLog logs/svn_ssl_access_log
    LogLevel debug
    SSLEngine on
    SSLProtocol TLSv1.1 TLSv1.2
    SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

    <Location /App_User>
        DAV svn
        SVNPath "/opt/user/App_User"
        AuthType Kerberos
        AuthName Kerberos
        KrbMethodNegotiate Off
        KrbMethodK5Passwd On
        KrbServiceName Any
        KrbAuthRealms SRV01.COMPANY.COM
        KrbSaveCredentials on
        KrbLocalUserMapping on
        KrbVerifyKDC Off
        AuthzSVNAccessFile /opt/user/access.txt
        require valid-user
    </Location>

    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>
nss.conf:

    NSSEngine on
    NSSPassPhraseDialog file:/etc/httpd/alias/pin.txt
    NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
    NSSCipherSuite +ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha_384,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_128_sha_256,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+ecdhe_rsa_aes_256_sha_384,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha,
    NSSCertificateDatabase /etc/httpd/alias
    # The name needs to match the name in the db
    NSSNickname rhel7-64.example.com
    NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
    NSSCipherSuite +ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha_384,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_128_sha_256,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+ecdhe_rsa_aes_256_sha_384,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha,+rsa_rc4_128_sha
    NSSCertificateDatabase /etc/httpd/alias
I am running Apache/2.2.15 on Red Hat 6.9.
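A pre-flight audit of the TLS directives in configs like the two above, as an added example that is not part of the question or either answer: it parses httpd config text (continuation lines, comments, section tags) and flags what a reviewer would raise in nss.conf as posted (TLSv1.0 enabled, the trailing comma in NSSCipherSuite leaving an empty entry, rsa_rc4_128_sha enabled, and the NSSProtocol/NSSCipherSuite lines appearing twice) as well as the +3DES in ssl.conf. The function names and the weak-cipher list are my own, and the sample config is a constructed excerpt, not the full file; the audit does not claim these findings are the cause of the client's protocol errors.

```python
import re
# Cipher-name fragments (mod_nss and OpenSSL spellings) that should never be enabled.
WEAK_CIPHER_PARTS = {"rc4", "3des", "des", "exp", "export", "null", "anull", "enull", "md5"}
WEAK_PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.0"}

def parse_directives(text):
    """Yield (name, value) pairs; joins '\\' continuations, skips comments and <Section> tags."""
    pending = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pending.append(line.rstrip("\\").strip())
        if line.endswith("\\"):
            continue                      # directive continues on the next line
        parts, pending = " ".join(pending).split(None, 1), []
        if not parts[0].startswith("<"):
            yield parts[0], parts[1] if len(parts) > 1 else ""

def weak_cipher(token):
    """True if any '_'/'-'-separated part of the cipher name is on the weak list."""
    return bool(WEAK_CIPHER_PARTS & set(re.split(r"[^a-z0-9]+", token.lower())))

def audit(text):
    """Return human-readable findings for the TLS directives in httpd config text."""
    findings, seen = [], set()
    for name, value in parse_directives(text):
        if name in seen:
            findings.append(f"{name}: directive repeated, later value wins")
        seen.add(name)
        if name in ("NSSProtocol", "SSLProtocol"):
            for tok in filter(None, re.split(r"[,\s]+", value)):
                if not tok.startswith("-") and tok.lower().lstrip("+") in WEAK_PROTOCOLS:
                    findings.append(f"{name}: {tok} enabled")
        elif name in ("NSSCipherSuite", "SSLCipherSuite"):
            for tok in value.split("," if name.startswith("NSS") else ":"):
                if tok == "":
                    findings.append(f"{name}: empty entry (stray separator)")
                elif tok[0] not in "-!" and weak_cipher(tok):   # '-' / '!' mean disabled
                    findings.append(f"{name}: weak cipher {tok} enabled")
    return findings

# Constructed excerpt shaped like the nss.conf in the question (not the full file).
SAMPLE_NSS_CONF = """\
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
NSSCipherSuite +ecdhe_rsa_aes_128_gcm_sha_256,+rsa_aes_256_sha,
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
NSSCipherSuite +ecdhe_rsa_aes_128_gcm_sha_256,+rsa_rc4_128_sha
"""
```

Run `audit(open("/etc/httpd/conf.d/nss.conf").read())` (or the ssl.conf path) before restarting httpd; an empty list means none of the checks fired.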
- Ignacio Vazquez-Abrams (about 6 years): And 389, NetworkManager, ceph, chromium, Discord, evolution, Java 1.8.0+, LibreOffice, poppler, sssd, Steam, systemtap, and a few other dozen I don't care about.
- Admin (about 6 years): @IgnacioVazquez-Abrams As opposed to the hundreds -- possibly thousands? -- of applications that use OpenSSL? There are applications that use it, yes, but it's very distinctly not the standard choice.