Option |
Description |
--with-nss=[PATH] |
The file system path to the NSS
installation. The assumption is that this has the layout of: PATH/lib,
PATH/include, etc. |
--with-nss-inc=PATH |
The file system path to the NSS
include directory (e.g. /usr/local/include/nss3) |
--with-nss-lib=PATH |
The file system path to the NSS
lib directory (e.g. /usr/local/lib) |
--with-nspr=[PATH] |
The file system path of the NSPR installation. The assumption is that this has the layout of: PATH/lib, PATH/include, etc. |
--with-nspr-inc=PATH |
The file system path to the NSPR
include directory (e.g. /usr/local/include/nspr4) |
--with-nspr-lib=PATH |
The file system path to the NSPR
lib directory (e.g. /usr/local/lib) |
--with-apxs=[PATH] |
The location of the apxs binary
of the Apache you want to install the module into. |
--with-apr-config=[PATH] | The location of apr-config which
tells us where the APR include files and libraries are located |
--enable-ssl2 |
SSLv2 is disabled by default. |
--enable-ecc |
Enable Elliptical Curve
Cryptography. Disabled by default. |
% ./configure --with-apxs=/path/to/apxs/
--with-nspr=/path/to/nspr/ --with-nss=/path/to/nss/
% gmake
nss.conf
.
By default
this is installed during the installation process.ssl.conf
to ssl.conf.old
.
The assumption is that mod_nss is replacing mod_ssl. They can co-exist
as long as they are listening on separate ports.nss.conf
, is copied into
the Apache
configuration directory (as reported by apxs). You may need to make a
manual change to httpd.conf to load this file. If you have a Red
Hat-style Apache installation with a conf.d just move nss.conf there.
It will be automatically loaded. Otherwise you will need to add the
following line to httpd.conf (location relative to httpd.conf):Include conf/nss.conf
nss.conf
.
It is here that you will setup your VirtualServer entries to and
configure your SSL servers.gencert
, is included to automatically
generate a self-signed CA plus one server certificate. This is fine for
testing purposes but it is strongly recommended that a real server
certificate be obtained from a real CA before moving a mod_nss server
into production. Users should be expected to cancel any request to a
secure server signed by an unknown issuer.gencert
takes one argument, the path to the location of
the certificate database. A fair amount of output is generated so you
can follow what is going on. For the most part most don't need to
bother with the details.# mkdir /etc/httpd/nss
# ./gencert /etc/httpd/nss
#####################################################################
Generating new server certificate and key database. The password
is httptest
#####################################################################
#####################################################################
Generating self-signed client CA certificate
#####################################################################
Generating key. This may take a few moments...
[ Lots of output removed ]
/etc/httpd/nss/cert8.db
/etc/httpd/nss/key3db
/etc/httpd/nss/secmod.db
<IfDefine SSL>
so you do not need to use the
startssl argument with apachectl
. % apachectl start
Please enter password for "internal" token:
%
modutil -dbdir /path/to/database/directory -changepw "NSS Certificate
DB"
migrate,pl
, is included to help migrate an
existing mod_ssl configuration to work with mod_nss. There is one
optional argument, -c, that will try to convert your existing server
and CA certificates plus any certificate revocation lists (CRLs) into
an NSS certificate database.NSSPassPhraseDialog builtin
NSSPassPhraseHelper /path/to/nss_pcache
NSSCertificateDatabase /etc/httpd/conf/nss
NSSDBPrefix my-prefix-
You would then need: my-prefix-cert8.db, my-prefix-key3.db and secmod.db
In order to work with files with a prefix using the NSS command-line
tools use the -P flag.
NSSSessionCacheSize 10000
NSSSessionCacheTimeout 100
NSSSession3CacheTimeout 86400
builtin:
Combines the current system time, the
current process id
and a randomly choosen 128-byte extract of the process stack. This is
not a particularly strong source of entropy.file:/path/to/source:
Reads from the specified file.
If the number of bytes to read is specified it just reads that amount.
Be aware that some operating systems block on /dev/random if not enough
entropy is available. This means that the server will wait until that
/data is available to continue startup. These systems generally offer a
non-blocking device as well, /dev/urandom.exec:/path/to/program: Executes the given program and takes
the stdout of it as the entryop. If the bytes argument is included it
reads that many bytes, otherwise it reads until the program exits.
NSSRandomSeed startup builtin
NSSRandomSeed startup /dev/urandom 512
NSSRandomSeed startup /usr/bin/makerandom
NSSEngine on
NSSFIPS on
NSSOCSP on
+
to enable or -
to disable.Cipher Name |
NSS Cipher
definition |
Protocol |
des |
SSL_EN_DES_64_CBC_WITH_MD5 |
SSLv2 |
desede3 |
SSL_EN_DES_192_EDE3_CBC_WITH_MD5 |
SSLv2 |
rc2 |
SSL_EN_RC2_128_CBC_WITH_MD5 |
SSLv2 |
rc2export |
SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5 |
SSLv2 |
rc4 |
SSL_EN_RC4_128_WITH_MD5 |
SSLv2 |
rc4export |
SSL_EN_RC4_128_EXPORT40_WITH_MD5 |
SSLv2 |
rsa_3des_sha |
SSL_RSA_WITH_3DES_EDE_CBC_SHA |
SSLv3/TLSv1 |
rsa_des_sha |
SSL_RSA_WITH_DES_CBC_SHA |
SSLv3/TLSv1 |
rsa_null_md5 |
SSL_RSA_WITH_NULL_MD5 |
SSLv3/TLSv1 |
rsa_null_sha |
SSL_RSA_WITH_NULL_SHA |
SSLv3/TLSv1 |
rsa_rc2_40_md5 | SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 |
SSLv3/TLSv1 |
rsa_rc4_128_md5 | SSL_RSA_WITH_RC4_128_MD5 |
SSLv3/TLSv1 |
rsa_rc4_128_sha | SSL_RSA_WITH_RC4_128_SHA |
SSLv3/TLSv1 |
rsa_rc4_40_md5 | SSL_RSA_EXPORT_WITH_RC4_40_MD5 |
SSLv3/TLSv1 |
fortezza |
SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA |
SSLv3/TLSv1 |
fortezza_rc4_128_sha |
SSL_FORTEZZA_DMS_WITH_RC4_128_SHA |
SSLv3/TLSv1 |
fortezza_null |
SSL_FORTEZZA_DMS_WITH_NULL_SHA |
SSLv3/TLSv1 |
fips_des_sha |
SSL_RSA_FIPS_WITH_DES_CBC_SHA |
SSLv3/TLSv1 |
fips_3des_sha |
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA |
SSLv3/TLSv1 |
rsa_des_56_sha | TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA |
SSL3/TLSv1 |
rsa_rc4_56_sha | TLS_RSA_EXPORT1024_WITH_RC4_56_SHA |
SSLv3/TLSv1 |
rsa_aes_128_sha |
TLS_RSA_WITH_AES_128_CBC_SHA |
SSLv3/TLSv1 |
rsa_aes_256_sha |
TLS_RSA_WITH_AES_256_CBC_SHA |
SSLv3/TLSv1 |
Cipher Name |
NSS Cipher
Definition |
Protocol |
ecdh_ecdsa_null_sha | TLS_ECDH_ECDSA_WITH_NULL_SHA | TLSv1 |
ecdh_ecdsa_rc4_128_sha | TLS_ECDH_ECDSA_WITH_RC4_128_SHA | TLSv1 |
ecdh_ecdsa_3des_sha | TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA | TLSv1 |
ecdh_ecdsa_aes_128_sha | TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA | TLSv1 |
ecdh_ecdsa_aes_256_sha | TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA | TLSv1 |
ecdhe_ecdsa_null_sha | TLS_ECDHE_ECDSA_WITH_NULL_SHA | TLSv1 |
ecdhe_ecdsa_rc4_128_sha | TLS_ECDHE_ECDSA_WITH_RC4_128_SHA | TLSv1 |
ecdhe_ecdsa_3des_sha | TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA | TLSv1 |
ecdhe_ecdsa_aes_128_sha | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | TLSv1 |
ecdhe_ecdsa_aes_256_sha | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | TLSv1 |
ecdh_rsa_null_sha | TLS_ECDH_RSA_WITH_NULL_SHA | TLSv1 |
ecdh_rsa_128_sha | TLS_ECDH_RSA_WITH_RC4_128_SHA | TLSv1 |
ecdh_rsa_3des_sha | TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA | TLSv1 |
ecdh_rsa_aes_128_sha | TLS_ECDH_RSA_WITH_AES_128_CBC_SHA | TLSv1 |
ecdh_rsa_aes_256_sha | TLS_ECDH_RSA_WITH_AES_256_CBC_SHA | TLSv1 |
echde_rsa_null | TLS_ECDHE_RSA_WITH_NULL_SHA | TLSv1 |
ecdhe_rsa_rc4_128_sha | TLS_ECDHE_RSA_WITH_RC4_128_SHA | TLSv1 |
ecdhe_rsa_3des_sha | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | TLSv1 |
ecdhe_rsa_aes_128_sha | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | TLSv1 |
ecdhe_rsa_aes_256_sha | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | TLSv1 |
ecdh_anon_null_sha | TLS_ECDH_anon_WITH_NULL_SHA | TLSv1 |
ecdh_anon_rc4_128sha | TLS_ECDH_anon_WITH_RC4_128_SHA | TLSv1 |
ecdh_anon_3des_sha | TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA | TLSv1 |
ecdh_anon_aes_128_sha | TLS_ECDH_anon_WITH_AES_128_CBC_SHA | TLSv1 |
ecdh_anon_aes_256_sha | TLS_ECDH_anon_WITH_AES_256_CBC_SHA | TLSv1 |
NSSCipherSuite
+rsa_3des_sha,-rsa_des_56_sha,+rsa_des_sha,-rsa_null_md5,-rsa_null_sha,-rsa_rc2_40_md5,+rsa_rc4_128_md5,-rsa_rc4_128_sha,
-rsa_rc4_40_md5,-rsa_rc4_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,
+fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha
SSLv3
TLSv1
All
NSSProtocol SSLv3,TLSv1
NSSNickname Server-Cert
NSSNickname "This contains a space"
NOTE: There is nothing magical about the string "Server-Cert." A
nickname can be anything. Historically this was Server-Cert in the
Netscape server products that used NSS.
NSSECCNicknameNSSNickname Server-Cert-ECC
NSSEnforceValidCerts on
none
: no client certificate
is required or requestedrequire
: a valid client
certificate is required for the connection to continue.option_no_ca
is not supported.NSSVerifyDepth
directive. NSS always verifies
the entire certificate chain.NSSVerifyClient require
NSSUserName SSL_CLIENT_S_DN_UID
SSL_CLIENT_CERT
, SSL_CLIENT_CERT_CHAIN[0..n]
and
SSL_SERVER_CERT
. This provides additional
certificate information on the client and server to the environment,
plus every CA certificate in the client certificate.NSSOptions +FakeBasicAuth
<Files ~ "\.(cgi|shtml)$">
NSSOptions +StdEnvVars
<Files>
NSSRequireSSL
NSSRequire
NSSProxyEngine on
NSSProxyProtocol SSLv3
NSSProxyCipherSuite
+rsa_3des_sha,-rsa_null_md5,-rsa_null_sha,+rsa_rc4_128_md5
NSSProxyNickname beta
Name |
Description |
HTTPS |
Set to "on" if HTTPS is being
used |
Name |
Description |
SSL_VERSION_INTERFACE |
The version of mod_nss the
server is running |
SSL_VERSION_LIBRARY |
The version of NSS that mod_nss
was compiled against. |
SSL_PROTOCOL |
SSLv2, SSLv3 or TLSv1 |
SSL_CIPHER |
The cipher the connection is
using |
SSL_CIPHER_EXPORT |
true if the cipher is an export
cipher, false otherwise |
SSL_CIPHER_USEKEYSIZE |
Number if bits the cipher is
using |
SSL_CIPHER_ALGKEYSIZE |
Max number of bits possible in
the cipher |
SSL_CLIENT_VERIFY |
NONE if no client auth, SUCCESS
or FAILED if SSLVerifyCert is set |
SSL_CLIENT_V_START |
Client certificate validity
start time |
SSL_CLIENT_V_END |
Client certificate validity end time |
SSL_CLIENT_V_REMAIN |
Number of days that the
certificate is valid |
SSL_CLIENT_M_VERSION |
X.509 version of the client
certificiate |
SSL_CLIENT_M_SERIAL |
Serial number of the client
certificate |
SSL_CLIENT_A_KEY |
Algorithm used for client key |
SSL_CLIENT_A_SIG |
Algorithm used for the signature of the client key |
SSL_CLIENT_S_DN |
Distinguished Name (DN) of the client certificate |
SSL_CLIENT_S_DN_[C,ST,L,O,OU,CN,T,I,G,S,D,UID,Email] |
Components of the client
certificate. Only those that exist in the certificate are created. |
SSL_CLIENT_I_DN |
Distinguished Name (DN) of the
client certificate issuer |
SSL_CLIENT_I_DN_[C,ST,L,O,OU,CN,T,I,G,S,D,UID,Email] |
Components of the client issuer certificate. Only those that exist in the certificate are created |
SSL_SERVER_DN |
Distinguished Name (DN) of the
server certificate |
SSL_SERVER_DN_[C,ST,L,O,OU,CN,T,I,G,S,D,UID,Email] |
Components of the server certificate. Only those that exist in the certificate are created |
SSL_SERVER_I_DN_[C,ST,L,O,OU,CN,T,I,G,S,D,UID,Email] |
Components of the server issuer certificate. Only those that exist in the certificate are created |
SSL_SERVER_M_VERSION |
X.509 version of the server certificiate |
SSL_SERVER_M_SERIAL |
Serial number of the server certificate |
SSL_SERVER_V_START |
Server certificate validity start time |
SSL_SERVER_V_END |
Server certificate validity end time |
SSL_SERVER_A_KEY |
Algorithm used for server key |
SSL_SERVER_A_SIG |
Algorithm used for the signature of the server key |
SSL_SESSION_ID |
SSL Session ID |
Name |
Description |
SSL_SERVER_CERT |
The server certificate in PEM
format. |
SSL_CLIENT_CERT |
The client certificate in PEM
format (if available) |
SSL_CLIENT_CERT_CHAIN_[0..n] |
Each certificate in the client
certificate chain in PEM format (including the client certificate
itself). |
Tool |
Description |
certutil |
Generate Certificate Signing
Requests, install certificates and manage certificate trust flags. |
crlutil |
Manage certificate revocation lists (CRLs). |
modutil |
Manage the database of PKCS11 modules (secmod.db). Add modules and modify the properties of existing modules (such as whether a module is the default provider of some crypto service). |
pk12util | Import and export keys and certificates in PKCS12 format. |
Description |
Command |
Create a Database |
certutil -N -d [path] |
List all Certificates |
certutil -L -d [path] |
Extract a cert (Server-Cert) in
ASCII |
certutil -L -n Server-Cert -d
[path] -a |
Extract a cert and key
(Server-Cert) in PKCS#12 |
pk12util -o server.p12 -n
Server-Cert -d [path] |
Import a cert and key
(Import-Me) from PKCS#12 |
pk12util -i server.p12 -n
Import-Me -d [path] |
% openssl pkcs12 -export -in /path/to/certificate -inkey
/path/to/keyfile -out server.p12 -name "Server-Cert" -passout pass:foo
% pk12util -i server.p12 -d [path] -W foo
% certutil -A -n "myca" -t "CT,," -d [path] -a -i
/path/to/cacertificate
% openssl crl -in /path/to/crlfile -out /tmp/crl.tmp -inform PEM
-outform DER
% crlutil -I -t 1 -d [path] -i /tmp/crl.tmp
% certutil -V -n Server-Cert -u V -d .
certutil: certificate is valid
1038,1039c1038,1039
< APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
< APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
---
> APR_DECLARE_OPTIONAL_FN(int, nss_proxy_enable, (conn_rec *));
> APR_DECLARE_OPTIONAL_FN(int, nss_engine_disable, (conn_rec *));
1041,1042c1041,1042
< static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *proxy_ssl_enable =
NULL;
< static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *proxy_ssl_disable
= NULL;
---
> static APR_OPTIONAL_FN_TYPE(nss_proxy_enable) *proxy_ssl_enable =
NULL;
> static APR_OPTIONAL_FN_TYPE(nss_engine_disable) *proxy_ssl_disable
= NULL;
1069,1070c1069,1070
< proxy_ssl_enable =
APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable);
< proxy_ssl_disable =
APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);
---
> proxy_ssl_enable =
APR_RETRIEVE_OPTIONAL_FN(nss_proxy_enable);
> proxy_ssl_disable =
APR_RETRIEVE_OPTIONAL_FN(nss_engine_disable);