Difference between pages "Portage Profile Logic" and "Package:OpenSSL"

(Difference between pages)
 
 
Line 1: Line 1:
== Gentoo Initialization ==
+
{{Ebuild
 +
|Summary=Full-strength general purpose cryptography library (including SSL and TLS.)
 +
|CatPkg=dev-libs/openssl
 +
|Homepage=http://www.openssl.org
 +
}}
 +
{{PageNeedsUpdates}}
 +
OpenSSL is a cryptography package used with {{Package|net-misc/openssh}}, web servers, and more.  ftps, https, smtps, imaps, etc use SSL/TLS.  SSL/TLS is used to prevent man in the middle attacks on plain text streams of data.  As this is a security package it is frequently cycled from testing, & bug repairs.
 +
{{note|ssl is old, tls is new.  If you have the option to run tls, run tls rather than ssl}}
  
Gentoo profile initialization has been documented in [https://github.com/funtoo/portage-funtoo/commit/4c6826a0029c3c8f0aa92e70b4e50f2ffc58c7fa#diff-0 this GitHub commit], and describes how Gentoo's Portage finds and processes profiles. Basically, Gentoo's Portage looks for profiles using this algorithm:
+
=== Installation ===
 +
{{console|body=###i## emerge dev-libs/openssl}}
  
# Does <tt>/etc/make.profile</tt> exist? If so, it defines the primary profile.
+
=== Usage ===
# If not, does <tt>/etc/portage/make.profile</tt> exist? If so, it defines the primary profile.
+
ssl uses several certificates with differing coverage, and use cases. Certificates are obtained by 3rd party sites. go-daddy, namecheap, and verisign are popular ssl certificate providers, though several others exist.
# Recursively process the <tt>parent</tt> file found in the primary profile to build a list of all cascading profiles
+
# if <tt>/etc/portage/profile</tt> exists, it is a user-defined profile - tack it to the end of our profile list so it can modify anything in the cascading profiles.
+
  
Here is a more detailed description of the steps:
+
The general overview is buy certificate, send private files, send extra information if required, get files back, insert files into openssl configs, change program configs ports to S version of the protocol, (as in for web port 80, now listens to port 443, and i address the server as https instead of http now.) reorder the cert next year.
  
# Look for a profile directory/symlink at <tt>/etc/make.profile</tt>, if one exists, use this as the main profile directory.
+
==== Self Signed Certificates ====
# If <tt>/etc/make.profile</tt> doesn't exist, use <tt>/etc/portage/make.profile</tt> as a back-up location if it exists.
+
Free:
# If neither location exists, then a main profile directory doesn't exist and is undefined (None)
+
Self signed certificates are free, self made, quick, easy to setup, and insecure. They are great for lab experiments, and testing out new technologies that you're not familiar with.
  
Using the main profile directory/symlink found above, the <tt>LocationsManager._addProfile()</tt> recursive function will be called that will create a list of all cascading profiles. This works by looking for a <tt>parent</tt> file in the profile directory. If this file exists, then each line is treated as a ''relative path'' and used to modify the path to the current profile, pointing to a "parent" profile that this particular profile modifies. There can be more than one parent, one per line. ''The first line in the <tt>parent</tt> file is the highest-priority parent.''
+
==== Free Certificates ====
 +
Free:  (with restrictions)
 +
You can get free certificates from places like StartSSL.com.  The free certificates from them are not recommended if you are a company or doing E-Commerce as they only validate that you own the domain, not anything beyond that. However, for personal sites, you can't beat the cost.
  
Once this list is created, the code checks to see if <tt>/etc/portage/profile</tt> directory exists. If it does, it is tacked at the end of the cascading profile list, meaning that it is evaluated last and this user-defined profile has the ability to modify any of the cascading profile settings. It provides an ideal hook point for a user-defined profile that can tweak anything the user wants to modify in the profile.
+
==== Single Domain Certificates ====
 +
Generally $10/yr:
 +
Single domain certificates are probably the cheapest ssl certificate you will find on the web. This certificate does not cover subdomains.
  
[[Category:Portage]]
+
==== Unified Communications Certificate ====
 +
Generally $300/yr
 +
This certificate is meant for small businesses.  This type of certificate will generally cover 20-30 domains, sites, or subdomains.
 +
 
 +
==== Wildcard Certificates ====
 +
Generally $300/yr
 +
Wildcard certificates are expensive, however they cover every subdomain name you add.
 +
 
 +
==== Other Misc Certs ====
 +
*domain validated SSL Certificates
 +
*organization validated SSL Certificates
 +
*Extended Validation SSL Certificates
 +
 
 +
=== Using SSL With Nginx or Tengine ===
 +
See this page:  [[HOWTO:WebServer_SSL]]
 +
 
 +
=== External Resources ===
 +
https://wiki.archlinux.org/index.php/OpenSSL
 +
{{EbuildFooter}}

Latest revision as of 05:58, July 9, 2015

dev-libs/openssl


Source Repository:Repository:Funtoo Overlay

http://www.openssl.org

Summary: Full-strength general purpose cryptography library (including SSL and TLS.)

Use Flags

bindist
Disable EC/RC5 algorithms (as they seem to be patented)
ec_nistp_64_gcc_128
Enable 64-bit optimized implementations of elliptic curves NIST-P224, NIST-P256 and NIST-P521
rfc3779
Enable support for RFC 3779 (X.509 Extensions for IP Addresses and AS Identifiers)

News

Drobbins

IP Space Migration Continues

All Funtoo user containers in the 8.28 IP space will be moving into our new IP space (172.97) over the next few days. If you have DNS set up -- be sure to watch your container and update to the new IP! container.host.funtoo.org DNS will be updated after the move.
2015-08-27 by Drobbins
Drobbins

Funtoo Hosting IP Move

Funtoo user containers with IPs in the 72.18.x.x range will be gradually migrating to new IP addresses this week. If you have DNS entries for your containers, please be aware that your DNS will need to be updated.
2015-08-11 by Drobbins
Drobbins

New ARM Stages

New ARM Stages, built with a new toolchain, are now hitting mirrors. Existing ARM users should re-install using these stages (dated Aug 3, 2015 or later,) rather than upgrade using emerge.
2015-08-06 by Drobbins
More...

OpenSSL

Tip

We welcome improvements to this page. To edit this page, Create a Funtoo account. Then log in and then click here to edit this page. See our editing guidelines to becoming a wiki-editing pro.

OpenSSL is a cryptography package used with Package:OpenSSH, web servers, and more. ftps, https, smtps, imaps, etc use SSL/TLS. SSL/TLS is used to prevent man in the middle attacks on plain text streams of data. As this is a security package it is frequently cycled from testing, & bug repairs.

Note

ssl is old, tls is new. If you have the option to run tls, run tls rather than ssl

Installation

# emerge dev-libs/openssl


Usage

ssl uses several certificates with differing coverage, and use cases. Certificates are obtained by 3rd party sites. go-daddy, namecheap, and verisign are popular ssl certificate providers, though several others exist.

The general overview is buy certificate, send private files, send extra information if required, get files back, insert files into openssl configs, change program configs ports to S version of the protocol, (as in for web port 80, now listens to port 443, and i address the server as https instead of http now.) reorder the cert next year.

Self Signed Certificates

Free: Self signed certificates are free, self made, quick, easy to setup, and insecure. They are great for lab experiments, and testing out new technologies that you're not familiar with.

Free Certificates

Free: (with restrictions) You can get free certificates from places like StartSSL.com. The free certificates from them are not recommended if you are a company or doing E-Commerce as they only validate that you own the domain, not anything beyond that. However, for personal sites, you can't beat the cost.

Single Domain Certificates

Generally $10/yr: Single domain certificates are probably the cheapest ssl certificate you will find on the web. This certificate does not cover subdomains.

Unified Communications Certificate

Generally $300/yr This certificate is meant for small businesses. This type of certificate will generally cover 20-30 domains, sites, or subdomains.

Wildcard Certificates

Generally $300/yr Wildcard certificates are expensive, however they cover every subdomain name you add.

Other Misc Certs

  • domain validated SSL Certificates
  • organization validated SSL Certificates
  • Extended Validation SSL Certificates

Using SSL With Nginx or Tengine

See this page: HOWTO:WebServer_SSL

External Resources

https://wiki.archlinux.org/index.php/OpenSSL