What is the difference between mod_nss and mod_ssl?

I am setting up an Apache Subversion server to use secure certificates for Kerberos authentication with an AD domain.

I have successfully got it to work with mod_ssl using the ssl.conf config below, but not with mod_nss. For mod_nss the configuration I followed is mainly from this article: https://access.redhat.com/articles/1467293. In case the link for mod_nss is inaccessible, I have included the salient mod_nss conf lines below as well.

So I was just wondering whether there are any guidelines or pros/cons for using either mod_ssl or mod_nss. Bonus if I can understand what was wrong with mod_nss. I was getting protocol errors on the client.

ssl.conf:

LoadModule ssl_module modules/mod_ssl.so
Listen 443
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

<VirtualHost _default_:443>

ErrorLog logs/svn_ssl_error_log
TransferLog logs/svn_ssl_access_log
LogLevel debug
SSLEngine on

SSLProtocol TLSv1.1 TLSv1.2

SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES

SSLCertificateFile /etc/pki/tls/certs/localhost.crt

SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

<Location /App_User>
  DAV svn
  SVNPath "/opt/user/App_User"
  AuthType Kerberos
  AuthName Kerberos
  KrbMethodNegotiate Off
  KrbMethodK5Passwd On
  KrbServiceName Any
  KrbAuthRealms SRV01.COMPANY.COM
  KrbSaveCredentials on
  KrbLocalUserMapping on
  KrbVerifyKDC Off
  AuthzSVNAccessFile /opt/user/access.txt
  require valid-user
</Location>

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>   

nss.conf:

NSSEngine on
# mod_nss reads the token password from this file instead of prompting
NSSPassPhraseDialog file:/etc/httpd/alias/pin.txt
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
# One cipher list (the original had the directive twice, the first copy ending in a stray comma)
NSSCipherSuite +ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha_384,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_128_sha_256,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+ecdhe_rsa_aes_256_sha_384,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha,+rsa_rc4_128_sha
# Directory holding the NSS certificate/key database
NSSCertificateDatabase /etc/httpd/alias
# The name needs to match the name in the db
NSSNickname rhel7-64.example.com

I am running Apache/2.2.15 on Red Hat 6.9.


Solution 1:

mod_ssl uses the OpenSSL library to implement TLS; mod_nss uses the NSS library instead. They are mutually exclusive.

mod_nss is rarely used. In fact, NSS is hardly used anywhere other than the Mozilla applications it originated with (like Firefox and Thunderbird, nowadays).

Unless you have very specific and unusual requirements which force the use of mod_nss, there is no reason to use it.

Solution 2:

They're workalikes, with similar configuration and almost identical capabilities. Use whichever one works best for you.

As duskwuff says, mod_ssl is much more widely used, so you'll find more help and it might be easier for others to understand your configuration.

Personally I like the way mod_nss manages certificates better. It keeps them in a database file, and uses certutil and pk12util to manage them. certutil can easily show you a certificate chain and validate it from the certificates in your database, so you know whether the chain is valid before you start the service. OpenSSL still doesn't have any easy way to do that.
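To make the chain-validation point from the answer above concrete, here is an added example (my own script, not the answerer's code and not from the Red Hat article). It builds a throwaway root -> intermediate -> server PKI with OpenSSL, then validates the server certificate's chain both ways: with openssl verify against loose PEM files (the mod_ssl world), and with certutil -V against an NSS database of the kind NSSCertificateDatabase points at (the mod_nss world). The hostname svn.example.test, the nickname svn-server, the pin values and the temp directory are assumptions for the demo. It needs openssl; the NSS half needs certutil and pk12util (the nss-tools package) and is skipped if they are missing. The password files here are in certutil's one-line format, not the token:password lines mod_nss reads from pin.txt.

```sh
#!/bin/sh
# Added example: validate a server certificate chain with OpenSSL and with NSS tools.
# Assumed names: svn.example.test (server), svn-server (NSS nickname), demo pins.
set -e

# Create root CA -> intermediate CA -> server cert under directory $1.
make_test_pki() {
  d="$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:svn.example.test\n' > "$d/server.ext"
  # Root: self-signed with explicit CA extensions (no dependence on openssl.cnf)
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
      -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
      -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  # Intermediate, signed by the root
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
      -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
      -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
  # Server (leaf), signed by the intermediate
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=svn.example.test" \
      -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
      -CAcreateserial -days 30 -extfile "$d/server.ext" -out "$d/server.pem" 2>/dev/null
}

# mod_ssl side: OpenSSL only validates the leaf if you hand it the intermediate
# yourself (-untrusted); nothing in the PEM files ties them together.
openssl_verify_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" "$1/server.pem"
}
openssl_verify_without_intermediate() {
  openssl verify -CAfile "$1/root.pem" "$1/server.pem"
}

nss_tools_present() {
  command -v certutil >/dev/null 2>&1 && command -v pk12util >/dev/null 2>&1
}

# mod_nss side: everything lives in one NSS database. Import the root as a trusted
# CA and the server key+cert from a PKCS#12 bundle. The intermediate is deliberately
# left out so certutil -V can show the incomplete chain.
nss_build_db() {
  d="$1"; db="$d/nssdb"
  rm -rf "$db"; mkdir "$db"
  printf 'demo-db-pin\n' > "$d/dbpw.txt"    # NSS DB password, certutil -f format
  printf 'demo-p12-pin\n' > "$d/p12pw.txt"  # PKCS#12 password
  certutil -N -d "$db" -f "$d/dbpw.txt"
  certutil -A -d "$db" -f "$d/dbpw.txt" -n "Demo Root CA" -t "CT,," -a -i "$d/root.pem"
  # SHA1/3DES PBE keeps the bundle readable by older pk12util builds
  openssl pkcs12 -export -inkey "$d/server.key" -in "$d/server.pem" -name svn-server \
      -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
      -passout "file:$d/p12pw.txt" -out "$d/server.p12"
  pk12util -i "$d/server.p12" -d "$db" -k "$d/dbpw.txt" -w "$d/p12pw.txt"
}
nss_add_intermediate() {
  certutil -A -d "$1/nssdb" -f "$1/dbpw.txt" -n "Demo Intermediate CA" -t ",," -a -i "$1/inter.pem"
}
# -u V: validate for the SSL-server usage; -e: also verify the signatures
nss_verify_server() {
  certutil -V -d "$1/nssdb" -f "$1/dbpw.txt" -n svn-server -u V -e
}

main() {
  w="$(mktemp -d)"
  make_test_pki "$w"
  echo "openssl verify with the intermediate supplied:"
  openssl_verify_chain "$w"
  echo "openssl verify without the intermediate (expected to fail):"
  openssl_verify_without_intermediate "$w" || true
  if nss_tools_present; then
    nss_build_db "$w"
    echo "certutil -V before the intermediate is in the DB (expected to fail):"
    nss_verify_server "$w" || true
    nss_add_intermediate "$w"
    echo "certutil -V after importing the intermediate:"
    nss_verify_server "$w"
    certutil -O -d "$w/nssdb" -f "$w/dbpw.txt" -n svn-server   # print the chain it built
  else
    echo "certutil/pk12util not installed (nss-tools); skipping the NSS half"
  fi
  rm -rf "$w"
}
main
```

The second certutil -V run is the pre-start check the answer describes: it succeeds only once every link of the chain is in the database, whereas openssl verify needs the intermediate passed on the command line every time. The -n value is what NSSNickname must match ("The name needs to match the name in the db" in the nss.conf above); certutil -L -d /etc/httpd/alias lists the nicknames an existing mod_nss database knows about.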