>NSS vs OPENSSL

By | June 12, 2013

>

We have more than one options for implementation of TLS, SSL and PKCS in Linux. Network Security Services(NSS) and OpenSSL are two common options available in Linux.

NSS provides a complete open source implementation of cryptographic libraries. NSS is available both under the Mozilla Public License and GPL . NSS is used by many application and specially by products of Netscape. NSS support TLS, SSL and PKCS including PKCS#11. 

OpenSSL is “dual licensed” under the OpenSSL License and the SSLeay License. OpenSSL License is Apache License. OpenSSL is default crypto library for many applications. 

In our Linux environment, We have choice to use either OpenSSL or NSS. In our setup , for web sites on Apache web server normally we use OpenSSL generated certificates and for this we load module mod_ssl in Apache. If you are interested in using NSS in Apache should go with module mod_nss instead of mod_ssl.

This becomes obvious that in Linux, packages/binaries use either OpenSSL or NSS or any other crypto library. To know about any individual package or binary, you can use ldd command, like to get list of libraries for sshd 

root# ldd /usr/sbin/sshd

For managing openssl certificates we use openssl command with different options but for NSS certificates and other management use  certutil command.

While discussing NSS, I can remember concept of “shared database”. The concept of shared database will facilitate to use keys and certs by multiple applications. Imagine a situation where SSL certificate working for a web site also used for accessing server via SSH. Fedora is already moving in direction of consolidation  of cryto libraries  and consolidating for NSS https://fedoraproject.org/wiki/FedoraCryptoConsolidationI will discuss more on this in coming posts. 

Share itShare on FacebookEmail this to someoneTweet about this on TwitterShare on Google+Share on LinkedInPrint this page

Leave a Reply

Your email address will not be published. Required fields are marked *

Current month ye@r day *