Difference between pages "Funtoo Profiles" and "Package:OpenSSL"

From Funtoo

== What is a profile? ==

In Gentoo and Funtoo Linux, profiles are used to define base system settings, and have historically had a lot of untapped potential. In Funtoo Linux, I wanted to take advantage of some of this potential to allow Funtoo Linux users to easily tailor their system for various types of roles. Enter the new Funtoo profile system.

== What It Is ==

Historically, users have had to add a ton of settings to <tt>/etc/make.conf</tt> to customize their Gentoo or Funtoo Linux system, which made setup of the operating system more difficult than it should be.

In Gentoo Linux, it is possible to define only one ''system profile''. Think of a system profile as the default settings that Portage uses for building everything on your system.

In Funtoo Linux, multiple profiles can be enabled at the same time. These include:

* '''arch''' - one arch profile is enabled, at build time, and is not changed. This defines CPU architecture-specific settings.
* '''build''' - one build profile is enabled, at build time, and is generally not changed. It defines the type of build, such as 'current' or 'stable', and associated settings.
* '''flavor''' - one flavor is enabled per system, and can be changed by the user. This defines the general use of the system, such as 'minimal', 'core', 'desktop' or 'workstation'.
* '''mix-in''' - zero or more mix-ins can be enabled that enable settings specific to a particular subset of features, such as 'gnome', 'kde', 'media', 'mate', 'X' or 'hardened'.

{{Fancynote|1=
See [[Flavors and Mix-ins]] for a complete list of all flavors and mix-ins available in Funtoo Linux, along with descriptions of what each one does.}}

=== Origins and Benefits ===

This new system is really a completion of the original cascading profile design that was designed by Daniel Robbins and implemented by Seemant Kulleen as part of Portage. Funtoo Profiles are designed to leverage the existing cascading profile system and provide something much more usable and maintainable for users and developers alike. Here are some of its benefits:

* Fewer settings in <tt>/etc/make.conf</tt>: <tt>CHOST</tt> and <tt>ARCH</tt> are no longer set there.
* Separation of concerns: arch, build, and flavor-related settings are organized together.
* User flexibility: any number of mix-ins can be enabled to tweak masks or USE settings as needed.

{{fancynote|See [[Custom Profiles]] for information on how to extend the profile system.}}

== What It Looks Like ==
Here's what a list of profiles looks like:
<console>
###i## eselect profile list
Currently available arch profiles:
  [1]  funtoo/1.0/linux-gnu/arch/x86-32bit
  [2]  funtoo/1.0/linux-gnu/arch/x86-64bit
Currently available build profiles:
  [3]  funtoo/1.0/linux-gnu/build/stable
  [4]  funtoo/1.0/linux-gnu/build/current
  [5]  funtoo/1.0/linux-gnu/build/experimental
Currently available flavor profiles:
  [6]  funtoo/1.0/linux-gnu/flavor/minimal
  [7]  funtoo/1.0/linux-gnu/flavor/core
  [8]  funtoo/1.0/linux-gnu/flavor/desktop
  [9]  funtoo/1.0/linux-gnu/flavor/workstation
Currently available mix-ins profiles:
  [10]  funtoo/1.0/linux-gnu/mix-ins/audio
  [11]  funtoo/1.0/linux-gnu/mix-ins/console-extras
  [12]  funtoo/1.0/linux-gnu/mix-ins/dvd
  [13]  funtoo/1.0/linux-gnu/mix-ins/gnome
  [14]  funtoo/1.0/linux-gnu/mix-ins/kde
  [15]  funtoo/1.0/linux-gnu/mix-ins/media
  [16]  funtoo/1.0/linux-gnu/mix-ins/print
  [17]  funtoo/1.0/linux-gnu/mix-ins/python3-only
  [18]  funtoo/1.0/linux-gnu/mix-ins/rhel5-compat
  [19]  funtoo/1.0/linux-gnu/mix-ins/server-db
  [20]  funtoo/1.0/linux-gnu/mix-ins/server-mail
  [21]  funtoo/1.0/linux-gnu/mix-ins/server-web
  [22]  funtoo/1.0/linux-gnu/mix-ins/X
  [23]  funtoo/1.0/linux-gnu/mix-ins/xfce
</console>
As you can see, there are multiple types of profiles to choose from.
Let's move on to how to start using it.
 
== Switch to the Funtoo 1.0 Profile ==
 
=== Using eselect ===
The preferred method of adding and removing profiles is to use [[eselect|eselect profile]]. This ensures that profiles are added correctly and in the proper order. The order is very important for things to work right.
For a list of options, run:
<console>
###i## eselect profile help
</console>
 
As the previous command's output shows, the '''list''' option shows which profiles are currently defined:
 
<console>
###i## eselect profile list
Currently available arch profiles:
  [1]  funtoo/1.0/linux-gnu/arch/x86-64bit *
Currently available build profiles:
  [2]  funtoo/1.0/linux-gnu/build/stable
  [3]  funtoo/1.0/linux-gnu/build/current *
  [4]  funtoo/1.0/linux-gnu/build/experimental
Currently available flavor profiles:
  [5]  funtoo/1.0/linux-gnu/flavor/minimal
  [6]  funtoo/1.0/linux-gnu/flavor/core
  [7]  funtoo/1.0/linux-gnu/flavor/desktop *
Currently available mix-ins profiles:
  [8]  funtoo/1.0/linux-gnu/mix-ins/dvd
  [9]  funtoo/1.0/linux-gnu/mix-ins/gnome
  [10]  funtoo/1.0/linux-gnu/mix-ins/kde
  [11]  funtoo/1.0/linux-gnu/mix-ins/media
  [12]  funtoo/1.0/linux-gnu/mix-ins/rhel5-compat
  [13]  funtoo/1.0/linux-gnu/mix-ins/server-db
  [14]  funtoo/1.0/linux-gnu/mix-ins/server-mail
  [15]  funtoo/1.0/linux-gnu/mix-ins/server-web
  [16]  funtoo/1.0/linux-gnu/mix-ins/workstation
  [17]  funtoo/1.0/linux-gnu/mix-ins/workstation-minimal
</console>
 
As in several other Funtoo utilities, a star on the right indicates an active item (your case may differ from the example above). To add, say, the mix-ins '''dvd''', '''kde''' and '''media''', you have to enter:
 
<console>
###i## eselect profile add 8
###i## eselect profile add 10
###i## eselect profile add 11
</console>
 
Or, in one shot:
 
<console>
###i## eselect profile add 8 10 11
</console>
 
Verification:
 
<console>
###i## eselect profile list 
Currently available arch profiles:
  [1]  funtoo/1.0/linux-gnu/arch/x86-64bit *
Currently available build profiles:
  [2]  funtoo/1.0/linux-gnu/build/stable
  [3]  funtoo/1.0/linux-gnu/build/current *
  [4]  funtoo/1.0/linux-gnu/build/experimental
Currently available flavor profiles:
  [5]  funtoo/1.0/linux-gnu/flavor/minimal
  [6]  funtoo/1.0/linux-gnu/flavor/core
  [7]  funtoo/1.0/linux-gnu/flavor/desktop *
Currently available mix-ins profiles:
  [8]  funtoo/1.0/linux-gnu/mix-ins/dvd *
  [9]  funtoo/1.0/linux-gnu/mix-ins/gnome
  [10]  funtoo/1.0/linux-gnu/mix-ins/kde *
  [11]  funtoo/1.0/linux-gnu/mix-ins/media *
  [12]  funtoo/1.0/linux-gnu/mix-ins/rhel5-compat
  [13]  funtoo/1.0/linux-gnu/mix-ins/server-db
  [14]  funtoo/1.0/linux-gnu/mix-ins/server-mail
  [15]  funtoo/1.0/linux-gnu/mix-ins/server-web
  [16]  funtoo/1.0/linux-gnu/mix-ins/workstation
  [17]  funtoo/1.0/linux-gnu/mix-ins/workstation-minimal
</console>
 
{{Fancynote| You must use the numbers to reference the profile bits you want.}}
 
No magic here: what you add is written to the <tt>/etc/portage/make.profile/parent</tt> file, which Portage reads. In the present case this file contains:
 
<console>
###i## cat /etc/portage/make.profile/parent
gentoo:funtoo/1.0/linux-gnu/arch/x86-64bit
gentoo:funtoo/1.0/linux-gnu/build/current
gentoo:funtoo/1.0/linux-gnu/flavor/desktop
gentoo:funtoo/1.0/linux-gnu/mix-ins/dvd
gentoo:funtoo/1.0/linux-gnu/mix-ins/gnome
gentoo:funtoo/1.0/linux-gnu/mix-ins/kde
gentoo:funtoo/1.0/linux-gnu/mix-ins/media
</console>
 
== For Developers ==
 
=== Define the profile sub-sets you will use ===
 
So far in Funtoo we have used exactly the same profiles as Gentoo, so Funtoo/2008.0 was strictly the same thing as Gentoo/2008.0 (and 10.0 was barely different). This (monolithic) profile was set through a symbolic link named '''/etc/make.profile''' pointing at a complex directory tree located somewhere under '''/usr/portage/profiles'''. This is no longer the case with the Funtoo 1.0 profiles, as they are split into several smaller bricks which are then glued together via the '''/etc/portage/make.profile/parent''' file (you do not need to include everything, just the bricks you need). Those bricks belong to several categories:
 
1. MANDATORY -- An "arch" profile which defines settings for a particular architecture. You'll want to set this to whatever arch your system is and leave it alone. '''Setting it to a different arch than your system could severely break it.'''
 
2. MANDATORY -- A "build" profile which should match the tree you wish to use. '''Stable''', '''Current''' (~arch), or '''Experimental''' (use it if you are brave enough and find '''current''' too stable).
 
3. MANDATORY -- A "flavor" profile (what was previously known as a ''profile'', and is still known as such in Gentoo) which describes the kind of system you want.
* minimal - Be warned, minimal is exactly what it says: the minimal set of stuff you need for a usable system, nothing else. This is really for people who know what they're doing.
* core - This is the core profile, for stuff that affects both desktops and servers.
* desktop - Exactly what it says. If you're using a desktop, you should set this as your flavor.
* server - If you're running a server, you should set this as your flavor.
 
4. OPTIONAL -- One or more "mix-ins" profiles which describe optional add-ons. 'mix-ins' are the heart of the Funtoo 1.0 profiles. Unlike the monolithic profiles, which set a massive number of USE flags and options for you, we've split them into logical add-on profiles. For instance, if you want support for GNOME, you would add the gnome mix-in to your current profiles. That mix-in sets all the proper USE flags and such for GNOME. Same with others. Want DVD support? Add that one in. Using a RHEL 5 kernel which requires special versions of packages such as udev? There's a mix-in for that too. Run a mail server? A web server? There are mix-ins for those also. Expect this category to grow in the future as new mix-ins are created.
 
The contents of '''/etc/portage/make.profile/parent''' for a basic setup might look like this:
 
<pre>
gentoo:funtoo/1.0/linux-gnu/arch/x86-64bit
gentoo:funtoo/1.0/linux-gnu/build/current
gentoo:funtoo/1.0/linux-gnu/flavor/core
</pre>
 
A more rounded setup for a desktop might look like this:
 
<pre>
gentoo:funtoo/1.0/linux-gnu/arch/x86-64bit
gentoo:funtoo/1.0/linux-gnu/build/current
gentoo:funtoo/1.0/linux-gnu/flavor/desktop
gentoo:funtoo/1.0/linux-gnu/mix-ins/dvd
gentoo:funtoo/1.0/linux-gnu/mix-ins/media
</pre>
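As an added check that is not part of the original page, here is a small Python script that reads the bricks from a <tt>/etc/portage/make.profile/parent</tt> file (the file that the eselect profile steps above maintain) and verifies the rules stated in this section: exactly one arch, one build and one flavor brick, zero or more mix-ins, no duplicates, and the arch, build, flavor, mix-ins order that the profile listings above show. The file contents embedded in the script are the desktop example from this page; the mapping from <tt>uname -m</tt> values to arch profile names is an assumption of this example, not something the page defines.

```python
"""Added example (not part of the Funtoo wiki page): sanity-check the bricks
listed in /etc/portage/make.profile/parent against the rules described above."""
import platform
import re
from collections import Counter

# Constructed sample: the "more rounded desktop" parent file shown on this page.
SAMPLE_PARENT = """\
gentoo:funtoo/1.0/linux-gnu/arch/x86-64bit
gentoo:funtoo/1.0/linux-gnu/build/current
gentoo:funtoo/1.0/linux-gnu/flavor/desktop
gentoo:funtoo/1.0/linux-gnu/mix-ins/dvd
gentoo:funtoo/1.0/linux-gnu/mix-ins/media
"""

# Category order the page describes; the listings above use the same order.
ORDER = ["arch", "build", "flavor", "mix-ins"]
MANDATORY = {"arch": 1, "build": 1, "flavor": 1}  # exactly one each; mix-ins are free

# Assumed mapping from `uname -m` output to the arch profile names on this page.
UNAME_TO_ARCH = {"x86_64": "x86-64bit", "i686": "x86-32bit", "i586": "x86-32bit"}

# One brick per line: <repo>:<prefix>/<category>/<name>
BRICK_RE = re.compile(
    r"^(?P<repo>[^:\s]+):(?P<prefix>\S+?)/(?P<cat>arch|build|flavor|mix-ins)/(?P<name>[^/\s]+)$"
)


def parse_parent(text):
    """Return [(category, name), ...]; blank lines and '#' comments are skipped."""
    bricks = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = BRICK_RE.match(line)
        if match is None:
            raise ValueError(f"line {lineno}: not a profile brick: {line!r}")
        bricks.append((match.group("cat"), match.group("name")))
    return bricks


def check_parent(text, host_arch=None):
    """Return a list of problems; an empty list means the file follows the rules."""
    problems = []
    bricks = parse_parent(text)
    counts = Counter(cat for cat, _ in bricks)

    for cat, wanted in MANDATORY.items():
        if counts[cat] != wanted:
            problems.append(f"{cat}: expected exactly {wanted} brick, found {counts[cat]}")

    # The category rank must never decrease while walking down the file.
    ranks = [ORDER.index(cat) for cat, _ in bricks]
    if ranks != sorted(ranks):
        problems.append("bricks are out of order; expected arch, build, flavor, then mix-ins")

    for (cat, name), n in Counter(bricks).items():
        if n > 1:
            problems.append(f"{cat}/{name} is listed more than once")

    # The page warns that a wrong arch brick can severely break the system.
    if host_arch is not None and counts["arch"] == 1:
        expected = UNAME_TO_ARCH.get(host_arch)
        arch_name = next(name for cat, name in bricks if cat == "arch")
        if expected is not None and arch_name != expected:
            problems.append(
                f"arch/{arch_name} does not match this machine ({host_arch} -> arch/{expected})"
            )
    return problems


if __name__ == "__main__":
    # On a real system you would read /etc/portage/make.profile/parent instead.
    report = check_parent(SAMPLE_PARENT, host_arch=platform.machine())
    print("OK" if not report else "\n".join(report))
```

The parser is deliberately strict: a line that is not of the form <tt>repo:path/category/name</tt> raises instead of being silently ignored, so a typo in the file shows up before Portage starts resolving the profile.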
 
== Related ==
* [[Flavors and Mix-ins]]
 
[[Category:Funtoo features]]
[[Category:Portage]]
[[Category:Labs]]
[[Category:HOWTO]]
[[Category:Official Documentation]]

Latest revision as of 05:58, July 9, 2015

{{Ebuild
|Summary=Full-strength general purpose cryptography library (including SSL and TLS.)
|CatPkg=dev-libs/openssl
|Homepage=http://www.openssl.org
}}
{{PageNeedsUpdates}}
OpenSSL is a cryptography package used with {{Package|net-misc/openssh}}, web servers, and more. Protocols such as ftps, https, smtps and imaps use SSL/TLS. SSL/TLS is used to prevent man-in-the-middle attacks on what would otherwise be plain-text streams of data. As this is a security package, it is frequently cycled through testing and bug fixes.
{{note|SSL is old, TLS is new. If you have the option to run TLS, run TLS rather than SSL.}}

=== Installation ===
{{console|body=###i## emerge dev-libs/openssl}}

=== Usage ===
SSL/TLS deployments use several kinds of certificates with differing coverage and use cases. Certificates are obtained from third-party providers (certificate authorities). GoDaddy, Namecheap and VeriSign are popular certificate providers, though several others exist.

The general procedure is: buy the certificate, submit the request files, send extra information if required, get the signed files back, insert them into the configuration of the program that uses OpenSSL, and switch that program's port to the S version of the protocol (for the web, port 80 becomes port 443, and you address the server as https instead of http). Then renew the certificate next year.

==== Self Signed Certificates ====
Free:
Self-signed certificates are free, self-made, quick, easy to set up, and insecure, as no trusted third party vouches for them. They are great for lab experiments and for testing out new technologies that you're not familiar with.

==== Free Certificates ====
Free (with restrictions):
You can get free certificates from places like StartSSL.com. The free certificates from them are not recommended if you are a company or doing e-commerce, as they only validate that you own the domain, not anything beyond that. However, for personal sites, you can't beat the cost.

==== Single Domain Certificates ====
Generally $10/yr:
Single domain certificates are probably the cheapest SSL certificate you will find on the web. This certificate does not cover subdomains.

==== Unified Communications Certificate ====
Generally $300/yr:
This certificate is meant for small businesses. This type of certificate will generally cover 20-30 domains, sites, or subdomains.

==== Wildcard Certificates ====

Generally $300/yr:
Wildcard certificates are expensive; however, they cover every subdomain name you add.

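The coverage differences between single domain, wildcard and unified communications (SAN list) certificates described above come down to one rule: how a name on the certificate is matched against the host name a client connects to. The following Python code is an added example, not part of the original page or of OpenSSL itself; it implements the name-matching rule of RFC 6125 section 6.4.3 (a <tt>*</tt> is allowed only as the whole leftmost label and matches exactly one label, so <tt>*.example.com</tt> covers <tt>www.example.com</tt> but neither <tt>example.com</tt> nor <tt>a.b.example.com</tt>) and applies it to constructed sample certificates. All certificate names and host names in it are made up for illustration.

```python
"""Added example (not from the Funtoo wiki page): which host names does a
certificate name cover?  Implements the wildcard rule of RFC 6125 section 6.4.3
so the coverage differences between certificate types can be checked offline.
All certificate names and host names here are constructed samples."""


def name_covers(cert_name, hostname):
    """True if a certificate name (CN or SAN dNSName) covers the given hostname."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname  # single-domain name: exact match only

    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    # The wildcard must be the entire leftmost label ("*.example.com", not
    # "w*.example.com" or "www.*.com"); overly broad names like "*.com" are refused.
    if cert_labels[0] != "*" or "*" in cert_labels[1:] or len(cert_labels) < 3:
        return False
    # One label only: "*.example.com" covers "www.example.com" but neither the
    # bare "example.com" nor the deeper "a.b.example.com".
    return len(host_labels) == len(cert_labels) and host_labels[1:] == cert_labels[1:]


def covered_hosts(cert_names, hostnames):
    """Map each hostname to whether any name on the certificate covers it."""
    return {host: any(name_covers(name, host) for name in cert_names) for host in hostnames}


# Constructed stand-ins for the certificate types described on this page.
SAMPLE_CERTS = {
    "single domain": ["www.example.com"],
    "wildcard": ["*.example.com"],
    "unified communications (SAN list)": [
        "example.com", "www.example.com", "mail.example.com", "example.net",
    ],
}
HOSTS = ["example.com", "www.example.com", "mail.example.com", "a.b.example.com", "example.net"]


def coverage_table():
    """Coverage of every sample host by every sample certificate type."""
    return {kind: covered_hosts(names, HOSTS) for kind, names in SAMPLE_CERTS.items()}


if __name__ == "__main__":
    for kind, row in coverage_table().items():
        print(kind)
        for host, ok in row.items():
            print(f"  {'covers' if ok else 'does NOT cover':14} {host}")
```

Two practical consequences follow from the table this prints: a wildcard certificate does not cover the bare domain (many providers add it as an extra SAN entry for exactly that reason), and a unified communications certificate covers only the names explicitly listed in it, which is why adding a new site means reissuing it. In production, leave the actual check to the TLS library's hostname verification rather than re-implementing it; this code only makes the rule visible.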
==== Other Misc Certs ====
* domain validated SSL Certificates
* organization validated SSL Certificates
* Extended Validation SSL Certificates

=== Using SSL With Nginx or Tengine ===
See this page: [[HOWTO:WebServer_SSL]]

=== External Resources ===
https://wiki.archlinux.org/index.php/OpenSSL
{{EbuildFooter}}