What is the difference between mod_nss and mod_ssl?

Solution 1:

mod_ssl uses the OpenSSL library to implement TLS; mod_nss uses the NSS library instead. They are mutually exclusive.

mod_nss is rarely used. In fact, NSS is hardly used anywhere other than the Mozilla applications it originated with (like Firefox and Thunderbird, nowadays).

Unless you have very specific and unusual requirements which force the use of mod_nss, there is no reason to use it.

Solution 2:

They're workalikes, with similar configuration and almost identical capabilities. Use whichever one works best for you.

As duskwuff says, mod_ssl is much more widely used, so you'll find more help and it might be easier for others to understand your configuration.

Personally I like the way mod_nss manages certificates better. It keeps them in a database file, and uses certutil and pk12util to manage them. certutil can easily show you a certificate chain and validate it from the certificates in your database, so you know whether the chain is valid before you start the service. Openssl still doesn't have any easy way to do that.