
Mailing List Archive: Apache: Users

OpenSSL vs. Mozilla's NSS

 

 



tom.browder at gmail

Oct 24, 2012, 3:24 PM

Post #1 of 6 (2422 views)
Permalink
OpenSSL vs. Mozilla's NSS

Is it possible to use Apache with the NSS libraries instead of OpenSSL?

If not, has that ever been considered as an option?

Based on my struggle with OpenSSL documentation to generate my own CA
and client SSL certificates, the NSS documentation for that same task
looks like a breeze in comparison--I'm sorry I didn't find out about
it sooner. (I notice that Apple also uses NSS instead of OpenSSL.)

Best regards,

-Tom

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd


tom.browder at gmail

Oct 24, 2012, 3:28 PM

Post #2 of 6 (2389 views)
Permalink
Re: OpenSSL vs. Mozilla's NSS [In reply to]

On Wed, Oct 24, 2012 at 5:24 PM, Tom Browder <tom.browder [at] gmail> wrote:
> Is it possible to use Apache with the NSS libraries instead of OpenSSL?

Oops, I just found mod_nss.

But I would appreciate any comments about the use of mod_ssl versus mod_nss.

Best,

-Tom



mark at catseye

Oct 24, 2012, 3:43 PM

Post #3 of 6 (2369 views)
Permalink
Re: OpenSSL vs. Mozilla's NSS [In reply to]

On October 24, 2012 18:24 , Tom Browder <tom.browder [at] gmail> wrote:
> Is it possible to use Apache with the NSS libraries instead of OpenSSL?
>
> If not, has that ever been considered as an option?
>
> Based on my struggle with OpenSSL documentation to generate my own CA
> and client SSL certificates, the NSS documentation for that same task
> looks like a breeze in comparison--I'm sorry I didn't find out about
> it sooner.

If your problems are just with generating / signing certificates, you
don't need to use the same SSL libraries that Apache HTTP Server and
mod_ssl are using. You can use mod_ssl with OpenSSL but use whatever
software you want to use for managing your certificates.

--
Mark Montague
mark [at] catseye




tom.browder at gmail

Oct 24, 2012, 4:03 PM

Post #4 of 6 (2401 views)
Permalink
Re: OpenSSL vs. Mozilla's NSS [In reply to]

On Wed, Oct 24, 2012 at 5:43 PM, Mark Montague <mark [at] catseye> wrote:
> On October 24, 2012 18:24 , Tom Browder <tom.browder [at] gmail> wrote:
...
>> Is it possible to use Apache with the NSS libraries instead of OpenSSL?
> If your problems are just with generating / signing certificates, you don't
> need to use the same SSL libraries that Apache HTTP Server and mod_ssl are
> using. You can use mod_ssl with OpenSSL but use whatever software you want
> to use for managing your certificates.

You are correct, but the point I was trying to make was that maybe NSS
has something to offer with cleaner code, etc., based on the quality
of the documentation compared to OpenSSL.

In the meantime I've discovered mod_nss and will look closer at that.

Best,

-Tom



covener at gmail

Oct 24, 2012, 4:05 PM

Post #5 of 6 (2371 views)
Permalink
Re: OpenSSL vs. Mozilla's NSS [In reply to]

On Wed, Oct 24, 2012 at 6:24 PM, Tom Browder <tom.browder [at] gmail> wrote:
> Is it possible to use Apache with the NSS libraries instead of OpenSSL?
>
> If not, has that ever been considered as an option?
>
> Based on my struggle with OpenSSL documentation to generate my own CA
> and client SSL certificates, the NSS documentation for that same task
> looks like a breeze in comparison--I'm sorry I didn't find out about
> it sooner. (I notice that Apple also uses NSS instead of OpenSSL.)

tinyca helps if it's only an occasional need.



andrex at alumni

Oct 25, 2012, 6:29 AM

Post #6 of 6 (2393 views)
Permalink
Re: OpenSSL vs. Mozilla's NSS [In reply to]

> On Wed, Oct 24, 2012 at 5:24 PM, Tom Browder <tom.browder [at] gmail> wrote:
> > Is it possible to use Apache with the NSS libraries instead of OpenSSL?
>
> Oops, I just found mod_nss.
>
> But I would appreciate any comments about the use of mod_ssl versus mod_nss.

I've used both, and I now prefer mod_nss, because I find the configuration a
little easier. With mod_ssl I have to specify all of the certificate file names
in the configuration (SSLCertificateKeyFile, SSLCertificateFile,
SSLCertificateChainFile). With mod_nss I just load all of the keys and
certificates into the database, specify one mnemonic name in the configuration
(NSSNickName), and mod_nss then figures out and serves up the whole certificate
chain. I also like certutil and pk12util for managing the key+cert database.

But the functionality is identical, and the differences are minor. It's
basically going to depend on which toolset you like best - mod_ssl + openssl, or
mod_nss + certutil/pk12util.
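
The configuration difference described in the post above, shown side by side as an added example (not part of the original message and not taken from either project's documentation). The host name, file paths, database directory and the nickname `Server-Cert` are constructed, and the two virtual hosts are alternatives, not meant to be loaded together.

```apache
# Added example: all paths, the host name and the nickname are constructed.

# --- Alternative 1: mod_ssl (OpenSSL) ---
# Every PEM file is named explicitly in the configuration.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile      /etc/httpd/tls/server.crt
    SSLCertificateKeyFile   /etc/httpd/tls/server.key
    SSLCertificateChainFile /etc/httpd/tls/intermediate.crt
</VirtualHost>
# The private key file should be readable only by the account that
# starts the server.

# --- Alternative 2: mod_nss (NSS) ---
# Keys and certificates live in one NSS database directory, populated
# beforehand with the NSS tools the post mentions:
#   certutil -N -d /etc/httpd/alias
#       create an empty database
#   pk12util -i server.p12 -d /etc/httpd/alias
#       import the server key and certificate from a PKCS#12 file
#   certutil -A -n "Example Intermediate" -t ",," -a \
#            -i intermediate.crt -d /etc/httpd/alias
#       add the intermediate CA certificate needed for the chain
#   certutil -L -d /etc/httpd/alias
#       list nicknames to confirm what NSSNickname must reference
<VirtualHost *:443>
    ServerName www.example.com
    NSSEngine on
    NSSCertificateDatabase /etc/httpd/alias
    NSSNickname Server-Cert
</VirtualHost>
# The database directory holds the private key, so restrict it the same
# way as the mod_ssl key file.
```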


