diff -rNU 50 ../mod_nss-1.0.8-o/docs/mod_nss.html ./docs/mod_nss.html --- ../mod_nss-1.0.8-o/docs/mod_nss.html 2014-02-18 16:30:19.000000000 +0100 +++ ./docs/mod_nss.html 2014-02-18 16:48:18.000000000 +0100 @@ -632,100 +632,135 @@ SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 fortezza_null
SSL_FORTEZZA_DMS_WITH_NULL_SHA
SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 fips_des_sha
SSL_RSA_FIPS_WITH_DES_CBC_SHA
SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 fips_3des_sha
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 rsa_des_56_sha TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 rsa_rc4_56_sha TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 rsa_aes_128_sha
TLS_RSA_WITH_AES_128_CBC_SHA
SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 rsa_aes_256_sha
TLS_RSA_WITH_AES_256_CBC_SHA
SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 + + rsa_aes_128_sha256
+ + TLS_RSA_WITH_AES_128_CBC_SHA256
+ + TLSv1.2 + + + rsa_aes_128_gcm_sha
+ + TLS_RSA_WITH_AES_128_GCM_SHA256
+ + TLSv1.2 + + + rsa_camellia_128_sha
+ + TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
+ + TLSv1.0/TLSv1.1/TLSv1.2 + + + rsa_camellia_256_sha
+ + TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
+ + TLSv1.0/TLSv1.1/TLSv1.2 + + + rsa_aes_256_sha256
+ + TLS_RSA_WITH_AES_256_CBC_SHA256
+ + TLSv1.2 +
Additionally there are a number of ECC ciphers:

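Review bot: the new token `rsa_aes_128_gcm_sha` (paired with TLS_RSA_WITH_AES_128_GCM_SHA256) drops the `256` that its new siblings `rsa_aes_128_sha256` and `rsa_aes_256_sha256` carry, so the token spelling does not follow the NSS suite name the way the CBC rows do; these are the literal strings an administrator types into NSSCipherSuite, so either rename the token to match the `_sha256` convention or state explicitly in the row that `rsa_aes_128_gcm_sha` is the accepted spelling. The protocol cells of the added rows are otherwise consistent: the SHA-256 HMAC and GCM suites are listed as TLSv1.2 only and the two Camellia CBC suites as TLSv1.0/TLSv1.1/TLSv1.2, which matches the constraints of those suites.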
@@ -773,100 +794,130 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Cipher Name
NSS Cipher Definition
Protocol
ecdh_ecdsa_null_sha TLS_ECDH_ECDSA_WITH_NULL_SHA TLSv1.0/TLSv1.1/TLSv1.2
ecdh_ecdsa_rc4_128_sha TLS_ECDH_ECDSA_WITH_RC4_128_SHA TLSv1.0/TLSv1.1/TLSv1.2
ecdh_ecdsa_3des_sha TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA TLSv1.0/TLSv1.1/TLSv1.2
ecdh_ecdsa_aes_128_sha TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA TLSv1.0/TLSv1.1/TLSv1.2
ecdh_ecdsa_aes_256_sha TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA TLSv1.0/TLSv1.1/TLSv1.2
ecdhe_ecdsa_null_sha TLS_ECDHE_ECDSA_WITH_NULL_SHA TLSv1.0/TLSv1.1/TLSv1.2
ecdhe_ecdsa_rc4_128_sha TLS_ECDHE_ECDSA_WITH_RC4_128_SHA TLSv1.0/TLSv1.1/TLSv1.2
echde_rsa_null TLS_ECDHE_RSA_WITH_NULL_SHA TLSv1.0/TLSv1.1/TLSv1.2
ecdhe_rsa_rc4_128_sha TLS_ECDHE_RSA_WITH_RC4_128_SHA TLSv1.0/TLSv1.1/TLSv1.2
ecdhe_rsa_3des_sha TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLSv1.0/TLSv1.1/TLSv1.2
ecdhe_rsa_aes_128_sha TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLSv1.0/TLSv1.1/TLSv1.2
ecdhe_rsa_aes_256_sha TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLSv1.0/TLSv1.1/TLSv1.2
ecdh_anon_null_sha TLS_ECDH_anon_WITH_NULL_SHA TLSv1.0/TLSv1.1/TLSv1.2
ecdh_anon_rc4_128sha TLS_ECDH_anon_WITH_RC4_128_SHA TLSv1.0/TLSv1.1/TLSv1.2
ecdh_anon_3des_sha TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA TLSv1.0/TLSv1.1/TLSv1.2
ecdh_anon_aes_128_sha TLS_ECDH_anon_WITH_AES_128_CBC_SHA TLSv1.0/TLSv1.1/TLSv1.2
ecdh_anon_aes_256_sha TLS_ECDH_anon_WITH_AES_256_CBC_SHA TLSv1.0/TLSv1.1/TLSv1.2
ecdh_ecdsa_aes_128_sha256TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256TLSv1.2
ecdh_rsa_aes_128_sha256TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256TLSv1.2
ecdh_ecdsa_aes_128_gcm_shaTLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256TLSv1.0/TLSv1.1/TLSv1.2
ecdhe_ecdsa_aes_128_gcm_shaTLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256TLSv1.0/TLSv1.1/TLSv1.2
ecdh_rsa_aes_128_gcm_shaTLS_ECDH_RSA_WITH_AES_128_GCM_SHA256TLSv1.0/TLSv1.1/TLSv1.2
ecdhe_rsa_aes_128_gcm_shaTLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256TLSv1.0/TLSv1.1/TLSv1.2

Example

NSSCipherSuite +rsa_3des_sha,-rsa_des_56_sha,+rsa_des_sha,-rsa_null_md5,-rsa_null_sha,-rsa_rc2_40_md5,+rsa_rc4_128_md5,-rsa_rc4_128_sha,
-rsa_rc4_40_md5,-rsa_rc4_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,
+fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha


NSSProtocol

A comma-separated string that lists the basic protocols that the server can use (and clients may connect with). It doesn't enable a cipher specifically but allows ciphers for that protocol to be used at all.

Options are:
Note that this differs from mod_ssl in that you can't add or subtract protocols.

If no NSSProtocol is specified, mod_nss will default to allowing the use of the SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2 protocols, where SSLv3 will be set to be the minimum protocol allowed, and TLSv1.2 will be set to be the maximum protocol allowed.
If values for NSSProtocol are specified, mod_nss will set both the minimum and the maximum allowed protocols based upon these entries allowing for the inclusion of every protocol in-between. For example, if only SSLv3 and TLSv1.2 are specified, SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2 will all be allowed, as NSS utilizes protocol ranges to accept all protocols inclusively (TLS 1.2 ->TLS 1.1 -> TLS 1.0 -> SSL 3.0), and does not allow exclusion of any protocols in the middle of a range (e. g. - TLS 1.0).

Finally, NSS will always automatically negotiate the use of the strongest possible protocol that has been specified which is acceptable to both sides of a given connection.
SSLv2 is not supported by default at this time.

Example

NSSProtocol SSLv3,TLSv1.0,TLSv1.1,TLSv1.2
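Review bot: the Protocol column for the four GCM rows (ecdh_ecdsa_aes_128_gcm_sha, ecdhe_ecdsa_aes_128_gcm_sha, ecdh_rsa_aes_128_gcm_sha, ecdhe_rsa_aes_128_gcm_sha) reads TLSv1.0/TLSv1.1/TLSv1.2, yet the neighbouring ecdh_ecdsa_aes_128_sha256 and ecdh_rsa_aes_128_sha256 rows and the rsa_aes_128_gcm_sha row in the previous hunk are TLSv1.2 only; AES-GCM (AEAD) suites, like the SHA-256 HMAC suites, are defined only for TLS 1.2, so those four cells should read `TLSv1.2`, otherwise readers will expect GCM on TLS 1.0/1.1 connections that can never negotiate it. Two smaller points in the same region: `echde_rsa_null` and `ecdh_anon_rc4_128sha` break the `ecdhe_..._sha` / `..._128_sha` pattern of the surrounding tokens and should be checked against the strings the NSSCipherSuite parser accepts, since users copy them verbatim; and in the NSSProtocol text the line `Options are:` is followed directly by the mod_ssl note, so the list of accepted values (the example below implies SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2) is missing and should be restored there.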