Feb 20, 2014
mod_nss 1.0.9 released
July 21, 2008
mod_nss 1.0.8 released
June 1, 2007
mod_nss 1.0.7 released
October 27, 2006
mod_nss 1.0.6
October 17, 2006
mod_nss 1.0.5
Fix for a minor problem introduced with 1.0.4: NSS_Shutdown() was being called during module unload even if SSL wasn't enabled, causing an error to be written to the log.
October 11, 2006
mod_nss 1.0.4 is released
Merged in some changes to mod_ssl:
And some changes specific to mod_nss:
June 21, 2006
mod_nss 1.0.3 released.
March 2, 2006
January 31, 2006
mod_nss 1.0.2 is released.
September 20, 2005
mod_nss 1.0 is released.
mod_nss is an SSL provider derived from the mod_ssl module for the Apache web server that uses the Network Security Services (NSS) libraries. We started with mod_ssl and replaced the OpenSSL calls with NSS calls.
The mod_ssl package was created in April 1998 by Ralf S. Engelschall and was originally derived from the Apache-SSL package developed by Ben Laurie. It is licensed under the Apache 2.0 license.
Use what is best for your needs.
This module was created so the Apache web server can use the same security libraries as the former Netscape server products acquired by Red Hat, notably the Fedora Directory Server (now called 389).
NSS is also used in the Mozilla clients, such as Firefox and Thunderbird. We are co-maintainers of NSS, and it better fits our particular needs.
For the most part there is a 1-1 mapping between the capabilities of mod_nss and mod_ssl.
In short, it supports:
SSLv2 is supported but disabled by default. We chose not to enable it because it has known security weaknesses and all major web browsers now support SSLv3, so there is no longer any need to offer SSLv2.
Some mod_ssl directives have been removed because they don’t apply, and some new ones added. The directives dropped are:
The mod_nss directives are all prefixed with NSS. The new directives are:
Documentation is included in the mod_nss package, or you can read it online at http://git.fedorahosted.org/git/?p=mod_nss.git;a=blob_plain;f=docs/mod_nss.html;hb=HEAD
For questions, patches, etc., use the mod_nss mailing list at https://www.redhat.com/mailman/listinfo/mod_nss-list
Because mod_nss was derived from mod_ssl, and actually includes several unmodified source files, it is very compatible. OpenSSL exposes some features that NSS doesn’t, and vice versa, but for a consumer of the module they are nearly functionally identical.
It is very simple to convert an existing mod_ssl configuration for use with mod_nss, but that isn’t really our goal. mod_nss was created to satisfy our needs for NSS support within Apache, not displace mod_ssl.
mod_nss has been tested on RHEL 5, 6 and 7, Fedora 4-21, Solaris 9 and 10 and some Ubuntu and Debian releases.
It should support Apache 2.0.x, 2.2.x and 2.4.x.
For pre 1.0.9 releases only:
mod_nss Patches (10/21/2013)
RHEL 5: mod_nss-1.0.8.tar.gz, mod_nss-conf.patch, mod_nss-gencert.patch, mod_nss-wouldblock.patch, mod_nss-negotiate.patch, mod_nss-reverseproxy2.patch, mod_nss-PK11_ListCerts.patch, mod_nss-reseterror.patch
RHEL 6: mod_nss-1.0.8.tar.gz, mod_nss-conf.patch, mod_nss-gencert.patch, mod_nss-wouldblock.patch, mod_nss-negotiate.patch, mod_nss-reverseproxy.patch, mod_nss-PK11_ListCerts_2.patch, mod_nss-reseterror.patch, mod_nss-lockpcache.patch, mod_nss-overlapping_memcpy.patch, mod_nss-array_overrun.patch, mod_nss-clientauth.patch, mod_nss-no_shutdown_if_not_init_2.patch, mod_nss-proxyvariables.patch, mod_nss-tlsv1_1.patch, mod_nss-sslmultiproxy.patch
Fedora 18: mod_nss-1.0.8.tar.gz, mod_nss-conf.patch, mod_nss-gencert.patch, mod_nss-wouldblock.patch, mod_nss-negotiate.patch, mod_nss-reverseproxy.patch, mod_nss-pcachesignal.h, mod_nss-reseterror.patch, mod_nss-lockpcache.patch, mod_nss-httpd24.patch, mod_nss-overlapping_memcpy.patch
Fedora 19: mod_nss-1.0.8.tar.gz, mod_nss-conf.patch, mod_nss-gencert.patch, mod_nss-wouldblock.patch, mod_nss-negotiate.patch, mod_nss-reverseproxy.patch, mod_nss-pcachesignal.h, mod_nss-reseterror.patch, mod_nss-lockpcache.patch, mod_nss-httpd24.patch, mod_nss-overlapping_memcpy.patch, mod_nss-man.patch
Fedora 20: mod_nss-1.0.8.tar.gz, mod_nss-conf.patch, mod_nss-gencert.patch, mod_nss-wouldblock.patch, mod_nss-negotiate.patch, mod_nss-reverseproxy.patch, mod_nss-pcachesignal.h, mod_nss-reseterror.patch, mod_nss-lockpcache.patch, mod_nss-httpd24.patch, mod_nss-overlapping_memcpy.patch, mod_nss-man.patch
RHEL 7: mod_nss-1.0.8.tar.gz, mod_nss-conf.patch, mod_nss-gencert.patch, mod_nss-wouldblock.patch, mod_nss-negotiate.patch, mod_nss-reverseproxy.patch, mod_nss-pcachesignal.h, mod_nss-reseterror.patch, mod_nss-lockpcache.patch, mod_nss-httpd24.patch, mod_nss-overlapping_memcpy.patch, mod_nss-man.patch
bz961471: mod_nss-1.0.8.tar.gz, mod_nss-conf.patch, mod_nss-gencert.patch, mod_nss-wouldblock.patch, mod_nss-negotiate.patch, mod_nss-reverseproxy.patch, mod_nss-PK11_ListCerts_2.patch, mod_nss-pcachesignal.h, mod_nss-reseterror.patch, mod_nss-lockpcache.patch, mod_nss-httpd24.patch, mod_nss-overlapping_memcpy.patch, mod_nss-man.patch, mod_nss-array_overrun.patch, mod_nss-clientauth.patch, mod_nss-no_shutdown_if_not_init_2.patch, mod_nss-proxyvariables.patch, mod_nss-tlsv1_1.patch, mod_nss-sslmultiproxy_2.patch
BLACK = DOWNSTREAM PATCH EXISTS UPSTREAM
= UPSTREAM PATCH DOES NOT NEED TO BE BACK PORTED DOWNSTREAM
= DOWNSTREAM PATCH DOES NOT NEED TO BE PORTED UPSTREAM
= DOWNSTREAM PATCH NEEDS TO BE PORTED UPSTREAM
= RESOLUTION OF BUGZILLA BUG #961471 (Fedora 18+ & RHEL 7+)
The following bug has been filed to correct this problem:
This bug has been addressed in the following builds on the following platforms:
mod_nss requires NSS, NSPR and Apache 2.2.x or 2.4.x. It may still work with Apache 2.0.x, but mod_nss is no longer tested against it.
Older RPMs for RHEL4, FC4 and FC5 can be retrieved from http://directory.fedoraproject.org/download/mod_nss
Fedora Core 5 and up ship with NSS and NSPR as system libraries so only the mod_nss RPM is required for that distribution. mod_nss is available in Fedora Core 5 and higher via:
yum install mod_nss
Now start or restart Apache:
# /etc/init.d/httpd restart
The mod_nss configuration file can be found in /etc/httpd/conf.d/nss.conf. By default this RPM of mod_nss will listen to port 8443 so it doesn’t interfere with a current SSL server you may be running.
Most OpenSSL private keys are not password protected, at least by default. In contrast, the NSS certificate database is usually password protected. To avoid being prompted at startup, a file may be used to store the token password. This file is configurable and by default is /etc/httpd/conf/password.conf (recommended owner apache, mode 0600).
When the RPM is installed a self-signed CA and server certificate are installed. The output from this generation is stored in /etc/httpd/alias/install.log.
You can download the source for mod_nss from git.fedoraproject.org. To check out the source anonymously use
git clone http://git.fedorahosted.org/git/mod_nss.git
If you have commit access, use
git clone ssh://git.fedorahosted.org/git/mod_nss.git
You will have to apply for commit access; see our contributing page for more information on how to get it.
A source tarball is available at mod_nss-1.0.9.tar.gz
Refer to the README included in the distribution. In short you need the NSPR and NSS libraries, the Apache developer kit (apxs and the include headers) and a compiler. We’ve tested with gcc 3.x and Forte C v6.2 and 11.
You need to pass in the location of NSPR and NSS and if you are using your own build of Apache (as opposed to the system installed one) the path to apxs. The arguments are:
--with-apr-config Use apr-config to determine the APR directory
--with-apxs=PATH Path to apxs
--with-nspr=PATH Netscape Portable Runtime (NSPR) directory
--with-nspr-inc=PATH Netscape Portable Runtime (NSPR) include file directory
--with-nspr-lib=PATH Netscape Portable Runtime (NSPR) library directory
--with-nss=PATH Network Security Services (NSS) directory
--with-nss-inc=PATH Network Security Services (NSS) include directory
--with-nss-lib=PATH Network Security Services (NSS) library directory
--enable-ssl2 enable the SSL v2 protocol. (default=no)
--enable-ecc enable Elliptic Curve Cryptography (default=no)
The multiple options for NSS and NSPR cover the two possible layouts. You can have the include and library files under a single directory, say /components/nss/lib and /components/nss/include, or you can have them installed in separate directories, say /usr/include/nss3 and /usr/lib/nss3. If they are together you can use --with-nss. If they are in separate locations, use --with-nss-inc and --with-nss-lib. You will most likely need the latter.
When building for use with adminserver, try something like this (directory names may change depending on your kernel release, etc). This assumes you are building with the Fedora Directory Server source tree.
This was done on RHEL 3:
./configure --with-apr-config --with-apxs=/usr/sbin/apxs \
--with-nspr-inc=../mozilla/dist/Linux2.4_x86_glibc_PTH_DBG.OBJ/include/ \
--with-nspr-lib=../mozilla/dist/Linux2.4_x86_glibc_PTH_DBG.OBJ/lib \
--with-nss-inc=../mozilla/dist/public/nss \
--with-nss-lib=../mozilla//dist/Linux2.4_x86_glibc_PTH_DBG.OBJ/lib/
On modern Fedora systems if you are using the system Apache you just need:
./configure --with-apr-config
Yes. NSS uses a certificate database rather than discrete files. It is possible to convert the OpenSSL certificate files (these generally have .pem as the extension) for use with mod_nss. This involves converting the cert and key into a transportable file based on the PKCS #12 standard, then using an NSS utility to load it into your NSS database.
Here’s how:
% openssl pkcs12 -export -in cert.pem -inkey key.pem -out server.p12 -name "Server-Cert" -passout pass:foo
% certutil -N -d /path/to/database
% pk12util -i server.p12 -d /path/to/database -W foo
This loads your server certificate and gives it a "nickname." The nickname is a short name for the certificate, which makes it easier to reference in configuration files than the certificate subject. In this case you would set your NSSNickname value to "Server-Cert".
You will also need to import the CA certificate that issued the server certificate. In this case you don’t need the key of the CA, just the public certificate. Assuming you have the ASCII representation of it (e.g. a PEM file) you can load it as follows:
% certutil -d /path/to/database -A -n "My Local CA" -t "CT,," -a -i /path/to/ca.pem
certutil and pk12util are both NSS utilities.
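The conversion above, as an added example that is not part of the mod_nss project: the same PEM to PKCS #12 to NSS database steps, but with both passwords read from a mode-0600 file (in the spirit of password.conf) instead of `-passout pass:foo` and `-W foo`, which are visible to every local user in `ps` output and end up in shell history. It assumes openssl, certutil and pk12util are on PATH; the function names are mine.

```shell
#!/bin/sh
# Added example, not mod_nss project code. Assumes openssl, certutil and
# pk12util are installed. PWFILE holds one line: the password used for both
# the PKCS#12 bundle and the NSS database token; keep it owner-only (0600).
set -eu

# ensure_nssdb DBDIR PWFILE: create the NSS database if none exists yet
# (cert8.db = legacy dbm format, cert9.db = sql format).
ensure_nssdb() {
    dbdir=$1 pwfile=$2
    mkdir -p "$dbdir"
    if [ ! -f "$dbdir/cert8.db" ] && [ ! -f "$dbdir/cert9.db" ]; then
        certutil -N -d "$dbdir" -f "$pwfile"
    fi
}

# pem_to_nssdb DBDIR CERT.pem KEY.pem NICKNAME PWFILE
# Bundle cert+key into a temporary PKCS#12 file and import it under NICKNAME,
# the value you later put in NSSNickname.
pem_to_nssdb() {
    dbdir=$1 cert=$2 key=$3 nick=$4 pwfile=$5
    ensure_nssdb "$dbdir" "$pwfile"
    p12=$(mktemp)
    openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$p12" \
        -name "$nick" -passout "file:$pwfile"
    # -k: token password file, -w: PKCS#12 password file
    pk12util -i "$p12" -d "$dbdir" -k "$pwfile" -w "$pwfile"
    rm -f "$p12"
}

# import_ca DBDIR CA.pem NICKNAME PWFILE
# Import the issuing CA's public certificate (no key) trusted for SSL
# servers (C) and client certificates (T): the "CT,," string from above.
import_ca() {
    ensure_nssdb "$1" "$4"
    certutil -A -d "$1" -n "$3" -t "CT,," -a -i "$2" -f "$4"
}

# nss_has_cert DBDIR NICKNAME: succeed only if NICKNAME is in the database.
nss_has_cert() {
    certutil -L -d "$1" -n "$2" >/dev/null 2>&1
}

# Usage: ./import.sh DBDIR CERT.pem KEY.pem NICKNAME PWFILE
if [ $# -eq 5 ]; then
    pem_to_nssdb "$@"
    nss_has_cert "$1" "$4" && echo "imported $4 into $1"
fi
```

After the import, `certutil -V -u V -d DBDIR -n NICKNAME` (the validation command further down this page) checks that the chain is usable for an SSL server.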
It has been obsolete since SSL3 was introduced in 1996 but has been kept around because of export restrictions and the fact that many sites still use it. Netcraft reports that usage is down considerably so there is no big hue and cry for it on the server side.
On the client side both Mozilla and IE7 are calling for dropping support for the protocol. By not allowing it by default in mod_nss we are forcing those who want to use it to reconsider.
Documentation on the NSS tools is available at http://www.mozilla.org/projects/security/pki/nss/tools/
Here are some common usages and some basic rules of thumb:
The possible values for trust are:
p Valid peer
P Trusted peer (implies p)
c Valid CA
T Trusted CA to issue client certificates (implies c)
C Trusted CA to issue server certificates (SSL only) (implies c)
u Certificate can be used for authentication or signing
w Send warning (use with other attributes to inclu
Create a new certificate database:
% certutil -N -d /path/to/database/dir
List the certificates in a database:
% certutil -L -d /path/to/database/dir
Add a CA certificate (ASCII/PEM form) with the given trust flags:
% certutil -A -d /path/to/database/dir -n "nickname" -t "CT,," -a -i CAcert.txt
Generate a certificate request:
% certutil -R -d /path/to/database/dir -s "certificate DN" -o output_file -g <keysize>
The keysize is the number of bits in the private key. It can be in the range of 512-8192 bits, with a default of 1024.
In a server certificate DN the common name should have the form of: CN=fully-qualified hostname
When a client gets the certificate it compares the hostname in the URL to the CN in the subject of the certificate and if they don’t match a warning is presented to the user.
Examples include:
Validate a certificate for SSL server use (-u V):
% certutil -V -u V -d /path/to/database/dir -n "nickname"
Add a PKCS #11 module to the database:
% modutil -add "My Module Name" -libfile /path/to/library.so -dbdir /path/to/database/dir
This creates a pointer in secmod.db which will make the slots and tokens available. Some common commands to use with this:
List all modules:
% modutil -list -dbdir /path/to/database/dir
List all certificates on all tokens:
% certutil -L -d /path/to/database/dir -h all