Hi All,
I'm very interested in this thread. I have two patches I'd like to toss
into the ring as incentive for more discussion on this subject. They
both go the OpenSSL ENGINE + engine_pkcs11 route that Dan has described.
They are generally applicable and are being used to integrate with the
On May 29, 2007, at 11:36 PM, Apache Devel wrote:
I'd like to start a discussion about Hardware Security Module (HSM)
support for mod_ssl. You may know that OpenSSL supports different HW
engines. There is also support for PKCS#11 devices, a standard for
communication with crypto devices -
What was the goal to derive from mod_ssl?
Is NSS better than OpenSSL? If so, why not implement everything from
mod_ssl with NSS and stick to it?
Was the goal to provide new features, like OCSP? If so, why not
implement them in mod_ssl?
(Btw, a patch to add OCSP is waiting for approval
Dear customer,
Thank you for your message. Due to the extraordinarily large number of
e-mails that we are currently receiving, it might take us up to several
days to reply to your request. We thank you for your patience and understanding,
and will get back to you as soon as possible.
With kind
Marc Stern wrote:
What was the goal to derive from mod_ssl?
The goal was to make an Apache SSL module using NSS as the crypto
engine. I saw no point in re-inventing the wheel so used mod_ssl as a
starting point.
Is NSS better than OpenSSL?
Both serve their purposes, choice is good.
What are the advantages/disadvantages between mod_ssl and mod_nss?
Marc
Marc Stern wrote:
What are the advantages/disadvantages between mod_ssl and mod_nss?
Marc
mod_ssl has the advantage that it is in wide use and has had many
eyeballs on it. It is feature-rich and performs well.
mod_nss is a derivative of the mod_ssl from Apache 2.0.52 (plus a few
updates
Hello,
I'd like to start a discussion about Hardware Security Module (HSM)
support for mod_ssl. You may know that OpenSSL supports different HW
engines. There is also support for PKCS#11 devices, a standard for
communication with crypto devices - e.g. HSMs or Smartcards. Some HSM vendors
That would definitely be a good thing.
More and more servers are using an HSM, and we can only suggest to our
customers who want to do so to use a commercial server like IIS.
Marc
Marc Stern wrote:
That would definitely be a good thing.
More and more servers are using an HSM, and we can only suggest to our
customers who want to do so to use a commercial server like IIS.
Marc
mod_nss uses NSS as the crypto library instead of OpenSSL and supports
PKCS#11 drivers