Hi,
One or two questions about certificate compatibility: I have a self-signed certificate generated by OpenSSL, and the official package of OpenLDAP in Ubuntu is compiled with the GnuTLS library. Do you think this configuration could create errors?
If this is the case, and if I want to maintain the easy deb package upgrade system, do you know a repository with a deb version of OpenLDAP compiled with the OpenSSL library?
Thanks for the advice, SR
On Thursday, 09 February 2012 at 23:21 +0100, rey sebastien wrote:
> Hi,
> One or two questions about certificate compatibility: I have a self-signed certificate generated by OpenSSL, and the official package of OpenLDAP in Ubuntu is compiled with the GnuTLS library. Do you think this configuration could create errors?
> If this is the case, and if I want to maintain the easy deb package upgrade system, do you know a repository with a deb version of OpenLDAP compiled with the OpenSSL library?
> Thanks for the advice, SR

I've just fixed my problem by recompiling OpenLDAP without GnuTLS support. You are trying to do the exact thing I did. It won't work.
I don't know about Debian and deb packages; I am running another distro. But you need an OpenLDAP not linked to GnuTLS.
Daniel Savard wrote:
> On Thursday, 09 February 2012 at 23:21 +0100, rey sebastien wrote:
>> Hi,
>> One or two questions about certificate compatibility: I have a self-signed certificate generated by OpenSSL, and the official package of OpenLDAP in Ubuntu is compiled with the GnuTLS library. Do you think this configuration could create errors?
>> If this is the case, and if I want to maintain the easy deb package upgrade system, do you know a repository with a deb version of OpenLDAP compiled with the OpenSSL library?
>> Thanks for the advice, SR
>
> I've just fixed my problem by recompiling OpenLDAP without GnuTLS support. You are trying to do the exact thing I did. It won't work.
> I don't know about Debian and deb packages; I am running another distro. But you need an OpenLDAP not linked to GnuTLS.

In general, if a software package is creating certificates that comply with the X.509 specs, then it should make no difference what library you use. In practice, GnuTLS and OpenSSL don't support the same set of ciphers and hashes, so the digital signatures used to create a certificate may not be compatible from one to the other. Since OpenSSL has been the de facto standard for internet apps since the early 1990s, yes, it's generally a safe bet to just stick with it.
On Thu, 09 Feb 2012 23:53:25 CET, Daniel Savard wrote:
> On Thursday, 09 February 2012 at 23:21 +0100, rey sebastien wrote:
>> Hi,
>> One or two questions about certificate compatibility: I have a self-signed certificate generated by OpenSSL, and the official package of OpenLDAP in Ubuntu is compiled with the GnuTLS library. Do you think this configuration could create errors?
>> If this is the case, and if I want to maintain the easy deb package upgrade system, do you know a repository with a deb version of OpenLDAP compiled with the OpenSSL library?
>> Thanks for the advice, SR
>
> I've just fixed my problem by recompiling OpenLDAP without GnuTLS support. You are trying to do the exact thing I did. It won't work.
> I don't know about Debian and deb packages; I am running another distro. But you need an OpenLDAP not linked to GnuTLS.

OK, thanks for the answer. It's really silly to have an official version with GnuTLS if it isn't functional :( If I change my certificate for a GnuTLS-generated certificate (I use a self-signed certificate), is there no need to create a custom OpenLDAP with the OpenSSL library?
--On Friday, February 10, 2012 10:18 AM +0100 rey sebastien reyman64@gmail.com wrote:
> OK, thanks for the answer. It's really silly to have an official version with GnuTLS if it isn't functional :(

GnuTLS is fairly buggy, and also has serious known security issues. GnuTLS support was added at Debian's request, because of their issues with the OpenSSL license. That doesn't fix the fact that GnuTLS in and of itself has issues.

> If I change my certificate for a GnuTLS-generated certificate (I use a self-signed certificate), is there no need to create a custom OpenLDAP with the OpenSSL library?

It might. I would still suggest you rebuild OpenLDAP so that it is linked to OpenSSL instead of GnuTLS.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
Hi,
On Friday, 10. February 2012, rey sebastien wrote:
> It's really silly to have an official version with GnuTLS if it isn't functional :(

This is not what Howard said.
The fact that you have a problem with OpenLDAP compiled with GnuTLS does not make the package in general. E.g. there's always the potential for misconfiguration.
I have used certificates created with an OpenSSL-based tool together with Debian's OpenLDAP without issues for years.
Best Peter
openldap-technical@openldap.org