Mod nss


News

Feb 20, 2014

mod_nss 1.0.9 released

July 21, 2008

mod_nss 1.0.8 released

June 1, 2007

mod_nss 1.0.7 released

October 27, 2006

mod_nss 1.0.6

October 17, 2006

mod_nss 1.0.5

Fix for a minor problem introduced with 1.0.4. NSS_Shutdown() was being called during module unload even if SSL wasn’t enabled, causing an error to be written to the log.

October 11, 2006

mod_nss 1.0.4 is released

Merged in some changes to mod_ssl:

And some changes specific to mod_nss:

June 21, 2006

mod_nss 1.0.3 released.

March 2, 2006

January 31, 2006

mod_nss 1.0.2 is released.

September 20, 2005

mod_nss 1.0 is released.

What is mod_nss?

mod_nss is an SSL provider derived from the mod_ssl module for the Apache web server that uses the Network Security Services (NSS) libraries. We started with mod_ssl and replaced the OpenSSL calls with NSS calls.

The mod_ssl package was created in April 1998 by Ralf S. Engelschall and was originally derived from the Apache-SSL package developed by Ben Laurie. It is licensed under the Apache 2.0 license.

Why use NSS instead of OpenSSL?

Use what is best for your needs.

This module was created so the Apache web server can use the same security libraries as the former Netscape server products acquired by Red Hat, notably the Fedora Directory Server (now called 389).

NSS is also used in the Mozilla clients, such as Firefox and Thunderbird. We are co-maintainers of NSS, and it better fits our particular needs.

What features does mod_nss provide?

For the most part there is a 1-1 mapping between the capabilities of mod_nss and mod_ssl.

In short, it supports:

SSLv2 support exists in the code but is only compiled in with --enable-ssl2 and is off by default. We chose not to enable it because the protocol has known security weaknesses and every major browser now supports SSLv3 or later, so there is no longer any need to offer SSLv2.

Some mod_ssl directives have been removed because they don’t apply, and some new ones added. The directives dropped are:

The mod_nss directives are all prefixed with NSS. The new directives are:

Documentation

Documentation is included in the mod_nss package, or you can read it online at http://git.fedorahosted.org/git/?p=mod_nss.git;a=blob_plain;f=docs/mod_nss.html;hb=HEAD

Mailing List

For questions, patches, etc., use the mod_nss mailing list at https://www.redhat.com/mailman/listinfo/mod_nss-list

How compatible is mod_nss to mod_ssl?

Because mod_nss was derived from mod_ssl, and actually includes several unmodified source files, it is very compatible. OpenSSL exposes some features that NSS doesn’t, and vice versa, but for a consumer of the module they are nearly functionally identical.

It is very simple to convert an existing mod_ssl configuration for use with mod_nss, but that isn’t really our goal. mod_nss was created to satisfy our needs for NSS support within Apache, not displace mod_ssl.

What platforms does it support?

mod_nss has been tested on RHEL 5, 6 and 7, Fedora 4-21, Solaris 9 and 10 and some Ubuntu and Debian releases.

It supports Apache 2.2.x and 2.4.x; Apache 2.0.x may still work but is no longer tested.

mod_nss Patches Compatibility Matrix

For pre 1.0.9 releases only:

mod_nss Patches (10/21/2013)

The table lists, per platform, the base tarball and the downstream patches applied on top of it. The last column is the set proposed as the resolution of Bugzilla bug #961471.

RHEL 5:
  mod_nss-1.0.8.tar.gz
  mod_nss-conf.patch
  mod_nss-gencert.patch
  mod_nss-wouldblock.patch
  mod_nss-negotiate.patch
  mod_nss-reverseproxy2.patch
  mod_nss-PK11_ListCerts.patch
  mod_nss-reseterror.patch

RHEL 6:
  mod_nss-1.0.8.tar.gz
  mod_nss-conf.patch
  mod_nss-gencert.patch
  mod_nss-wouldblock.patch
  mod_nss-negotiate.patch
  mod_nss-reverseproxy.patch
  mod_nss-PK11_ListCerts_2.patch
  mod_nss-reseterror.patch
  mod_nss-lockpcache.patch
  mod_nss-overlapping_memcpy.patch
  mod_nss-array_overrun.patch
  mod_nss-clientauth.patch
  mod_nss-no_shutdown_if_not_init_2.patch
  mod_nss-proxyvariables.patch
  mod_nss-tlsv1_1.patch
  mod_nss-sslmultiproxy.patch

Fedora 18:
  mod_nss-1.0.8.tar.gz
  mod_nss-conf.patch
  mod_nss-gencert.patch
  mod_nss-wouldblock.patch
  mod_nss-negotiate.patch
  mod_nss-reverseproxy.patch
  mod_nss-pcachesignal.h
  mod_nss-reseterror.patch
  mod_nss-lockpcache.patch
  mod_nss-httpd24.patch
  mod_nss-overlapping_memcpy.patch

Fedora 19:
  mod_nss-1.0.8.tar.gz
  mod_nss-conf.patch
  mod_nss-gencert.patch
  mod_nss-wouldblock.patch
  mod_nss-negotiate.patch
  mod_nss-reverseproxy.patch
  mod_nss-pcachesignal.h
  mod_nss-reseterror.patch
  mod_nss-lockpcache.patch
  mod_nss-httpd24.patch
  mod_nss-overlapping_memcpy.patch
  mod_nss-man.patch

Fedora 20:
  mod_nss-1.0.8.tar.gz
  mod_nss-conf.patch
  mod_nss-gencert.patch
  mod_nss-wouldblock.patch
  mod_nss-negotiate.patch
  mod_nss-reverseproxy.patch
  mod_nss-pcachesignal.h
  mod_nss-reseterror.patch
  mod_nss-lockpcache.patch
  mod_nss-httpd24.patch
  mod_nss-overlapping_memcpy.patch
  mod_nss-man.patch

RHEL 7:
  mod_nss-1.0.8.tar.gz
  mod_nss-conf.patch
  mod_nss-gencert.patch
  mod_nss-wouldblock.patch
  mod_nss-negotiate.patch
  mod_nss-reverseproxy.patch
  mod_nss-pcachesignal.h
  mod_nss-reseterror.patch
  mod_nss-lockpcache.patch
  mod_nss-httpd24.patch
  mod_nss-overlapping_memcpy.patch
  mod_nss-man.patch

bz961471 (resolution of Bugzilla bug #961471):
  mod_nss-1.0.8.tar.gz
  mod_nss-conf.patch
  mod_nss-gencert.patch
  mod_nss-wouldblock.patch
  mod_nss-negotiate.patch
  mod_nss-reverseproxy.patch
  mod_nss-PK11_ListCerts_2.patch
  mod_nss-pcachesignal.h
  mod_nss-reseterror.patch
  mod_nss-lockpcache.patch
  mod_nss-httpd24.patch
  mod_nss-overlapping_memcpy.patch
  mod_nss-man.patch
  mod_nss-array_overrun.patch
  mod_nss-clientauth.patch
  mod_nss-no_shutdown_if_not_init_2.patch
  mod_nss-proxyvariables.patch
  mod_nss-tlsv1_1.patch
  mod_nss-sslmultiproxy_2.patch

Legend (cell colours in the original table):

  BLACK  = downstream patch exists upstream
  BLUE   = upstream patch does not need to be back-ported downstream
  GREEN  = downstream patch does not need to be ported upstream
  RED    = downstream patch needs to be ported upstream
  ORANGE = resolution of Bugzilla bug #961471 (Fedora 18+ and RHEL 7+)

Bugzilla bug #961471 has been filed to correct this problem.

This bug has been addressed in the following builds on the following platforms:

What do I need to run mod_nss?

mod_nss requires NSS, NSPR and Apache 2.2.x or 2.4.x. It may still work with Apache 2.0.x, but mod_nss is no longer tested against it.

Where can I get a binary?

Some older RPMs for RHEL4, FC4 and FC5 can be retrieved from http://directory.fedoraproject.org/download/mod_nss

Fedora Core 5 and up ship with NSS and NSPR as system libraries so only the mod_nss RPM is required for that distribution. mod_nss is available in Fedora Core 5 and higher via:

 yum install mod_nss

Now start or restart Apache (on releases that use systemd, run systemctl restart httpd instead of the init script):

# /etc/init.d/httpd restart

The mod_nss configuration file can be found in /etc/httpd/conf.d/nss.conf. By default this RPM of mod_nss will listen to port 8443 so it doesn’t interfere with a current SSL server you may be running.

Most OpenSSL private keys are not password protected, at least by default. In contrast, the NSS certificate database is usually password protected. To avoid being prompted at startup, a file may be used to store the token password; it is selected with the NSSPassPhraseDialog directive and defaults to /etc/httpd/conf/password.conf (recommended owner apache, mode 0600). Each line of that file has the form token:password, and the built-in software token is named internal. Anyone who can read the file can unlock the server's private key, so protect it at least as carefully as the key database itself and keep it out of backups and version control that are less restricted.

When the RPM is installed a self-signed CA and server certificate are installed. The output from this generation is stored in /etc/httpd/alias/install.log.

Where can I get the source?

You can download the source for mod_nss from git.fedorahosted.org. To check out the source anonymously use

 git clone http://git.fedorahosted.org/git/mod_nss.git

If you have commit access, use

 git clone ssh://git.fedorahosted.org/git/mod_nss.git

You will have to apply for commit access; see our contributing page for more information on how to get it.

A source tarball is available at mod_nss-1.0.9.tar.gz

How do I build it?

Refer to the README included in the distribution. In short you need the NSPR and NSS libraries, the Apache developer kit (apxs and the include headers) and a compiler. We’ve tested with gcc 3.x and Forte C v6.2 and 11.

You need to pass in the location of NSPR and NSS and if you are using your own build of Apache (as opposed to the system installed one) the path to apxs. The arguments are:

 --with-apr-config       Use apr-config to determine the APR directory
 --with-apxs=PATH        Path to apxs
 --with-nspr=PATH        Netscape Portable Runtime (NSPR) directory
 --with-nspr-inc=PATH    Netscape Portable Runtime (NSPR) include file directory
 --with-nspr-lib=PATH    Netscape Portable Runtime (NSPR) library directory
 --with-nss=PATH         Network Security Services (NSS) directory
 --with-nss-inc=PATH     Network Security Services (NSS) include directory
 --with-nss-lib=PATH     Network Security Services (NSS) library directory
 --enable-ssl2           enable the SSL v2 protocol (default=no)
 --enable-ecc            enable Elliptic Curve Cryptography (default=no)

The multiple options for NSS and NSPR are due to the two possible situations. You can have the include and library files under a single directory, say /components/nss/lib and /components/nss/include, or you can have them installed in discrete directories, say /usr/include/nss3 and /usr/lib/nss3. If you have them together you can use --with-nss. If you have them in separate locations, use --with-nss-inc and --with-nss-lib. You will most likely use the latter.

When building for use with adminserver, try something like this (directory names may change depending on your kernel release, etc). This assumes you are building with the Fedora Directory Server source tree.

This was done on RHEL 3:

./configure --with-apr-config --with-apxs=/usr/sbin/apxs \
    --with-nspr-inc=../mozilla/dist/Linux2.4_x86_glibc_PTH_DBG.OBJ/include/ \
    --with-nspr-lib=../mozilla/dist/Linux2.4_x86_glibc_PTH_DBG.OBJ/lib \
    --with-nss-inc=../mozilla/dist/public/nss \
    --with-nss-lib=../mozilla/dist/Linux2.4_x86_glibc_PTH_DBG.OBJ/lib/

On modern Fedora systems if you are using the system Apache you just need:

./configure --with-apr-config

Can I use my existing mod_ssl/OpenSSL certificates with mod_nss?

Yes. NSS uses a certificate database rather than discrete files. It is possible to convert the OpenSSL certificate files (these generally have .pem as the extension) for use with mod_nss. This involves converting the cert and key into a transportable file based on the PKCS #12 standard, then using an NSS utility to load it into your NSS database.

Here’s how:

% openssl pkcs12 -export -in cert.pem -inkey key.pem -out server.p12 -name "Server-Cert" -passout pass:foo

% certutil -N -d /path/to/database

% pk12util -i server.p12 -d /path/to/database -W foo

This loads your server certificate and private key and gives the certificate a “nickname”, a short name that is easier to reference in configuration files than the certificate subject. In this case you would set your NSSNickname value to “Server-Cert”. Note that foo is only a placeholder: pick a strong transport password, and prefer passing it through a file (openssl's -passout file:... and pk12util's -w) rather than on the command line, where other users can read it from the process list. Delete the .p12 file once it has been imported; it contains the private key.

You will also need to import the CA certificate that issued the server certificate. In this case you don’t need the key of the CA, just the public certificate. Assuming you have the ASCII representation of it (e.g. a PEM file) you can load it as follows:

% certutil -d /path/to/database -A -n "My Local CA" -t "CT,," -a -i /path/to/ca.pem

certutil and pk12util are both NSS utilities.
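The conversion above as one complete script, added here as an example and not taken from the mod_nss page or project. It assumes openssl, certutil and pk12util are on PATH; all paths, the Server-Cert nickname and the demo_import helper (which builds a throwaway CA and server certificate with openssl so the script can run offline) are illustrative. It keeps both passwords in files rather than on the command line, creates the database only if it does not already exist, falls back to the older PKCS#12 encryption when pk12util rejects OpenSSL's current default, and ends with the certutil -V check that the chain is usable for an SSL server.

```shell
#!/bin/sh
# Added example, not part of the mod_nss page or project: move an OpenSSL
# PEM certificate and key into an NSS database through PKCS#12, import the
# issuing CA, and verify the chain for SSL server use. Needs openssl,
# certutil and pk12util on PATH. All paths and nicknames are illustrative.
set -eu

# import_pem_into_nssdb CERT.pem KEY.pem CA.pem NICKNAME DBDIR DBPWFILE
#   DBPWFILE: one line holding the NSS database password, mode 0600. This is
#   the value you later put in mod_nss's password file (internal:<password>).
import_pem_into_nssdb() {
    cert=$1 key=$2 cacert=$3 nick=$4 db=$5 dbpw=$6
    work=$(mktemp -d)
    umask 077
    # Transport password for the .p12 lives in a file, never on the command
    # line, so it does not show up in ps output or shell history.
    head -c 24 /dev/urandom | base64 > "$work/p12.pw"

    # Create the database only if it does not exist yet (cert8.db: old dbm
    # format, cert9.db: sql format). Fix ownership for the httpd user later.
    mkdir -p "$db"
    if [ ! -f "$db/cert8.db" ] && [ ! -f "$db/cert9.db" ]; then
        certutil -N -d "$db" -f "$dbpw"
    fi

    # First try OpenSSL's current default PKCS#12 encryption.
    openssl pkcs12 -export -in "$cert" -inkey "$key" -name "$nick" \
        -out "$work/server.p12" -passout "file:$work/p12.pw"
    if ! pk12util -i "$work/server.p12" -d "$db" -w "$work/p12.pw" -k "$dbpw"; then
        # Some older pk12util releases cannot read the AES/PBKDF2 bags that
        # OpenSSL 3 writes by default. Re-export with the legacy PBE every
        # NSS release understands; the weaker file is deleted below.
        openssl pkcs12 -export -in "$cert" -inkey "$key" -name "$nick" \
            -out "$work/server.p12" -passout "file:$work/p12.pw" \
            -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
        pk12util -i "$work/server.p12" -d "$db" -w "$work/p12.pw" -k "$dbpw"
    fi

    # The issuer needs only its public certificate. "C,," trusts it to issue
    # server certificates; add T if it also issues your client certificates.
    certutil -A -d "$db" -n "$nick-CA" -t "C,," -a -i "$cacert" -f "$dbpw"

    # Check the chain the way mod_nss will use it (-u V = SSL server usage).
    certutil -V -d "$db" -n "$nick" -u V -f "$dbpw"
    rm -rf "$work"
}

# demo_import DBDIR: constructed test data. Builds a throwaway CA and a server
# certificate with openssl (self-contained req config, so the system
# openssl.cnf is not needed), then imports them with the function above.
demo_import() {
    db=$1
    d=$(mktemp -d)
    umask 077
    head -c 24 /dev/urandom | base64 > "$d/db.pw"
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    cat > "$d/srv.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
EOF
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 2 -keyout "$d/ca.key" -out "$d/ca.pem"
    openssl req -new -config "$d/ca.cnf" -subj "/CN=www.example.com" \
        -newkey rsa:2048 -nodes -keyout "$d/key.pem" -out "$d/server.csr"
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$d/srv.ext" -out "$d/cert.pem"
    import_pem_into_nssdb "$d/cert.pem" "$d/key.pem" "$d/ca.pem" \
        Server-Cert "$db" "$d/db.pw"
    certutil -L -d "$db"   # expect Server-Cert u,u,u and Server-Cert-CA C,,
    printf 'database password kept in %s\n' "$d/db.pw"
}

case "${1:-}" in
    demo) demo_import "${2:-./nssdb}" ;;
esac
```

Run it as `sh import.sh demo /tmp/nssdb` to see the listing; for a real server call import_pem_into_nssdb with your existing cert.pem, key.pem and CA file, point NSSCertificateDatabase at the directory, set NSSNickname to the nickname you chose, and copy the database password into the NSSPassPhraseDialog file.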

Why is SSL 2 disabled by default?

SSLv2 has been obsolete since SSLv3 was introduced in 1996, but it was kept around because of export restrictions and because many sites still used it. Netcraft reported that usage was down considerably, so there was no big hue and cry for it on the server side.

On the client side both Mozilla and IE7 called for dropping support for the protocol. By not allowing it by default in mod_nss we are forcing those who want to use it to reconsider. The question has since been settled: RFC 6176 (2011) prohibits SSLv2 outright and RFC 7568 (2015) does the same for SSLv3, so a current deployment should leave both off and enable only TLS.

How do I use the NSS command-line utilities?

Documentation on the NSS tools is available at http://www.mozilla.org/projects/security/pki/nss/tools/

Here are some common usages and some basic rules of thumb:

The possible values for trust are:

p    Valid peer
P    Trusted peer (implies p)
c    Valid CA
T    Trusted CA to issue client certificates (implies c)
C    Trusted CA to issue server certificates (SSL only)
      (implies c)
u    Certificate can be used for authentication or signing
w    Send warning (use with other attributes to inclu
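An added example, not from the page or the NSS project, that decodes trust strings according to the table above and audits certutil -L output for CAs your server would trust. A trust string has three comma-separated fields (SSL, email, object signing), so "CT,," means trusted for server and client certificate issuance in the SSL context only. The certutil -L listing embedded below is constructed sample data and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the mod_nss page or project: decode NSS trust
# strings ("CT,," etc.) and audit `certutil -L` output for CAs trusted in the
# SSL context. Pure POSIX sh plus awk; the certutil listing below is
# constructed sample data, not captured from a real database.
set -eu

# A trust string has three comma-separated fields: SSL, email (S/MIME) and
# object signing. trust_valid FLAGS returns 0 if FLAGS is well-formed.
trust_valid() {
    printf '%s\n' "$1" | grep -Eq '^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$'
}

# trust_describe FLAGS prints one line per context with the meaning of each
# flag letter (the table above, in plain words).
trust_describe() {
    trust_valid "$1" || { printf 'malformed trust string: %s\n' "$1" >&2; return 1; }
    i=1
    for ctx in SSL email "object signing"; do
        rest=$(printf '%s\n' "$1" | cut -d, -f"$i")
        desc=""
        while [ -n "$rest" ]; do
            c=${rest%"${rest#?}"}   # first character
            rest=${rest#?}
            case $c in
                p) desc="$desc, valid peer" ;;
                P) desc="$desc, trusted peer" ;;
                c) desc="$desc, valid CA" ;;
                C) desc="$desc, trusted CA for server certs" ;;
                T) desc="$desc, trusted CA for client certs" ;;
                u) desc="$desc, has private key (user cert)" ;;
                w) desc="$desc, warn on use" ;;
            esac
        done
        desc=${desc#, }
        printf '%s: %s\n' "$ctx" "${desc:-(none)}"
        i=$((i + 1))
    done
}

# list_trusted_cas reads `certutil -L` output on stdin and prints every entry
# whose SSL field carries C (may issue server certs) or T (may issue client
# certs, which matters with NSSVerifyClient). Header lines never match the
# trust-string pattern, so they are skipped automatically. An entry you do
# not recognise here is a CA your server would accept.
list_trusted_cas() {
    awk '$NF ~ /^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$/ {
            split($NF, f, ",")
            if (f[1] ~ /[CT]/) {
                ssl = f[1]; $NF = ""; sub(/[ \t]+$/, "")
                print $0 " (SSL: " ssl ")"
            }
         }'
}

# Constructed sample of `certutil -L` output (not from a real database).
SAMPLE_CERTUTIL_L='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

My Local CA                                                  CT,,
Server-Cert                                                  u,u,u
Mail Only CA                                                 ,C,
Partner peer                                                 P,,
Client CA                                                    T,,'

# Usage: trust_describe "CT,,"   or   certutil -L -d /etc/httpd/alias | list_trusted_cas
```

Running `printf '%s\n' "$SAMPLE_CERTUTIL_L" | list_trusted_cas` reports "My Local CA" and "Client CA" only: the mail CA is trusted in the email context but not for SSL, and the peer entry and the server's own user certificate are not CAs at all.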

Create a new NSS database

% certutil -N -d /path/to/database/dir

List all the certificates in an NSS database

% certutil -L -d /path/to/database/dir

Add a CA certificate to an NSS database

% certutil -A -d /path/to/database/dir -n "nickname" -t "CT,," -a -i CAcert.txt

-a tells certutil that the input is ASCII (PEM) rather than binary DER. Use "C,," if the CA should only be trusted to issue server certificates and "T,," if it only issues client certificates.

Generate a new Certificate Signing Request (CSR)

% certutil -R -d /path/to/database/dir -s "certificate DN" -o output_file -g <keysize>

The keysize is the number of bits in the private key. certutil accepts 512-8192 bits and historically defaulted to 1024, which has been below the accepted minimum for RSA since 2013; pass -g 2048 or larger explicitly rather than relying on the default.

In a server certificate DN the common name should have the form CN=fully-qualified-hostname.

Historically a client compared the hostname in the URL with the CN in the certificate subject and warned the user if they did not match. Current browsers ignore the CN and require the hostname to appear as a dNSName entry in the subjectAltName extension (RFC 6125), so a CSR for a server certificate should request that extension as well; recent certutil releases take --extSAN dns:hostname for this.

Examples include:

Verify that a certificate is valid and trusted for SSL server use (-u V)

% certutil -V -u V -d /path/to/database/dir -n "nickname"

Load a PKCS#11 Module

% modutil -add "My Module Name" -libfile /path/to/library.so -dbdir /path/to/database/dir

This creates a module entry in secmod.db (or in pkcs11.txt for sql-format databases) which makes the module's slots and tokens available. Some common commands to use with this:

List all modules:

% modutil -list -dbdir /path/to/database/dir

List all certificates on all tokens:

% certutil -L -d /path/to/database/dir -h all
Last modified on 19 November 2017