Re: GnuTLS / OpenSSL certificates compatibilty

[Howard Chu <hyc@symas.com>]

Daniel Savard wrote:
> Le jeudi 09 février 2012 à 23:21 +0100, rey sebastien a écrit :
> > Hi,
> >
> > One or two question about certificate compatibility,
> > I have self signed certificate generated by openSSL, and the official
> > package of openldap in Ubuntu is compilated with gnutls library. Do you
> > think this configuration could create error ?
> >
> > If this is the case, and if i want to maintain the easy deb package
> > upgrade system, do you know a repository with deb version of openldap
> > compiled with openssl library ?
> >
> > Thanks for advice,
> > SR
>
> I've just fix my problem by recompiling openldap without GnuTLS support.
> You are trying to do the exact thing I did. It won't work.
>
> I don't know about Debian and deb packages, I am running another distro.
> But you need an OpenLDAP not linked to GnuTLS.

In general, if a software package is creating certificates that comply to the 
X.509 specs, then it should make no difference what library you use. In 
practice, GnuTLS and OpenSSL don't support the same set of ciphers and hashes, 
so the digital signatures used to create a certificate may not be compatible 
from one to the other. Since OpenSSL has been the de facto standard for 
internet apps since the early 1990s, yes, it's generally a safe bet to just 
stick with it.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/