I got yer crypto right here

I am tremendously excited to see that the boys at RHAT have put together mod_nss, a module that uses Mozilla’s NSS to provide SSL services to Apache. Woot!

I don’t know why there isn’t a parade over this, honestly.

one comment to “I got yer crypto right here”

  1. entered 20 September 2005 @ 7:29 pm

    Is there any parade-worthy benefit to folks not using NSS-enabled technology currently?

    Cluelessly yours,

    –david

  2. Remy
    entered 21 September 2005 @ 12:58 am

    Ok, what benefits are there to using NSS over OpenSSL, which has been tested and known to be efficient/reliable in heavily multi-threaded apps? And I’m not sure how much community review has gone into testing NSS for security vulnerabilities. Perhaps you can elaborate on this.

  3. i5mast
    entered 21 September 2005 @ 11:07 am

    NSS is the granddaddy implementation of SSL. Remember that SSL was invented at Netscape. I think it is the most widely tested SSL implementation.

  4. entered 21 September 2005 @ 12:02 pm

    As i5mast mentioned, NSS is a descendant of the original SSL libraries. It’s used in products from Sun, Red Hat, Mozilla and others. Here’s a good overview of NSS: http://www.mozilla.org/projects/security/pki/nss/overview.html

    In terms of review, NSS has also undergone FIPS 140 validation (a U.S. government standard) conducted by a 3rd party testing lab. See http://www.mozilla.org/projects/security/pki/nss/fips/ We are refreshing our FIPS 140 validation, and are posting all of our working documents on the web. That way if another vendor wishes to obtain FIPS 140 validation of NSS for a different platform, or for a different release of NSS, they may do so at a much reduced cost (it’s very expensive in terms of time, and money). See http://wiki.mozilla.org/FIPS_Validation

    Since we maintain the NSS crypto module of Mozilla, several Red Hat products, etc. it’s easier for us to also have a version of the crypto libraries that we know and maintain. It’s not going to be right for everyone, and it’s still a very early release. But we thought we’d contribute it and invite people to help build it out, to inspect the code, test it, or contribute in whatever way they see fit.

    -Bob Lord (Pointy haired engineering director from Red Hat)

  5. Remy
    entered 21 September 2005 @ 9:04 pm

    @i5mast:

    > I think it is the most widely tested SSL implementation.

    I can’t agree with you there. It has been around for longer, but it is not the most widely used/scrutinized SSL library.

    @Bob Lord:

    I am not doubting any of what you are saying. I commend Netscape for inventing SSL. My point was that OpenSSL has so far been the only SSL/TLS solution for Apache, and known to be of high quality. What benefit would there be in my switching to NSS from the widely used OpenSSL module? What advantages are offered to warrant a parade?

    It seems to me that with wider adoption of NSS, we will be flooded with new advisories from security researchers, with administrators having to scramble to update mod_nss on a regular basis.