The token password(s) may be stored in
- an ASCII text file which is read during startup so the server can start
- without user intervention. The format of this file is:
internal:secret12
-+
internal:secret12
-
-
-
Example
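Review bot: the `internal:secret12` lines document a token password stored in plaintext, but nothing in this section says how that file must be protected; since this hunk only adjusts the blank lines around the format description, add a sentence here stating that the file should be readable only by the account the server starts as, so a reader copying the example does not leave the token password world-readable.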
-@@ -359,7 +363,7 @@ Specifies the location of the NSS certificate database to be used. An
- NSS certificate database consists of 3 files: cert8.db, key3.db and
- secmod.db. cert8.db stores certificates and Certificate Revocation
- Lists (CRLs), key3.db stores keys and secmod.db stores information
--about available pkcs#11 modules.
-+about available PKCS#11 modules.
-
- This directive specifies a path, not a filename.
-
-@@ -376,13 +380,13 @@ in one directory.
-
-
Example
-
--
NSSDBPrefix my-prefix-
-+NSSDBPrefix my-prefix-
-
- You would then need: my-prefix-cert8.db, my-prefix-key3.db and secmod.db
-
- In order to work with files with a prefix using the NSS command-line
- tools use the -P flag.
--
-+
-
NSSSessionCacheSize
-
- Specifies the number of SSL sessions that can be cached.
-@@ -404,8 +408,7 @@ is silently constrained.
-
- The default value is 100.
-
--
Example
-+
Example
-
-
NSSSessionCacheTimeout 100
-
-@@ -413,7 +416,7 @@ The default value is 100.
-
- Specifies the number of seconds SSL 3 sessions are cached.
-
--The valid range is 5 - 86400 seconds. A setting outside the valid
-+The valid range is 5 - 86400 seconds. A setting outside the valid
- range is silently constrained.
-
- The default value is 86400 (24 hours).
-@@ -425,24 +428,24 @@ The default value is 86400 (24 hours).
-
NSSRandomSeed
-
- Configures sources to seed the NSS Random Number Generator (RNG) at
--startup. Currently this only supports seeding the RNG at startup.
-+startup. Currently this only supports seeding the RNG at startup.
-
-
- The following sources are available:
-
-- builtin:
Combines the current system time, the
-+ builtin
: Combines the current system time, the
- current process id
- and a randomly choosen 128-byte extract of the process stack. This is
- not a particularly strong source of entropy.
-- file:/path/to/source:
Reads from the specified file.
-+ file:/path/to/source
: Reads from the specified file.
- If the number of bytes to read is specified it just reads that amount.
- Be aware that some operating systems block on /dev/random if not enough
- entropy is available. This means that the server will wait until that
--/data is available to continue startup. These systems generally offer a
-+data is available to continue startup. These systems generally offer a
- non-blocking device as well, /dev/urandom.
-- exec:/path/to/program: Executes the given program and takes
--the stdout of it as the entryop. If the bytes argument is included it
--reads that many bytes, otherwise it reads until the program exits.
-+ exec:/path/to/program
: Executes the given program and takes
-+the stdout of it as the entropy. If the bytes argument is included it
-+reads that many bytes, otherwise it reads until the program exits.
-
-
-
Example
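Review bot: the unchanged context line "and a randomly choosen 128-byte extract of the process stack" still misspells "chosen", while the `+` line in the same hunk corrects "entryop" to "entropy"; fix both spellings in one change. The context line "Currently this only supports seeding the RNG at startup." also repeats the sentence before it ("seed the NSS Random Number Generator (RNG) at startup") and could be dropped while the hunk is open.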
-@@ -455,10 +458,10 @@ NSSRandomSeed startup /usr/bin/makerandom
-
- Enables or disables the SSL protocol. This is usually used within a
- VirtualHost tag to enable SSL for a particular virtual host.
--
--SSL is disabled by default.
--
--Example
-+
-+SSL is disabled by default.
-+
-+Example
-
-
NSSEngine on
-
-@@ -479,10 +482,10 @@ The allowable ciphers are:
-
rsa_des_56_sha
-
fortezza
-
--
--FIPS is disabled by default.
--
--Example
-+
-+FIPS is disabled by default.
-+
-+Example
-
-
NSSFIPS on
-
-@@ -493,10 +496,9 @@ Enables or disables
-
--OCSP is disabled by default.
--
--Example
-+OCSP is disabled by default.
-+
-+Example
-
- NSSOCSP on
-
-@@ -517,8 +519,7 @@ Available ciphers are:
-
- Cipher Name
- |
-- NSS Cipher
--definition
-+ | NSS Cipher definition
- |
- Protocol
- |
-@@ -689,8 +690,7 @@ Additionally there are a number of ECC ciphers:
-
- Cipher Name
- |
-- NSS Cipher
--Definition
-+ | NSS Cipher Definition
- |
- Protocol
- |
-@@ -856,20 +856,19 @@ Specify the nickname to be used for this the server certificate.
- Certificates stored in an NSS database are referred to using nicknames
- which makes accessing a specific certificate much easier. It is also
- possible to specify the certificate DN but it is easier to use a
--nickname. If the nickname includes spaces then the value needs to
-+nickname. If the nickname includes spaces then the value needs to
- be enclosed in double quotes.
-
--Example
-+Example
-
- NSSNickname Server-Cert
--NSSNickname "This contains a space"
-+NSSNickname "This contains a space"
-
- NOTE: There is nothing magical about the string "Server-Cert." A
- nickname can be anything. Historically this was Server-Cert in the
- Netscape server products that used NSS.
-
--
NSSECCNickname
-+NSSECCNickname
-
- Similar to NSSNickname but designed for use with ECC certificates. This
- allows you to have both an RSA certificate and an ECC certificate
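Review bot: the hunk header context "Specify the nickname to be used for this the server certificate" carries a stray "this" that this whitespace-only hunk leaves in place; widen the hunk to read "the nickname to be used for the server certificate" so the NSSNickname section starts with a clean sentence.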
-@@ -909,7 +908,7 @@ Available options are:
- none
: no client certificate
- is required or requested
-
-- code>optional: a client
-+ optional
: a client
- certificate is requested but if one is not available, the connection
- may continue.
-
-@@ -935,8 +934,7 @@ also be set for this to work.
-
- Example
-
--NSSUserName SSL_CLIENT_S_DN_UID
-+NSSUserName SSL_CLIENT_S_DN_UID
-
- NSSOptions
-
-@@ -959,7 +957,7 @@ plus every CA certificate in the client certificate.
- StrictRequire: Absolutely forces the connection to be forbidden
- when NSSRequireSSL or NSSRequire aren't met.
- OptRenegotiate: Allows the SSL connection to be renegotiated
--using a different contiguration. This is designed for a per-directory
-+using a different configuration. This is designed for a per-directory
- and is relatively expensive to do. For example, it can be used to force
- very strong ciphers in particular directories.
-
-@@ -967,20 +965,19 @@ very strong ciphers in particular directories.
- All options are disabled by default.
-
- Example:
--
--NSSOptions +FakeBasicAuth
--<Files ~ "\.(cgi|shtml)$">
--NSSOptions +StdEnvVars
-+
-+NSSOptions +FakeBasicAuth
-+<Files ~ "\.(cgi|shtml)$">
-+NSSOptions +StdEnvVars
- <Files>
--
-+
-
- NSSRequireSSL
-
- The request is forbidden unless the connection is using SSL. Only
- available in a per-directory context. This takes no arguments.
-
--Example
-+Example
-
- NSSRequireSSL
-
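Review bot: the example closes the per-directory block with `<Files>` (the unchanged context line after `NSSOptions +StdEnvVars`), which is an opening tag; it should be `</Files>`, otherwise the configuration as shown is malformed and would not load. Since the hunk already rewrites the three lines immediately above it (`NSSOptions +FakeBasicAuth`, `<Files ~ "\.(cgi|shtml)$">`, `NSSOptions +StdEnvVars`), extend it to correct the closing tag as well.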
-@@ -1040,9 +1037,9 @@ man-in-the-middle attack so leaving this as on is strongly recommended.
-
- Example
-
--NSSProcyCheckPeerCN
--on
--
-+NSSProcyCheckPeerCN on
-+
-+
- Environment Variables
- Quite a few environment variables (for CGI and SSI) may be set
- depending on the NSSOptions configuration. It can be expensive to set
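Review bot: the rewritten `+` line keeps the directive spelled `NSSProcyCheckPeerCN`; the hunk header context describes this setting as the check that protects proxied connections against a man-in-the-middle attack, so the name looks like a typo for `NSSProxyCheckPeerCN`. A misspelled directive name in the example would be copied into configurations and rejected at startup, so verify the spelling against the directive's own heading and fix it while joining the two lines.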
-@@ -1163,7 +1160,7 @@ certificate is valid
- SSL_CLIENT_M_VERSION
- |
- X.509 version of the client
--certificiate
-+certificate
- |
-
-
-@@ -1181,7 +1178,7 @@ certificate
-
- SSL_CLIENT_A_SIG |
- Algorithm used for the signature
--of the client key |
-+of the client key
-
-
- SSL_CLIENT_S_DN |
-@@ -1228,7 +1225,7 @@ certificate. Only those that exist in the certificate are created
- SSL_SERVER_M_VERSION
- |
- X.509 version of the server
--certificiate |
-+certificate
-
-
- SSL_SERVER_M_SERIAL
-@@ -1257,7 +1254,7 @@ time |
- SSL_SERVER_A_SIG
- |
- Algorithm used for the signature
--of the server key |
-+of the server key
-
-
- SSL_SESSION_ID
-@@ -1304,6 +1301,7 @@ itself).
-
-
-
-+
- Database Management
- NSS stores it's certificates and keys in a set of files referred to as
- the "certificate database." The files by default (with NSS 3.x) are
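Review bot: the unchanged line "NSS stores it's certificates and keys" should read "its"; this hunk adds only a blank `+` line above the Database Management heading, so the grammar fix belongs in the same change.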
-@@ -1437,21 +1435,19 @@ have NSS validate it:
-
- % certutil -V -n Server-Cert -u V -d .
- certutil: certificate is valid
-+
- Why is SSLv2 disabled?
--All major browsers (Firefox, Internet Explorer, Mozilla, Netscape,
--Opera, and
--Safari) support SSL 3 and TLS so there is no need for a web server to
--support
--SSL 2. There are some known attacks against SSL 2 that are handled by
--SSL 3/TLS. SSLv2 also doesn't support useful features like client
--authentication.
-+All major browsers (Firefox, Internet Explorer, Mozilla, Netscape, Opera, and
-+Safari) support SSL 3 and TLS so there is no need for a web server to support
-+SSL 2. There are some known attacks against SSL 2 that are handled by SSL
-+3/TLS. SSLv2 also doesn't support useful features like client authentication.
-
-+
- Frequently Asked Questions
- Q. Does mod_nss support mod_proxy?
-
- A. Yes but you need to make sure that mod_ssl is not loaded. mod_proxy
- provides a single interface for SSL providers and mod_nss defers to
--mod_ssl
--if it is loaded.
-+mod_ssl if it is loaded.
-
- |