@@ -, +, @@ Documentation formatting fixes - correct a few cases of used on text that should use normal font - strip some redundant html tags - use
 for larger command output blocks
    - correct a few typos
--- a/docs/mod_nss.html	
+++ a/docs/mod_nss.html	
@@ -15,10 +15,10 @@ 
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
 -->
-  
+  
   mod_nss
 
+
 
 

mod_nss

Table of Contents

@@ -33,6 +33,7 @@ Database Management
Why is SSLv2 disabled?
Frequently Asked Questions
+

Introduction

The mod_ssl package was created in April 1998 by Ralf S. @@ -44,9 +45,10 @@ the .

mod_nss is based directly on the mod_ssl package from Apache -2.0.54.  It is a conversion from using OpenSSL calls to using
NSS +2.0.54. It is a conversion from using OpenSSL calls to using +NSS calls instead.
+

Building

Refer to the README file included with the distribution.

@@ -173,13 +175,14 @@ module with something like:
 This will create a sample configuration file nss.conf. By default this is installed during the installation process.
+

Installation

The make install target uses apxs to install the module into Apache. This automatically copies the mod_nss shared library to the appropriate location and updates Apache's httpd.conf so that the module will be loaded during the next restart.

-It also tries to rename ssl.conf to ssl.conf.old.  +It also tries to rename ssl.conf to ssl.conf.old. The assumption is that mod_nss is replacing mod_ssl. They can co-exist as long as they are listening on separate ports.

@@ -196,6 +199,7 @@ following line to httpd.conf (location relative to httpd.conf):
This has Apache load the mod_nss configuration file, nss.conf. It is here that you will setup your VirtualServer entries to and configure your SSL servers.
+

Certificate Generation

A ksh script, gencert, is included to automatically generate a self-signed CA plus one server certificate. This is fine for @@ -212,30 +216,31 @@ bother with the details.
The certificate database password is httptest.

A sample run is:
-
-# mkdir /etc/httpd/nss
-# ./gencert /etc/httpd/nss
-
-#####################################################################
-Generating new server certificate and key database. The password
-is httptest
-#####################################################################
-
-#####################################################################
-Generating self-signed client CA certificate
-#####################################################################
-
-Generating key.  This may take a few moments...
-
-[ Lots of output removed ]

-
+
+# mkdir /etc/httpd/nss
+# ./gencert /etc/httpd/nss
+
+#####################################################################
+Generating new server certificate and key database. The password
+is httptest
+#####################################################################
+
+#####################################################################
+Generating self-signed client CA certificate
+#####################################################################
+
+Generating key.  This may take a few moments...
+
+[ Lots of output removed ]
+
You should now have the following files:
-
-/etc/httpd/nss/cert8.db
-/etc/httpd/nss/key3db
-/etc/httpd/nss/secmod.db

-
+
+/etc/httpd/nss/cert8.db
+/etc/httpd/nss/key3db
+/etc/httpd/nss/secmod.db
+
These 3 files make up an NSS certificate database.
+

Server Startup

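Review bot: the file list copied into the new block still reads "/etc/httpd/nss/key3db" where the real NSS file is key3.db (the three legacy NSS database files are cert8.db, key3.db and secmod.db); since this commit is also meant to correct typos, fix it in the added lines so the list matches "These 3 files make up an NSS certificate database." A reader checking the gencert result would otherwise look for a file that is never created.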
Starting a mod_nss server is no different than starting a mod_ssl server. You will need to authenticate yourself to the security token @@ -253,23 +258,21 @@ token password.

All other output will be written to the Apache log files.

-To avoid  being prompted for a startup password you can either:
+To avoid being prompted for a startup password you can either:
-
% -modutil -dbdir /path/to/database/directory -changepw "NSS Certificate -DB"
+
+% modutil -dbdir /path/to/database/directory -changepw "NSS Certificate DB"

Enter the old password then press Enter twice for the new password to blank it out.
-
+
+

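Review bot: the lead-in "To avoid being prompted for a startup password you can either:" promises two alternatives but only the modutil -changepw route survives in this hunk; check that the second option was not dropped with the removed lines. The text should also say what blanking the password means: the private key in the NSS database is then protected only by file permissions on the database directory, so that directory must not be world- or group-readable.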
Migration

-A perl script, migrate,pl, is included to help migrate an +A perl script, migrate.pl, is included to help migrate an existing mod_ssl configuration to work with mod_nss. There is one optional argument, -c, that will try to convert your existing server and CA certificates plus any certificate revocation lists (CRLs) into @@ -282,6 +285,7 @@ possible to migrate httpd.conf to use mod_nss. Simply copy httpd.conf to ssl.conf, run the update, then copy nss.conf to httpd.conf (after making a backup, of couse). This multi-step process gives you a chance to verify that the migration was successful.
+

Configuration Directives

The following mod_ssl Directives are not applicable to mod_nss:
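Review bot: the context line "after making a backup, of couse" still carries the typo "of couse" (should be "of course"); since the same hunk fixes "migrate,pl" to "migrate.pl", it would be consistent to correct this one here as well.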
-
-
FIPS is disabled by default.
-
-Example

+
+FIPS is disabled by default.
+
+Example

NSSFIPS on

@@ -493,10 +496,9 @@ Enables or disables
-OCSP is disabled by default.
-
-Example

+OCSP is disabled by default.
+
+Example

NSSOCSP on

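Review bot: for both the NSSFIPS and NSSOCSP entries the text only states the default (disabled) and shows the "on" form; the OCSP entry in particular should document what the server does when the responder cannot be reached (whether the handshake fails closed or the check is skipped), because that is the property an administrator enabling it needs to know.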
@@ -517,8 +519,7 @@ Available ciphers are:
Cipher Name
- NSS Cipher -definition
+ NSS Cipher definition
Protocol
@@ -689,8 +690,7 @@ Additionally there are a number of ECC ciphers:
Cipher Name
- NSS Cipher -Definition
+ NSS Cipher Definition
Protocol
@@ -856,20 +856,19 @@ Specify the nickname to be used for this the server certificate. Certificates stored in an NSS database are referred to using nicknames which makes accessing a specific certificate much easier. It is also possible to specify the certificate DN but it is easier to use a -nickname.  If the nickname includes spaces then the value needs to +nickname. If the nickname includes spaces then the value needs to be enclosed in double quotes.

-Example
+Example

NSSNickname Server-Cert
-NSSNickname "This contains a space"
+NSSNickname "This contains a space"

NOTE: There is nothing magical about the string "Server-Cert." A nickname can be anything. Historically this was Server-Cert in the Netscape server products that used NSS.

-
NSSECCNickname
+NSSECCNickname

Similar to NSSNickname but designed for use with ECC certificates. This allows you to have both an RSA certificate and an ECC certificate @@ -909,7 +908,7 @@ Available options are:
  • none: no client certificate is required or requested
  • -
  • code>optional: a client +
  • optional: a client certificate is requested but if one is not available, the connection may continue.
  • @@ -935,8 +934,7 @@ also be set for this to work.

    Example

    -NSSUserName SSL_CLIENT_S_DN_UID
    +NSSUserName SSL_CLIENT_S_DN_UID

    NSSOptions


    @@ -959,7 +957,7 @@ plus every CA certificate in the client certificate.
  • StrictRequire: Absolutely forces the connection to be forbidden when NSSRequireSSL or NSSRequire aren't met.
  • OptRenegotiate: Allows the SSL connection to be renegotiated -using a different contiguration. This is designed for a per-directory +using a different configuration. This is designed for a per-directory and is relatively expensive to do. For example, it can be used to force very strong ciphers in particular directories.
  • @@ -967,20 +965,19 @@ very strong ciphers in particular directories.
    All options are disabled by default.

    Example:
    -
    -NSSOptions +FakeBasicAuth
    -<Files ~ "\.(cgi|shtml)$">
    -NSSOptions +StdEnvVars
    +
    +NSSOptions +FakeBasicAuth
    +<Files ~ "\.(cgi|shtml)$">
    +NSSOptions +StdEnvVars
     <Files>
    -
    +

    NSSRequireSSL

    The request is forbidden unless the connection is using SSL. Only available in a per-directory context. This takes no arguments.

    -Example
    +Example

    NSSRequireSSL

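Review bot: the NSSOptions example closes the block with "<Files>" on the unchanged context line, but the matching closing directive is "</Files>"; as written the example is not valid Apache configuration and httpd will refuse to start with it. Since the hunk already rewrites the example lines around it, fix the closing tag in the added lines.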
    @@ -1040,9 +1037,9 @@ man-in-the-middle attack so leaving this as on is strongly recommended.

    Example

    -NSSProcyCheckPeerCN -on
    -

    +NSSProcyCheckPeerCN on
    +
    +

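Review bot: both the removed and added example lines spell the directive "NSSProcyCheckPeerCN"; the mod_nss directive is NSSProxyCheckPeerCN. Given the context line says leaving it on is "strongly recommended" against man-in-the-middle attacks, a misspelled name in the example is worth fixing in this commit, since a copied-and-pasted misspelling would simply be rejected by httpd rather than enabling the check.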
    Environment Variables

    Quite a few environment variables (for CGI and SSI) may be set depending on the NSSOptions configuration. It can be expensive to set @@ -1163,7 +1160,7 @@ certificate is valid
    SSL_CLIENT_M_VERSION
    X.509 version of the client -certificiate
    +certificate
    @@ -1181,7 +1178,7 @@ certificate
    SSL_CLIENT_A_SIG Algorithm used for the signature -of  the client key +of the client key SSL_CLIENT_S_DN @@ -1228,7 +1225,7 @@ certificate. Only those that exist in the certificate are created SSL_SERVER_M_VERSION
    X.509 version of the server -certificiate +certificate SSL_SERVER_M_SERIAL
    @@ -1257,7 +1254,7 @@ time SSL_SERVER_A_SIG
    Algorithm used for the signature -of  the server key +of the server key SSL_SESSION_ID
    @@ -1304,6 +1301,7 @@ itself).

    +

    Database Management

    NSS stores it's certificates and keys in a set of files referred to as the "certificate database." The files by default (with NSS 3.x) are @@ -1437,21 +1435,19 @@ have NSS validate it:

    % certutil -V -n Server-Cert -u V -d .
    certutil: certificate is valid

    +

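Review bot: the context line opening the Database Management section reads "NSS stores it's certificates and keys"; this should be "its" and fits the typo scope of this commit.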
    Why is SSLv2 disabled?

    -All major browsers (Firefox, Internet Explorer, Mozilla, Netscape, -Opera, and -Safari) support SSL 3 and TLS so there is no need for a web server to -support -SSL 2. There are some known attacks against SSL 2 that are handled by -SSL 3/TLS. SSLv2 also doesn't support useful features like client -authentication. +All major browsers (Firefox, Internet Explorer, Mozilla, Netscape, Opera, and +Safari) support SSL 3 and TLS so there is no need for a web server to support +SSL 2. There are some known attacks against SSL 2 that are handled by SSL +3/TLS. SSLv2 also doesn't support useful features like client authentication.
    +

    Frequently Asked Questions

    Q. Does mod_nss support mod_proxy?

    A. Yes but you need to make sure that mod_ssl is not loaded. mod_proxy provides a single interface for SSL providers and mod_nss defers to -mod_ssl -if it is loaded. +mod_ssl if it is loaded.