If you care about the upmost security, you should probably be using the LibreSSL TLS crypto stack.
This is an SSL library forked from OpenSSL by the OpenBSD team around 2014 with improving the codebase, improving security, and applying the best development practices.
This guide focuses on Gentoo GNU/Linux, as it needs a few more steps to get working than other distros.
You will need Gentoo installed on your computer obvoiously, and some patience, espesially if you have a bunch of applications installed.
Keep in mind if you have a bunch of packages, be prepared to recompile, and debug any of them along the way if they fail to work or compile.
Adding the overlay
First thing you will NEED TO DO is add the LibreSSL ebuild overlay to your system.
This supplies the LibreSSL ebuild itself and patches for other applications to get working under LibreSSL. Please do the following in a terminal:
emerge eselect-repository eselect repository enable libressl emaint sync -r libressl
After doing this, you should have the overlay synced and installed, you can check this by running
If files appear, you have it installed.
You will have to set some flags in your make.conf for specific apps to use LibreSSL instaid of OpenSSL.
In your make.conf please find the USE="" paramater and put in the following:
For apps with these USE flags, they will ignore specific OpenSSL support. system-ssl is known to cause problems for nodejs users, so I reccomend disabiling it here.
Another thing that the migration does is installs and OpenSSL dummy package. Due to gentoo removing LibreSSL from their overlay.
This package is needed for packages to build correctly, dont worry, they still bind to LibreSSL.
To be sure this dummy package is the only one allowed to be merged, please open this file in a text editor
If this is a directory, not a file, then do
And insert the following
# OpenSSL mask dev-libs/openssl::gentoo # OpenSSL package mask app-crypt/qca::gentoo dev-lang/python::gentoo
This will mask OpenSSL from being merged, and cause the other packages listed to only build from the LibreSSL overlay.
Time for the big thing, we are going to migrate from OpenSSL to Libressl. The first part is removing OpenSSL from your system, and fetcing needed packages for the migration. please run:
emerge -f wget curl python libressl emerge -Cq dev-libs/openssl
After doing this, please merge LibreSSL, this will take a minute so please be patient.
emerge -1q dev-libs/libressl::libressl
You’re almost done! To test that you are actually using LibreSSL, you can run somthing like
and if it returns somthing like
you’re using LibreSSL.
Time to update and rebind everything to use LibreSSL, you may have noticed emerge will complain about libraries needing to be rebuilt, this will fix that. Please run:
emerge -vquDN @world emerge @preserved-rebuild
And if everything compiles fine, congratulations! You are now using a LibreSSL based Gentoo system. I hope you enjoyed this guide. -itZzenXX