31.7 Setting Up a Secure Web Server with NSS

The mod_nss module provides strong encryption using the Transport Layer Security (TLS) protocol versions 1.1 and 1.2, which are not available when using Apache with mod_ssl.

SSL/TLS support in the apache2 package is normally provided by mod_ssl, the Apache module that provides SSL/TLS using the openssl cryptographic library. The version of the openssl library shipped with SUSE Linux Enterprise Server 11 SP4 supports TLS version 1.0 only. TLS 1.1 and 1.2 support is only available in openssl versions that are not compatible with the large variety of packages contained in SLE 11 SP4. The alternative is to use the Mozilla Network Security Services (NSS) library provided by the mozilla-nss package.

NOTE: Support for SSLv2

SSLv2 support is not provided by mod_nss. If you require the SSLv2 protocol, you need to use mod_ssl.

Both mod_ssl and mod_nss can be initialized at the same time, but the protocol handlers (SSLEngine on for mod_ssl and NSSEngine on for mod_nss) cannot both be active in the same scope, whether at global scope or within the same VirtualHost configuration directive block.

If only one VirtualHost section has the directive NSSEngine set to on, it takes precedence over all other VirtualHost declarations for the port that Apache listens on, including those that have SSLEngine set to on in their context. Simultaneous operation of both modules for different VirtualHosts on the same IP address and port is not possible. If you need support for encrypted connections using both mod_nss and mod_ssl, consider using more than one IP address and configuring each of the server's cryptographic modules to be bound to its own IP address. If you do not need both cryptographic modules simultaneously, it is recommended to decide on one and deactivate the other.
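As an added check that is not part of the SUSE documentation or of the apache2 packages, the following POSIX shell function scans an Apache configuration file (path passed as its argument) and reports every scope, global or a VirtualHost address:port, in which both SSLEngine on and NSSEngine on appear; two VirtualHost blocks with the same literal address are treated as one scope. The sample configuration it runs against is constructed.

```shell
# Added example (not from the SUSE documentation or the apache2 packages): find scopes
# where SSLEngine on and NSSEngine on are both configured, which mod_ssl and mod_nss
# cannot serve simultaneously. Two VirtualHost blocks with the same address:port are
# treated as one scope; directives outside any VirtualHost belong to scope "global".
check_engine_conflicts() {
    conflicts=$(awk '
        BEGIN { scope = "global" }
        { line = $0; sub(/#.*/, "", line); low = tolower(line) }   # comments are ignored
        low ~ /^[ \t]*<virtualhost[ \t]/ {                        # enter a VirtualHost scope
            scope = low
            sub(/^[ \t]*<virtualhost[ \t]+/, "", scope)
            sub(/[ \t]*>.*$/, "", scope)
            next
        }
        low ~ /^[ \t]*<\/virtualhost/ { scope = "global"; next }   # back to global scope
        low ~ /^[ \t]*sslengine[ \t]+on([ \t]|$)/ { ssl[scope] = 1 }
        low ~ /^[ \t]*nssengine[ \t]+on([ \t]|$)/ { nss[scope] = 1 }
        END {
            for (s in ssl) if (s in nss)
                print "conflict: SSLEngine on and NSSEngine on share scope " s
        }' "$1" | sort)
    [ -z "$conflicts" ] && return 0          # exit status 0: configuration is consistent
    printf '%s\n' "$conflicts"
    return 1                                  # exit status 1: at least one conflict
}

# Constructed sample configuration (not a real server's file) that mixes both modules
# on *:443 and, as the documentation recommends, separates them by IP address elsewhere.
demo_config() {
    cat <<'EOF'
Listen 443
<VirtualHost *:443>
    NSSEngine on
</VirtualHost>
<VirtualHost *:443>
    # Loses to the NSSEngine VirtualHost above, which has precedence on this port
    SSLEngine on
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    NSSEngine on
</VirtualHost>
<VirtualHost 192.0.2.11:443>
    SSLEngine on
</VirtualHost>
EOF
}

cfg=$(mktemp) && demo_config > "$cfg"
check_engine_conflicts "$cfg" || echo "exit status: $?"
rm -f "$cfg"
```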

Because mod_nss uses a database format for the server and CA certificates and the private key, existing mod_ssl-based certificates need to be converted for use with mod_nss. The package apache2-mod_nss contains the Perl script /usr/sbin/mod_nss_migrate.pl for this task. The script creates a new database.

To list the certificates contained in the NSS database, use the following command:

certutil -d /etc/apache2/mod_nss.d -L

For more information about the certutil NSS database management utility, use certutil --help.

The default configuration file that comes with the mod_nss package is /etc/apache2/conf.d/mod_nss.conf. Read the comments in the file for more information.