--- /dev/null
+#
+# For a description of the syntax of this configuration file,
+# see scripts/config/Kconfig-language.txt
+#
+
+menu "SSL Library"
+
+choice
+ prompt "Mode"
+ default CONFIG_SSL_FULL_MODE
+
+config CONFIG_SSL_SERVER_ONLY
+ bool "Server only - no verification"
+ help
+ Enable server functionality (no client functionality).
+ This mode still supports sessions and chaining (which can be turned
+ off in configuration).
+
+ The axssl sample runs with the minimum of features.
+
+ This is the most space efficient of the modes with the library
+ about 45kB in size. Use this mode if you are doing standard SSL server
+ work.
+
+config CONFIG_SSL_CERT_VERIFICATION
+ bool "Server only - with verification"
+ help
+ Enable server functionality with client authentication (no client
+ functionality).
+
+ The axssl sample runs with the "-verify" and "-CAfile" options.
+
+ This mode produces a library about 49kB in size. Use this mode if you
+ have an SSL server which requires client authentication (which is
+ uncommon in browser applications).
+
+config CONFIG_SSL_ENABLE_CLIENT
+ bool "Client/Server enabled"
+ help
+ Enable client/server functionality (including peer authentication).
+
+ The axssl sample runs with the "s_client" option enabled.
+
+ This mode produces a library about 51kB in size. Use this mode if you
+ require axTLS to use SSL client functionality (the SSL server code
+ is always enabled).
+
+config CONFIG_SSL_FULL_MODE
+ bool "Client/Server enabled with diagnostics"
+ help
+ Enable client/server functionality including diagnostics. Most of the
+ extra size in this mode is due to the storage of various strings that
+ are used.
+
+ The axssl sample has 3 more options, "-debug", "-state" and "-show-rsa"
+
+ This mode produces a library about 58kB in size. It is suggested that
+ this mode is used only during development, or systems that have more
+ generous memory limits.
+
+ It is the default to demonstrate the features of axTLS.
+
+config CONFIG_SSL_SKELETON_MODE
+ bool "Skeleton mode - the smallest server mode"
+ help
+ This is an experiment to build the smallest library at the expense of
+ features and speed.
+
+ * Server mode only.
+ * The AES cipher is disabled.
+ * No session resumption.
+ * No external keys/certificates are supported.
+ * The bigint library has most of the performance features disabled.
+ * Some other features/API calls may not work.
+
+ This mode produces a library about 37kB in size. The main
+ disadvantage of this mode is speed - it will be much slower than the
+ other build modes.
+
+endchoice
+
+choice
+ prompt "Protocol Preference"
+ depends on !CONFIG_SSL_SKELETON_MODE
+ default CONFIG_SSL_PROT_MEDIUM
+
+config CONFIG_SSL_PROT_LOW
+ bool "Low"
+ help
+ Chooses the cipher in the order of RC4-SHA, AES128-SHA, AES256-SHA.
+
+ This will use the fastest cipher(s) but at the expense of security.
+
+config CONFIG_SSL_PROT_MEDIUM
+ bool "Medium"
+ help
+ Chooses the cipher in the order of AES128-SHA, AES256-SHA, RC4-SHA.
+
+ This mode is a balance between speed and security and is the default.
+
+config CONFIG_SSL_PROT_HIGH
+ bool "High"
+ help
+ Chooses the cipher in the order of AES256-SHA, AES128-SHA, RC4-SHA.
+
+ This will use the strongest cipher(s) at the cost of speed.
+
+endchoice
+
+config CONFIG_SSL_USE_DEFAULT_KEY
+ bool "Enable default key"
+ depends on !CONFIG_SSL_SKELETON_MODE
+ default y
+ help
+ Some applications will not require the default private key/certificate
+ that is built in. This is one way to save on a couple of kB's if an
+ external private key/certificate is used.
+
+ The private key is in ssl/private_key.h and the certificate is in
+ ssl/cert.h.
+
+ The advantage of a built-in private key/certificate is that no file
+ system is required for access. Both the certificate and the private
+ key will be automatically loaded on a ssl_ctx_new().
+
+ However this private key/certificate can never be changed (without a
+ code update).
+
+ This mode is enabled by default. Disable this mode if the
+ built-in key/certificate is not used.
+
+config CONFIG_SSL_PRIVATE_KEY_LOCATION
+ string "Private key file location"
+ depends on !CONFIG_SSL_USE_DEFAULT_KEY && !CONFIG_SSL_SKELETON_MODE
+ help
+ The file location of the private key which will be automatically
+ loaded on a ssl_ctx_new().
+
+config CONFIG_SSL_PRIVATE_KEY_PASSWORD
+ string "Private key password"
+ depends on !CONFIG_SSL_USE_DEFAULT_KEY && CONFIG_SSL_HAS_PEM
+ help
+ The password required to decrypt a PEM-encoded password file.
+
+config CONFIG_SSL_X509_CERT_LOCATION
+ string "X.509 certificate file location"
+ depends on !CONFIG_SSL_GENERATE_X509_CERT && !CONFIG_SSL_USE_DEFAULT_KEY && !CONFIG_SSL_SKELETON_MODE
+ help
+ The file location of the X.509 certificate which will be automatically
+ loaded on a ssl_ctx_new().
+
+config CONFIG_SSL_GENERATE_X509_CERT
+ bool "Generate X.509 Certificate"
+ default n
+ help
+ An X.509 certificate can be automatically generated on a
+ ssl_ctx_new(). A private key still needs to be provided (the private
+ key in ss/private_key.h will be used unless
+ CONFIG_SSL_PRIVATE_KEY_LOCATION is set).
+
+ The certificate is generated on the fly, and so a minor start-up time
+ penalty is to be expected. This feature adds around 5kB to the
+ library.
+
+ This feature is disabled by default.
+
+config CONFIG_SSL_X509_COMMON_NAME
+ string "X.509 Common Name"
+ depends on CONFIG_SSL_GENERATE_X509_CERT
+ help
+ The common name for the X.509 certificate. This should be the fully
+ qualified domain name (FQDN), e.g. www.foo.com.
+
+ If this is blank, then this will be value from gethostname() and
+ getdomainname().
+
+config CONFIG_SSL_X509_ORGANIZATION_NAME
+ string "X.509 Organization Name"
+ depends on CONFIG_SSL_GENERATE_X509_CERT
+ help
+ The organization name for the generated X.509 certificate.
+
+ This field is optional.
+
+config CONFIG_SSL_X509_ORGANIZATION_UNIT_NAME
+ string "X.509 Organization Unit Name"
+ depends on CONFIG_SSL_GENERATE_X509_CERT
+ help
+ The organization unit name for the generated X.509 certificate.
+
+ This field is optional.
+
+config CONFIG_SSL_ENABLE_V23_HANDSHAKE
+ bool "Enable v23 Handshake"
+ default y
+ help
+ Some browsers use the v23 handshake client hello message
+ (an SSL2 format message which all SSL servers can understand).
+ It may be used if SSL2 is enabled in the browser.
+
+ Since this feature takes a kB or so, this feature may be disabled - at
+ the risk of making it incompatible with some browsers (IE6 is ok,
+ Firefox 1.5 and below use it).
+
+ Disable if backwards compatibility is not an issue (i.e. the client is
+ always using TLS1.0)
+
+config CONFIG_SSL_HAS_PEM
+ bool "Enable PEM"
+ default n if !CONFIG_SSL_FULL_MODE
+ default y if CONFIG_SSL_FULL_MODE
+ depends on !CONFIG_SSL_SKELETON_MODE
+ help
+ Enable the use of PEM format for certificates and private keys.
+
+ PEM is not normally needed - PEM files can be converted into DER files
+ quite easily. However they have the convenience of allowing multiple
+ certificates/keys in the same file.
+
+ This feature will add a couple of kB to the library.
+
+ Disable if PEM is not used (which will be in most cases).
+
+config CONFIG_SSL_USE_PKCS12
+ bool "Use PKCS8/PKCS12"
+ default n if !CONFIG_SSL_FULL_MODE
+ default y if CONFIG_SSL_FULL_MODE
+ depends on !CONFIG_SSL_SERVER_ONLY && !CONFIG_SSL_SKELETON_MODE
+ help
+ PKCS#12 certificates combine private keys and certificates together in
+ one file.
+
+ PKCS#8 private keys are also suppported (as it is a subset of PKCS#12).
+
+ The decryption of these certificates uses RC4-128 (and these
+ certificates must be encrypted using this cipher). The actual
+ algorithm is "PBE-SHA1-RC4-128".
+
+ Disable if PKCS#12 is not used (which will be in most cases).
+
+config CONFIG_SSL_EXPIRY_TIME
+ int "Session expiry time (in hours)"
+ depends on !CONFIG_SSL_SKELETON_MODE
+ default 24
+ help
+ The time (in hours) before a session expires.
+
+ A longer time means that the expensive parts of a handshake don't
+ need to be run when a client reconnects later.
+
+ The default is 1 day.
+
+config CONFIG_X509_MAX_CA_CERTS
+ int "Maximum number of certificate authorites"
+ default 4
+ depends on !CONFIG_SSL_SERVER_ONLY && !CONFIG_SSL_SKELETON_MODE
+ help
+ Determines the number of CA's allowed.
+
+ Increase this figure if more trusted sites are allowed. Each
+ certificate adds about 300 bytes (when added).
+
+ The default is to allow four certification authorities.
+
+config CONFIG_SSL_MAX_CERTS
+ int "Maximum number of chained certificates"
+ default 2
+ help
+ Determines the number of certificates used in a certificate
+ chain. The chain length must be at least 1.
+
+ Increase this figure if more certificates are to be added to the
+ chain. Each certificate adds about 300 bytes (when added).
+
+ The default is to allow one certificate + 1 certificate in the chain
+ (which may be the certificate authority certificate).
+
+config CONFIG_SSL_CTX_MUTEXING
+ bool "Enable SSL_CTX mutexing"
+ default n
+ help
+ Normally mutexing is not required - each SSL_CTX object can deal with
+ many SSL objects (as long as each SSL_CTX object is using a single
+ thread).
+
+ If the SSL_CTX object is not thread safe e.g. the case where a
+ new thread is created for each SSL object, then mutexing is required.
+
+ Select y when a mutex on the SSL_CTX object is required.
+
+config CONFIG_USE_DEV_URANDOM
+ bool "Use /dev/urandom"
+ default y
+ depends on !CONFIG_PLATFORM_WIN32
+ help
+ Use /dev/urandom. Otherwise a custom RNG is used.
+
+ This will be the default on most Linux systems.
+
+config CONFIG_WIN32_USE_CRYPTO_LIB
+ bool "Use Win32 Crypto Library"
+ depends on CONFIG_PLATFORM_WIN32
+ help
+ Microsoft produce a Crypto API which requires the Platform SDK to be
+ installed. It's used for the RNG.
+
+ This will be the default on most Win32 systems.
+
+config CONFIG_OPENSSL_COMPATIBLE
+ bool "Enable openssl API compatibility"
+ default n
+ help
+ To ease the porting of openssl applications, a subset of the openssl
+ API is wrapped around the axTLS API.
+
+ Note: not all the API is implemented, so parts may still break. And
+ it's definitely not 100% compatible.
+
+config CONFIG_PERFORMANCE_TESTING
+ bool "Build the bigint performance test tool"
+ default n
+ help
+ Used for performance testing of bigint.
+
+ This is a testing tool and is normally disabled.
+
+config CONFIG_SSL_TEST
+ bool "Build the SSL testing tool"
+ default n
+ depends on CONFIG_SSL_FULL_MODE && !CONFIG_SSL_GENERATE_X509_CERT
+ help
+ Used for sanity checking the SSL handshaking.
+
+ This is a testing tool and is normally disabled.
+
+endmenu
projects / project / luci.git / blobdiff