@@ -, +, @@ 

    Documentation formatting fixes

    - correct few cases of  used on text that should use normal font

    - strip some redundant html tags

    - use 
 for larger command output blocks

    - correct few typos

--- a/docs/mod_nss.html	

+++ a/docs/mod_nss.html	

@@ -15,10 +15,10 @@ 

  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  See the License for the specific language governing permissions and

 -->

-  

- http-equiv="content-type">

+  <meta content="text/html; charset=ISO-8859-1" http-equiv="content-type">

   <title>mod_nss</title>

 </head>

+

 <body>

 
mod_nss

 
Table of Contents

@@ -33,6 +33,7 @@ 

 Database Management

 Why is SSLv2 disabled?

 Frequently Asked Questions

+

 
Introduction

 The mod_ssl package was

 created in April 1998 by Ralf S.

@@ -44,9 +45,10 @@ the 

 license.

 mod_nss is based directly on the mod_ssl package from Apache

-2.0.54.  It is a conversion from using OpenSSL calls to using 

- href="http://www.mozilla.org/projects/security/pki/nss/">NSS

+2.0.54. It is a conversion from using OpenSSL calls to using

+NSS

 calls instead.

+

 
Building

 Refer to the README file included with the distribution.

@@ -173,13 +175,14 @@ module with something like:

  This will create a sample configuration file nss.conf.

 By default

 this is installed during the installation process.

+

 
Installation

 The make install target uses apxs to install the module into Apache.

 This automatically copies the mod_nss shared library to the appropriate

 location and updates Apache's httpd.conf so that the module will be

 loaded during the next restart.

-It also tries to rename ssl.conf to ssl.conf.old. 

+It also tries to rename ssl.conf to ssl.conf.old.

 The assumption is that mod_nss is replacing mod_ssl. They can co-exist

 as long as they are listening on separate ports.

@@ -196,6 +199,7 @@ following line to httpd.conf (location relative to httpd.conf):

 This has Apache load the mod_nss configuration file, nss.conf.

 It is here that you will setup your VirtualServer entries to and

 configure your SSL servers.

+

 
Certificate Generation

 A ksh script, gencert, is included to automatically

 generate a self-signed CA plus one server certificate. This is fine for

@@ -212,30 +216,31 @@ bother with the details.

 The certificate database password is httptest.

 A sample run is:

-

-# mkdir /etc/httpd/nss

-# ./gencert /etc/httpd/nss

-

-#####################################################################

-Generating new server certificate and key database. The password

-is httptest

-#####################################################################

-

-#####################################################################

-Generating self-signed client CA certificate

-#####################################################################

-

-Generating key.  This may take a few moments...

-

-[ Lots of output removed ]

-

+

+# mkdir /etc/httpd/nss

+# ./gencert /etc/httpd/nss

+

+#####################################################################

+Generating new server certificate and key database. The password

+is httptest

+#####################################################################

+

+#####################################################################

+Generating self-signed client CA certificate

+#####################################################################

+

+Generating key.  This may take a few moments...

+

+[ Lots of output removed ]

+

 You should now have the following files:

-

-/etc/httpd/nss/cert8.db

-/etc/httpd/nss/key3db

-/etc/httpd/nss/secmod.db

-

+

+/etc/httpd/nss/cert8.db

+/etc/httpd/nss/key3db

+/etc/httpd/nss/secmod.db

+

 These 3 files make up an NSS certificate database.

+

 
Server Startup

 Starting a mod_nss server is no different than starting a mod_ssl

 server. You will need to authenticate yourself to the security token

@@ -253,23 +258,21 @@ token password.

 All other output will be written to the Apache log files.

-To avoid  being prompted for a startup password you can either:

+To avoid being prompted for a startup password you can either:

-  
Use a password file that contains your token passwords. See <small><small>

- size="+2"><small><small>NSSPassPhraseDialog for details.</small></small></font></small></small>

-  
<small><small><font size="+2"><small><small>Change the internal

-token password to a blank with: 

-    </small></small></font></small></small>

+  
Use a password file that contains your token passwords. See

+NSSPassPhraseDialog for details.

+  
Change the internal token password to a blank with:

-
<small><small><font size="+2"><small><small>%

-modutil -dbdir /path/to/database/directory -changepw "NSS Certificate

-DB"

+

+% modutil -dbdir /path/to/database/directory -changepw "NSS Certificate DB"

 Enter the old password then press Enter twice for the new password to

 blank it out.

-</small></small></font></small></small>

+

+

 
Migration

-A perl script, migrate,pl, is included to help migrate an

+A perl script, migrate.pl, is included to help migrate an

 existing mod_ssl configuration to work with mod_nss. There is one

 optional argument, -c, that will try to convert your existing server

 and CA certificates plus any certificate revocation lists (CRLs) into

@@ -282,6 +285,7 @@ possible to migrate httpd.conf to use mod_nss. Simply copy httpd.conf

 to ssl.conf, run the update, then copy nss.conf to httpd.conf (after

 making a backup, of couse). This multi-step process gives you a chance

 to verify that the migration was successful.

+

 
Configuration Directives

 The following mod_ssl Directives are not applicable to mod_nss:

@@ -297,10 +301,10 @@ The following mod_ssl Directives are not applicable to mod_nss:

 Authentication is required in order to use the private key in an NSS

 certificate database. The method of this authentication is specified

-with the NSSPassPhraseDialog directive.  This directive takes one

+with the NSSPassPhraseDialog directive. This directive takes one

 argument specifying the method of authentication:

-  
builtin

+  
builtin

 
The user will be prompted to enter the

 token password for each cryptographic device. This works seemlessly

@@ -308,20 +312,20 @@ with any hardware tokens used. The default "device" is the internal

 token provided by the NSS Certificate database itself.

-  
file:/path/to/file

+  
file:/path/to/file

 
The token password(s) may be stored in

 an ASCII text file which is read during startup so the server can start

 without user intervention. The format of this file is:

-
token:password

+
token:password

 
An example for the internal token is:

-
internal:secret12

+
internal:secret12

 Example

@@ -359,7 +363,7 @@ Specifies the location of the NSS certificate database to be used. An

 NSS certificate database consists of 3 files: cert8.db, key3.db and

 secmod.db. cert8.db stores certificates and Certificate Revocation

 Lists (CRLs), key3.db stores keys and secmod.db stores information

-about available pkcs#11 modules.

+about available PKCS#11 modules.

 This directive specifies a path, not a filename.

@@ -376,13 +380,13 @@ in one directory. 

 Example

-NSSDBPrefix my-prefix-

+NSSDBPrefix my-prefix-

 You would then need: my-prefix-cert8.db, my-prefix-key3.db and secmod.db

 In order to work with files with a prefix using the NSS command-line

 tools use the -P flag.

-

+

 <font size="+2">NSSSessionCacheSize</font>

 Specifies the number of SSL sessions that can be cached. 

@@ -404,8 +408,7 @@ is silently constrained.

 The default value is 100.

-Example

- style="font-weight: bold;">

+Example

 NSSSessionCacheTimeout 100

@@ -413,7 +416,7 @@ The default value is 100.

 </big></big>

 Specifies the number of seconds SSL 3 sessions are cached.

-The valid range is 5 - 86400 seconds.  A setting outside the valid

+The valid range is 5 - 86400 seconds. A setting outside the valid

 range is silently constrained.

 The default value is 86400 (24 hours).

@@ -425,24 +428,24 @@ The default value is 86400 (24 hours).

 <big><big>NSSRandomSeed</big></big>

 Configures sources to seed the NSS Random Number Generator (RNG) at

-startup.  Currently this only supports seeding the RNG at startup.

+startup. Currently this only supports seeding the RNG at startup.

 The following sources are available:

-  
builtin: Combines the current system time, the

+  
builtin: Combines the current system time, the

 current process id

 and a randomly choosen 128-byte extract of the process stack. This is

 not a particularly strong source of entropy.

-  
file:/path/to/source: Reads from the specified file.

+  
file:/path/to/source: Reads from the specified file.

 If the number of bytes to read is specified it just reads that amount.

 Be aware that some operating systems block on /dev/random if not enough

 entropy is available. This means that the server will wait until that

-/data is available to continue startup. These systems generally offer a

+data is available to continue startup. These systems generally offer a

 non-blocking device as well, /dev/urandom.

-  
exec:/path/to/program: Executes the given program and takes

-the stdout of it as the entryop. If the bytes argument is included it

-reads that many bytes, otherwise it reads until the program exits.

+  
exec:/path/to/program: Executes the given program and takes

+the stdout of it as the entropy. If the bytes argument is included it

+reads that many bytes, otherwise it reads until the program exits.

 Example

@@ -455,10 +458,10 @@ NSSRandomSeed startup /usr/bin/makerandom

 Enables or disables the SSL protocol. This is usually used within a

 VirtualHost tag to enable SSL for a particular virtual host.

-

-SSL is disabled by default. 

-

-Example

+

+SSL is disabled by default. 

+

+Example

 NSSEngine on

@@ -479,10 +482,10 @@ The allowable ciphers are:

   
rsa_des_56_sha

   
fortezza

-

-FIPS is disabled by default.

-

-Example

+

+FIPS is disabled by default.

+

+Example

 NSSFIPS on

@@ -493,10 +496,9 @@ Enables or disables 

 (Online Certificate Status Protocol). This allows the server to check

 the validity of a client certificate before accepting it.

-OCSP

- style="font-weight: bold;"> is disabled by default.

-

-Example

+OCSP is disabled by default.

+

+Example

 NSSOCSP on

@@ -517,8 +519,7 @@ Available ciphers are:

       Cipher Name

-      NSS Cipher

-definition

+      NSS Cipher definition

       Protocol

@@ -689,8 +690,7 @@ Additionally there are a number of ECC ciphers:

       Cipher Name

-      NSS Cipher

-Definition

+      NSS Cipher Definition

       Protocol

@@ -856,20 +856,19 @@ Specify the nickname to be used for this the server certificate.

 Certificates stored in an NSS database are referred to using nicknames

 which makes accessing a specific certificate much easier. It is also

 possible to specify the certificate DN but it is easier to use a

-nickname.  If the nickname includes spaces then the value needs to

+nickname. If the nickname includes spaces then the value needs to

 be enclosed in double quotes.

-Example

- style="font-weight: bold;">

+Example

 NSSNickname Server-Cert

-NSSNickname "This contains a space"

+NSSNickname "This contains a space"

 NOTE: There is nothing magical about the string "Server-Cert." A

 nickname can be anything. Historically this was Server-Cert in the

 Netscape server products that used NSS.

-<big><big>NSSECCNickname</big></big>

+<big><big>NSSECCNickname</big></big>

 Similar to NSSNickname but designed for use with ECC certificates. This

 allows you to have both an RSA certificate and an ECC certificate

@@ -909,7 +908,7 @@ Available options are:

   
none: no client certificate

 is required or requested

-  
code>optional: a client

+  
optional: a client

 certificate is requested but if one is not available, the connection

 may continue.

@@ -935,8 +934,7 @@ also be set for this to work.

 Example

-NSSUserName SSL_CLIENT_S_DN_UID

- style="font-family: sans-serif;">

+NSSUserName SSL_CLIENT_S_DN_UID

 <big><big>

 NSSOptions</big></big> 

@@ -959,7 +957,7 @@ plus every CA certificate in the client certificate.

   
StrictRequire: Absolutely forces the connection to be forbidden

 when NSSRequireSSL or NSSRequire aren't met.

   
OptRenegotiate: Allows the SSL connection to be renegotiated

-using a different contiguration. This is designed for a per-directory

+using a different configuration. This is designed for a per-directory

 and is relatively expensive to do. For example, it can be used to force

 very strong ciphers in particular directories.

@@ -967,20 +965,19 @@ very strong ciphers in particular directories.

 All options are disabled by default.

 Example:

-

-NSSOptions +FakeBasicAuth

-<Files ~ "\.(cgi|shtml)$">

-NSSOptions +StdEnvVars

+

+NSSOptions +FakeBasicAuth

+<Files ~ "\.(cgi|shtml)$">

+NSSOptions +StdEnvVars

 <Files>

-

+

 <big><big>NSSRequireSSL</big></big>

 The request is forbidden unless the connection is using SSL. Only

 available in a per-directory context. This takes no arguments.

-Example

- style="font-weight: bold;">

+Example

 NSSRequireSSL

@@ -1040,9 +1037,9 @@ man-in-the-middle attack so leaving this as on is strongly recommended.

 Example

-NSSProcyCheckPeerCN

-on

-

+NSSProcyCheckPeerCN on

+

+

 
Environment Variables

 Quite a few environment variables (for CGI and SSI) may be set

 depending on the NSSOptions configuration. It can be expensive to set

@@ -1163,7 +1160,7 @@ certificate is valid

       SSL_CLIENT_M_VERSION

       X.509 version of the client

-certificiate

+certificate

@@ -1181,7 +1178,7 @@ certificate

       SSL_CLIENT_A_SIG

       Algorithm used for the signature

-of  the client key

+of the client key

       SSL_CLIENT_S_DN

@@ -1228,7 +1225,7 @@ certificate. Only those that exist in the certificate are created

       SSL_SERVER_M_VERSION

       X.509 version of the server

-certificiate

+certificate

       SSL_SERVER_M_SERIAL

@@ -1257,7 +1254,7 @@ time

       SSL_SERVER_A_SIG

       Algorithm used for the signature

-of  the server key

+of the server key

       SSL_SESSION_ID

@@ -1304,6 +1301,7 @@ itself).

+

 
Database Management

 NSS stores it's certificates and keys in a set of files referred to as

 the "certificate database." The files by default (with NSS 3.x) are

@@ -1437,21 +1435,19 @@ have NSS validate it:

 % certutil -V -n Server-Cert -u V -d .

 certutil: certificate is valid

+

 
Why is SSLv2 disabled?

-All major browsers (Firefox, Internet Explorer, Mozilla, Netscape,

-Opera, and

-Safari) support SSL 3 and TLS so there is no need for a web server to

-support

-SSL 2. There are some known attacks against SSL 2 that are handled by

-SSL 3/TLS. SSLv2 also doesn't support useful features like client

-authentication.

+All major browsers (Firefox, Internet Explorer, Mozilla, Netscape, Opera, and

+Safari) support SSL 3 and TLS so there is no need for a web server to support

+SSL 2. There are some known attacks against SSL 2 that are handled by SSL

+3/TLS. SSLv2 also doesn't support useful features like client authentication.

+

 
Frequently Asked Questions

 Q. Does mod_nss support mod_proxy?

 A. Yes but you need to make sure that mod_ssl is not loaded. mod_proxy

 provides a single interface for SSL providers and mod_nss defers to

-mod_ssl

-if it is loaded.

+mod_ssl if it is loaded.

 </body>

 </html>