@@ -, +, @@ Documentation formatting fixes - correct few cases of used on text that should use normal font - strip some redundant html tags - use 
 for larger command output blocks
    - correct few typos
--- a/docs/mod_nss.html	
+++ a/docs/mod_nss.html	
@@ -15,10 +15,10 @@ 
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
 -->
-  
+  
   mod_nss
 
+
 
 
mod_nss

 
Table of Contents

@@ -33,6 +33,7 @@ 
 Database Management

 Why is SSLv2 disabled?

 Frequently Asked Questions

+
 
Introduction

 The mod_ssl package was
 created in April 1998 by Ralf S.
@@ -44,9 +45,10 @@ the .

 

 mod_nss is based directly on the mod_ssl package from Apache
-2.0.54.  It is a conversion from using OpenSSL calls to using NSS
+2.0.54. It is a conversion from using OpenSSL calls to using
+NSS
 calls instead.

+
 
Building

 Refer to the README file included with the distribution.

 

@@ -173,13 +175,14 @@ module with something like:

  This will create a sample configuration file nss.conf.
 By default
 this is installed during the installation process.

+
 
Installation

 The make install target uses apxs to install the module into Apache.
 This automatically copies the mod_nss shared library to the appropriate
 location and updates Apache's httpd.conf so that the module will be
 loaded during the next restart.

 

-It also tries to rename ssl.conf to ssl.conf.old. 
+It also tries to rename ssl.conf to ssl.conf.old.
 The assumption is that mod_nss is replacing mod_ssl. They can co-exist
 as long as they are listening on separate ports.

 

@@ -196,6 +199,7 @@ following line to httpd.conf (location relative to httpd.conf):

 This has Apache load the mod_nss configuration file, nss.conf.
 It is here that you will setup your VirtualServer entries to and
 configure your SSL servers.

+
 
Certificate Generation

 A ksh script, gencert, is included to automatically
 generate a self-signed CA plus one server certificate. This is fine for
@@ -212,30 +216,31 @@ bother with the details.

 The certificate database password is httptest.

 

 A sample run is:

-

-# mkdir /etc/httpd/nss

-# ./gencert /etc/httpd/nss

-

-#####################################################################

-Generating new server certificate and key database. The password

-is httptest

-#####################################################################

-

-#####################################################################

-Generating self-signed client CA certificate

-#####################################################################

-

-Generating key.  This may take a few moments...

-

-[ Lots of output removed ]

-

+
+# mkdir /etc/httpd/nss
+# ./gencert /etc/httpd/nss
+
+#####################################################################
+Generating new server certificate and key database. The password
+is httptest
+#####################################################################
+
+#####################################################################
+Generating self-signed client CA certificate
+#####################################################################
+
+Generating key.  This may take a few moments...
+
+[ Lots of output removed ]
+

 You should now have the following files:

-

-/etc/httpd/nss/cert8.db

-/etc/httpd/nss/key3db

-/etc/httpd/nss/secmod.db

-

+
+/etc/httpd/nss/cert8.db
+/etc/httpd/nss/key3db
+/etc/httpd/nss/secmod.db
+

 These 3 files make up an NSS certificate database.

+
 
Server Startup

 Starting a mod_nss server is no different than starting a mod_ssl
 server. You will need to authenticate yourself to the security token
@@ -253,23 +258,21 @@ token password.

 

 All other output will be written to the Apache log files.

 

-To avoid  being prompted for a startup password you can either:

+To avoid being prompted for a startup password you can either:

 
-
%
-modutil -dbdir /path/to/database/directory -changepw "NSS Certificate
-DB"

+

+% modutil -dbdir /path/to/database/directory -changepw "NSS Certificate DB"

 

 Enter the old password then press Enter twice for the new password to
 blank it out.

-

+

+
 
Migration

-A perl script, migrate,pl, is included to help migrate an
+A perl script, migrate.pl, is included to help migrate an
 existing mod_ssl configuration to work with mod_nss. There is one
 optional argument, -c, that will try to convert your existing server
 and CA certificates plus any certificate revocation lists (CRLs) into
@@ -282,6 +285,7 @@ possible to migrate httpd.conf to use mod_nss. Simply copy httpd.conf
 to ssl.conf, run the update, then copy nss.conf to httpd.conf (after
 making a backup, of couse). This multi-step process gives you a chance
 to verify that the migration was successful.

+
 
Configuration Directives

 The following mod_ssl Directives are not applicable to mod_nss:

 
-

-FIPS is disabled by default.

-

-Example

+

+FIPS is disabled by default.

+

+Example

 

 NSSFIPS on

 

@@ -493,10 +496,9 @@ Enables or disables 
 

-OCSP is disabled by default.

-

-Example

+OCSP is disabled by default.

+

+Example

 

 NSSOCSP on

 

@@ -517,8 +519,7 @@ Available ciphers are:

     
       Cipher Name

       
-      NSS Cipher
-definition

+      NSS Cipher definition

       
       Protocol

       
@@ -689,8 +690,7 @@ Additionally there are a number of ECC ciphers:

     
       Cipher Name

       
-      NSS Cipher
-Definition

+      NSS Cipher Definition

       
       Protocol

       
@@ -856,20 +856,19 @@ Specify the nickname to be used for this the server certificate.
 Certificates stored in an NSS database are referred to using nicknames
 which makes accessing a specific certificate much easier. It is also
 possible to specify the certificate DN but it is easier to use a
-nickname.  If the nickname includes spaces then the value needs to
+nickname. If the nickname includes spaces then the value needs to
 be enclosed in double quotes.

 

-Example

+Example

 

 NSSNickname Server-Cert

-NSSNickname "This contains a space"

+NSSNickname "This contains a space"

 

 NOTE: There is nothing magical about the string "Server-Cert." A
 nickname can be anything. Historically this was Server-Cert in the
 Netscape server products that used NSS.

 

-NSSECCNickname

+NSSECCNickname

 

 Similar to NSSNickname but designed for use with ECC certificates. This
 allows you to have both an RSA certificate and an ECC certificate
@@ -909,7 +908,7 @@ Available options are:

   
  • none: no client certificate
 is required or requested
    
   
    • 
-  
  • code>optional: a client
+  
  • optional: a client
 certificate is requested but if one is not available, the connection
 may continue.
    
   
    • 
@@ -935,8 +934,7 @@ also be set for this to work.
    
 
    
 Example
    
 
    
-NSSUserName SSL_CLIENT_S_DN_UID
    
+NSSUserName SSL_CLIENT_S_DN_UID
    
 
    
 NSSOptions     
    
 
    
@@ -959,7 +957,7 @@ plus every CA certificate in the client certificate.
   
  • StrictRequire: Absolutely forces the connection to be forbidden
 when NSSRequireSSL or NSSRequire aren't met.
    • 
   
  • OptRenegotiate: Allows the SSL connection to be renegotiated
-using a different contiguration. This is designed for a per-directory
+using a different configuration. This is designed for a per-directory
 and is relatively expensive to do. For example, it can be used to force
 very strong ciphers in particular directories.
    
   
    • 
@@ -967,20 +965,19 @@ very strong ciphers in particular directories.
    
 All options are disabled by default.
    
 
    
 Example:
    
-
    
-NSSOptions +FakeBasicAuth
    
-<Files ~ "\.(cgi|shtml)$">
    
-NSSOptions +StdEnvVars
    
+
    +NSSOptions +FakeBasicAuth
+<Files ~ "\.(cgi|shtml)$">
+NSSOptions +StdEnvVars
 <Files>
-
    
+
    
 
    
 NSSRequireSSL
    
 
    
 The request is forbidden unless the connection is using SSL. Only
 available in a per-directory context. This takes no arguments.
    
 
    
-Example
    
+Example
    
 
    
 NSSRequireSSL
    
 
    
@@ -1040,9 +1037,9 @@ man-in-the-middle attack so leaving this as on is strongly recommended.
    
 
    
 Example
    
 
    
-NSSProcyCheckPeerCN
-on
    
-
    
+NSSProcyCheckPeerCN on
    
+
    
+
 
    Environment Variables
    
 Quite a few environment variables (for CGI and SSI) may be set
 depending on the NSSOptions configuration. It can be expensive to set
@@ -1163,7 +1160,7 @@ certificate is valid
    
       SSL_CLIENT_M_VERSION
    
           
       X.509 version of the client
-certificiate
    
+certificate
    
       
     
     
@@ -1181,7 +1178,7 @@ certificate
    
     
       SSL_CLIENT_A_SIG
       Algorithm used for the signature
-of  the client key
+of the client key
     
     
       SSL_CLIENT_S_DN
@@ -1228,7 +1225,7 @@ certificate. Only those that exist in the certificate are created
       SSL_SERVER_M_VERSION
    
           
       X.509 version of the server
-certificiate
+certificate
     
     
       SSL_SERVER_M_SERIAL
    
@@ -1257,7 +1254,7 @@ time
       SSL_SERVER_A_SIG
    
           
       Algorithm used for the signature
-of  the server key
+of the server key
     
     
       SSL_SESSION_ID
    
@@ -1304,6 +1301,7 @@ itself).
    
   
 
 
    
+
 
    Database Management
    
 NSS stores it's certificates and keys in a set of files referred to as
 the "certificate database." The files by default (with NSS 3.x) are
@@ -1437,21 +1435,19 @@ have NSS validate it:
    
 
    
 % certutil -V -n Server-Cert -u V -d .
    
 certutil: certificate is valid
    
+
 
    Why is SSLv2 disabled?
    
-All major browsers (Firefox, Internet Explorer, Mozilla, Netscape,
-Opera, and
-Safari) support SSL 3 and TLS so there is no need for a web server to
-support
-SSL 2. There are some known attacks against SSL 2 that are handled by
-SSL 3/TLS. SSLv2 also doesn't support useful features like client
-authentication.
+All major browsers (Firefox, Internet Explorer, Mozilla, Netscape, Opera, and
+Safari) support SSL 3 and TLS so there is no need for a web server to support
+SSL 2. There are some known attacks against SSL 2 that are handled by SSL
+3/TLS. SSLv2 also doesn't support useful features like client authentication.
 
    
+
 
    Frequently Asked Questions
    
 Q. Does mod_nss support mod_proxy?
    
 
    
 A. Yes but you need to make sure that mod_ssl is not loaded. mod_proxy
 provides a single interface for SSL providers and mod_nss defers to
-mod_ssl
-if it is loaded.
+mod_ssl if it is loaded.