# # For a description of the syntax of this configuration file, # see scripts/config/Kconfig-language.txt # menu "SSL Library" choice prompt "Mode" default CONFIG_SSL_FULL_MODE config CONFIG_SSL_SERVER_ONLY bool "Server only - no verification" help Enable server functionality (no client functionality). This mode still supports sessions and chaining (which can be turned off in configuration). The axssl sample runs with the minimum of features. This is the most space efficient of the modes with the library about 45kB in size. Use this mode if you are doing standard SSL server work. config CONFIG_SSL_CERT_VERIFICATION bool "Server only - with verification" help Enable server functionality with client authentication (no client functionality). The axssl sample runs with the "-verify" and "-CAfile" options. This mode produces a library about 49kB in size. Use this mode if you have an SSL server which requires client authentication (which is uncommon in browser applications). config CONFIG_SSL_ENABLE_CLIENT bool "Client/Server enabled" help Enable client/server functionality (including peer authentication). The axssl sample runs with the "s_client" option enabled. This mode produces a library about 51kB in size. Use this mode if you require axTLS to use SSL client functionality (the SSL server code is always enabled). config CONFIG_SSL_FULL_MODE bool "Client/Server enabled with diagnostics" help Enable client/server functionality including diagnostics. Most of the extra size in this mode is due to the storage of various strings that are used. The axssl sample has 3 more options, "-debug", "-state" and "-show-rsa" This mode produces a library about 58kB in size. It is suggested that this mode is used only during development, or systems that have more generous memory limits. It is the default to demonstrate the features of axTLS. config CONFIG_SSL_SKELETON_MODE bool "Skeleton mode - the smallest server mode" help This is an experiment to build the smallest library at the expense of features and speed. * Server mode only. * The AES cipher is disabled. * No session resumption. * No external keys/certificates are supported. * The bigint library has most of the performance features disabled. * Some other features/API calls may not work. This mode produces a library about 37kB in size. The main disadvantage of this mode is speed - it will be much slower than the other build modes. endchoice choice prompt "Protocol Preference" depends on !CONFIG_SSL_SKELETON_MODE default CONFIG_SSL_PROT_MEDIUM config CONFIG_SSL_PROT_LOW bool "Low" help Chooses the cipher in the order of RC4-SHA, AES128-SHA, AES256-SHA. This will use the fastest cipher(s) but at the expense of security. config CONFIG_SSL_PROT_MEDIUM bool "Medium" help Chooses the cipher in the order of AES128-SHA, AES256-SHA, RC4-SHA. This mode is a balance between speed and security and is the default. config CONFIG_SSL_PROT_HIGH bool "High" help Chooses the cipher in the order of AES256-SHA, AES128-SHA, RC4-SHA. This will use the strongest cipher(s) at the cost of speed. endchoice config CONFIG_SSL_USE_DEFAULT_KEY bool "Enable default key" depends on !CONFIG_SSL_SKELETON_MODE default y help Some applications will not require the default private key/certificate that is built in. This is one way to save on a couple of kB's if an external private key/certificate is used. The private key is in ssl/private_key.h and the certificate is in ssl/cert.h. The advantage of a built-in private key/certificate is that no file system is required for access. Both the certificate and the private key will be automatically loaded on a ssl_ctx_new(). However this private key/certificate can never be changed (without a code update). This mode is enabled by default. Disable this mode if the built-in key/certificate is not used. config CONFIG_SSL_PRIVATE_KEY_LOCATION string "Private key file location" depends on !CONFIG_SSL_USE_DEFAULT_KEY && !CONFIG_SSL_SKELETON_MODE help The file location of the private key which will be automatically loaded on a ssl_ctx_new(). config CONFIG_SSL_PRIVATE_KEY_PASSWORD string "Private key password" depends on !CONFIG_SSL_USE_DEFAULT_KEY && CONFIG_SSL_HAS_PEM help The password required to decrypt a PEM-encoded password file. config CONFIG_SSL_X509_CERT_LOCATION string "X.509 certificate file location" depends on !CONFIG_SSL_GENERATE_X509_CERT && !CONFIG_SSL_USE_DEFAULT_KEY && !CONFIG_SSL_SKELETON_MODE help The file location of the X.509 certificate which will be automatically loaded on a ssl_ctx_new(). config CONFIG_SSL_GENERATE_X509_CERT bool "Generate X.509 Certificate" default n help An X.509 certificate can be automatically generated on a ssl_ctx_new(). A private key still needs to be provided (the private key in ss/private_key.h will be used unless CONFIG_SSL_PRIVATE_KEY_LOCATION is set). The certificate is generated on the fly, and so a minor start-up time penalty is to be expected. This feature adds around 5kB to the library. This feature is disabled by default. config CONFIG_SSL_X509_COMMON_NAME string "X.509 Common Name" depends on CONFIG_SSL_GENERATE_X509_CERT help The common name for the X.509 certificate. This should be the fully qualified domain name (FQDN), e.g. www.foo.com. If this is blank, then this will be value from gethostname() and getdomainname(). config CONFIG_SSL_X509_ORGANIZATION_NAME string "X.509 Organization Name" depends on CONFIG_SSL_GENERATE_X509_CERT help The organization name for the generated X.509 certificate. This field is optional. config CONFIG_SSL_X509_ORGANIZATION_UNIT_NAME string "X.509 Organization Unit Name" depends on CONFIG_SSL_GENERATE_X509_CERT help The organization unit name for the generated X.509 certificate. This field is optional. config CONFIG_SSL_ENABLE_V23_HANDSHAKE bool "Enable v23 Handshake" default y help Some browsers use the v23 handshake client hello message (an SSL2 format message which all SSL servers can understand). It may be used if SSL2 is enabled in the browser. Since this feature takes a kB or so, this feature may be disabled - at the risk of making it incompatible with some browsers (IE6 is ok, Firefox 1.5 and below use it). Disable if backwards compatibility is not an issue (i.e. the client is always using TLS1.0) config CONFIG_SSL_HAS_PEM bool "Enable PEM" default n if !CONFIG_SSL_FULL_MODE default y if CONFIG_SSL_FULL_MODE depends on !CONFIG_SSL_SKELETON_MODE help Enable the use of PEM format for certificates and private keys. PEM is not normally needed - PEM files can be converted into DER files quite easily. However they have the convenience of allowing multiple certificates/keys in the same file. This feature will add a couple of kB to the library. Disable if PEM is not used (which will be in most cases). config CONFIG_SSL_USE_PKCS12 bool "Use PKCS8/PKCS12" default n if !CONFIG_SSL_FULL_MODE default y if CONFIG_SSL_FULL_MODE depends on !CONFIG_SSL_SERVER_ONLY && !CONFIG_SSL_SKELETON_MODE help PKCS#12 certificates combine private keys and certificates together in one file. PKCS#8 private keys are also suppported (as it is a subset of PKCS#12). The decryption of these certificates uses RC4-128 (and these certificates must be encrypted using this cipher). The actual algorithm is "PBE-SHA1-RC4-128". Disable if PKCS#12 is not used (which will be in most cases). config CONFIG_SSL_EXPIRY_TIME int "Session expiry time (in hours)" depends on !CONFIG_SSL_SKELETON_MODE default 24 help The time (in hours) before a session expires. A longer time means that the expensive parts of a handshake don't need to be run when a client reconnects later. The default is 1 day. config CONFIG_X509_MAX_CA_CERTS int "Maximum number of certificate authorites" default 4 depends on !CONFIG_SSL_SERVER_ONLY && !CONFIG_SSL_SKELETON_MODE help Determines the number of CA's allowed. Increase this figure if more trusted sites are allowed. Each certificate adds about 300 bytes (when added). The default is to allow four certification authorities. config CONFIG_SSL_MAX_CERTS int "Maximum number of chained certificates" default 2 help Determines the number of certificates used in a certificate chain. The chain length must be at least 1. Increase this figure if more certificates are to be added to the chain. Each certificate adds about 300 bytes (when added). The default is to allow one certificate + 1 certificate in the chain (which may be the certificate authority certificate). config CONFIG_SSL_CTX_MUTEXING bool "Enable SSL_CTX mutexing" default n help Normally mutexing is not required - each SSL_CTX object can deal with many SSL objects (as long as each SSL_CTX object is using a single thread). If the SSL_CTX object is not thread safe e.g. the case where a new thread is created for each SSL object, then mutexing is required. Select y when a mutex on the SSL_CTX object is required. config CONFIG_USE_DEV_URANDOM bool "Use /dev/urandom" default y depends on !CONFIG_PLATFORM_WIN32 help Use /dev/urandom. Otherwise a custom RNG is used. This will be the default on most Linux systems. config CONFIG_WIN32_USE_CRYPTO_LIB bool "Use Win32 Crypto Library" depends on CONFIG_PLATFORM_WIN32 help Microsoft produce a Crypto API which requires the Platform SDK to be installed. It's used for the RNG. This will be the default on most Win32 systems. config CONFIG_OPENSSL_COMPATIBLE bool "Enable openssl API compatibility" default n help To ease the porting of openssl applications, a subset of the openssl API is wrapped around the axTLS API. Note: not all the API is implemented, so parts may still break. And it's definitely not 100% compatible. config CONFIG_PERFORMANCE_TESTING bool "Build the bigint performance test tool" default n help Used for performance testing of bigint. This is a testing tool and is normally disabled. config CONFIG_SSL_TEST bool "Build the SSL testing tool" default n depends on CONFIG_SSL_FULL_MODE && !CONFIG_SSL_GENERATE_X509_CERT help Used for sanity checking the SSL handshaking. This is a testing tool and is normally disabled. endmenu