NSS FAQ

Newsgroup: mozilla.dev.tech.crypto


General Questions

Developer Questions Licensing Questions


General Questions

What is Network Security Services (NSS)?

NSS is set of libraries, APIs, utilities, and documentation designed to support cross-platform development of security-enabled client and server applications. It provides a complete open-source implementation of the crypto libraries used by Netscape and other companies in the Netscape 6 browser, server products from iPlanet E-Commerce Solutions, the Gateway Connected Touch Pad with Instant AOL, and other products.

For an overview of NSS, see Overview of NSS. For detailed information on the open-source NSS project, see NSS Project Page.

What can I do with NSS? Is NSS appropriate for my application?

If you want add support for SSL, S/MIME, or other Internet security standards to your application, you can use Network Security Services (NSS) to do so. Because NSS provides complete support for all versions of SSL and TLS, it is particularly well-suited for applications that need to communicate with the many clients and servers that already support the SSL protocol.

The PKCS #11 interface included in NSS means that your application can use hardware accelerators on the server and smart cards for two-factor authentication.

How does NSS compare to OpenSSL?

OpenSSL is an open source project that implements server-side SSL, TLS, and a general-purpose cryptography library. It does not support PKCS #11. It is based on the SSLeay library developed by Eric A. Young and Tim J. Hudson. OpenSSL is widely used in Apache servers and is licensed under an Apache-style licence.

NSS supports both server and client applications as well as PKCS #11 and S/MIME. To permit its use in as many contexts as possible, NSS is triple-licensed under the Mozilla Public License, the GNU General Public License, and the GNU Lesser General Public License. You may choose to use the code either under the terms of the MPL or the GPL or the LGPL.

How does NSS compare to SSLRef?

SSLRef was an early reference implementation of the SSL protocol. It contains bugs that were never fixed, doesn't support TLS or or the new 56-bit export cipher suites, and does not contain the fix to the Bleichenbacher attack on PKCS#1.

Netscape no longer maintains SSLRef or makes it available. It was built as an example of an SSL implementation, not for creating production applications.

NSS was designed from the ground up for use by commercial developers. It provides a complete software development kit that uses the same architecture used to support security features in many client and server products from Netscape and other companies.

What platforms and development environments are supported?

iPlanet E-Commerce Solutions has certified NSS 3.1 on 18 platforms, including AIX 4.3, HP-UX 11.0, Red Hat Linux 6.0, Solaris (2.6 or later), Windows NT (4.0 or later), and Windows 2000. Other contributors are in the process of certifying additional platforms. The NSS 3.1 API requires C or C++ development environments.

For the latest NSS release notes and detailed platform information, see NSS 3.1 Release Notes.

What cryptography standards does NSS support?

NSS supports SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, and X.509 v3 certificates. For complete details, see Encryption Technologies.

What is the relationship between NSS and PSM?

Personal Security Manager (PSM) is built on top of NSS. It consists of libraries and a daemon designed to support cross-platform development of security-enabled client applications. The PSM binary provides a client module that performs cryptographic operations on behalf of applications. Netscape Personal Security Manager ships with Netscape 6 and the Gateway Connected Touch Pad with Instant AOL, and is also available for use with Communicagotr 4.7x.

For more information about the PSM open-source project, see Personal Security Manager.

Where can I get the source code?

For instructions on how to check out and build the NSS 3.1 source code, see Build Instructions for NSS 3.1. The source code may also be downloaded as a tar file from ftp://ftp.mozilla.org/pub/mozilla.org/security/.

How much does it cost?

NSS source code and binaries (when they become available) are completely free. No license fees, no royalty fees, no subscription fees.


Developer Questions

What hardware accelerators are supported?

NSS supports the PKCS #11 interface for hardware acceleration. Since leading accelerator vendors such as Chrysalis-IT, nCipher, and Rainbow Technologies also support this interface, NSS-enabled applications can support a wide variety of hardware accelerators.

How do I integrate smart cards into my application using NSS?

NSS supports the PKCS #11 interface for smart card integration. Applications that use the PKCS #11 interface provided by NSS will therefore support smart cards from leading vendors such as ActiveCard, Litronic, and SecureID Technologies that also support the PKCS #11 interface.

How is NSS compatible with other Netscape products?

NSS provides tight integration with other Netscape products in two ways. First, by using NSS to implement SSL and TLS, you can support SSL communications with all products from Netscape and all other vendors that support SSL and TLS. Second, NSS makes it easy to share certificates between Netscape client and server products and your application.

Does NSS require Netscape Portable Runtime (NSPR)?

To provide cross-platform support, NSS utilizes Netscape Portable Runtime (NSPR) libraries as a portability interface and implementation that provides consistent cross-platform semantics for network I/O and threading models. You can use NSPR throughout your application or only in the portion that calls into NSS. Netscape strongly recommends that multithreaded applications use the NSPR or native OS threading model. (In recent NSPR releases, the NSPR threading model is compatible with the native threading model if the OS has native threads.) Alternatively, you can adapt the open-source NSPR implementation to be compatible with your existing application's threading models. More information about NSPR may be found at Netscape Portable Runtime.

Can I use NSS even if my application protocol isn't HTTP?

Yes, SSL independent of application protocols. It works with common Internet standard application protocols (HTTP, POP3, FTP, SMTP, etc.) as well as custom application protocols using TCP/IP.

How long does it take to integrate NSS into my application?

The integration effort depends on an number of factors, such as developer skill set, application complexity, and the level of security required for your application. NSS includes detailed documentation of the SSL API and sample code that demonstrates basic SSL functionality (setting up an encrypted session, server authentication, and client authentication) to help jump start the integration process. However, there is little or no documentation currently available for the rest of the NSS API. If your application requires sophisticated certificate management, smart card support, or hardware acceleration, your integration effort will be more extensive.

Where can I download the NSS tools?

Currently, you must download the NSS source and build it to create binary files for the NSS tools. For more information, see NSS Tools.

How can I learn more about SSL?

NSS provides extensive documentation related to SSL, including high-level introductions, detailed API documentation, sample code for simple client and server applications, the original SSL 3.0 specification, and information on debugging SSL applications. For details, see the SSL/TLS Project Page. For information about the NSS tools, including those used for debugging SSL applications, see NSS Security Tools.


Licensing Questions

How is NSS licensed?

NSS is triple-licensed under the Mozilla Public License, the GNU General Public License, and the GNU Lesser General Public License. For more details, see the Mozilla Crypto FAQ.

Is NSS available outside the United States?

Yes; see Build Instructions for NSS 3.1. and ftp://ftp.mozilla.org/pub/mozilla.org/security/. However, NSS source code is subject to the U.S. Export Administration Regulations and other U.S. law, and may not be exported or re-exported to certain countries (currently Cuba, Iran, Libya, North Korea, Sudan and Syria) or to persons or entities prohibited from receiving U.S. exports (including those (a) on the Bureau of Industry and Security Denied Parties List or Entity List, (b) on the Office of Foreign Assets Control list of Specially Designated Nationals and Blocked Persons, and (c) involved with missile technology or nuclear, chemical or biological weapons).

For more information about U.S. export controls on encryption software, see the Mozilla Crypto FAQ.