# For a description of the syntax of this configuration file,
# see scripts/config/Kconfig-language.txt

	default CONFIG_SSL_FULL_MODE

config CONFIG_SSL_SERVER_ONLY
	bool "Server only - no verification"
	  Enable server functionality (no client functionality).
	  This mode still supports sessions and chaining (which can be turned
	  off in configuration).

	  The axssl sample runs with the minimum of features.

	  This is the most space efficient of the modes with the library
	  about 45kB in size. Use this mode if you are doing standard SSL server
config CONFIG_SSL_CERT_VERIFICATION
	bool "Server only - with verification"
	  Enable server functionality with client authentication (no client

	  The axssl sample runs with the "-verify" and "-CAfile" options.

	  This mode produces a library about 49kB in size. Use this mode if you
	  have an SSL server which requires client authentication (which is
	  uncommon in browser applications).

config CONFIG_SSL_ENABLE_CLIENT
	bool "Client/Server enabled"
	  Enable client/server functionality (including peer authentication).

	  The axssl sample runs with the "s_client" option enabled.

	  This mode produces a library about 51kB in size. Use this mode if you
	  require axTLS to use SSL client functionality (the SSL server code
config CONFIG_SSL_FULL_MODE
	bool "Client/Server enabled with diagnostics"
	  Enable client/server functionality including diagnostics. Most of the
	  extra size in this mode is due to the storage of various strings that

	  The axssl sample has 3 more options, "-debug", "-state" and "-show-rsa"

	  This mode produces a library about 58kB in size. It is suggested that
	  this mode is used only during development, or on systems that have more
	  generous memory limits.

	  It is the default to demonstrate the features of axTLS.

config CONFIG_SSL_SKELETON_MODE
	bool "Skeleton mode - the smallest server mode"
	  This is an experiment to build the smallest library at the expense of

	  * The AES cipher is disabled.
	  * No session resumption.
	  * No external keys/certificates are supported.
	  * The bigint library has most of the performance features disabled.
	  * Some other features/API calls may not work.

	  This mode produces a library about 37kB in size. The main
	  disadvantage of this mode is speed - it will be much slower than the

	prompt "Protocol Preference"
	depends on !CONFIG_SSL_SKELETON_MODE
	default CONFIG_SSL_PROT_MEDIUM
config CONFIG_SSL_PROT_LOW
	  Chooses the cipher in the order of RC4-SHA, AES128-SHA, AES256-SHA.

	  This will use the fastest cipher(s) but at the expense of security.

config CONFIG_SSL_PROT_MEDIUM
	  Chooses the cipher in the order of AES128-SHA, AES256-SHA, RC4-SHA.

	  This mode is a balance between speed and security and is the default.

config CONFIG_SSL_PROT_HIGH
	  Chooses the cipher in the order of AES256-SHA, AES128-SHA, RC4-SHA.

	  This will use the strongest cipher(s) at the cost of speed.
config CONFIG_SSL_USE_DEFAULT_KEY
	bool "Enable default key"
	depends on !CONFIG_SSL_SKELETON_MODE
	  Some applications will not require the default private key/certificate
	  that is built in. This is one way to save a couple of kB if an
	  external private key/certificate is used.

	  The private key is in ssl/private_key.h and the certificate is in

	  The advantage of a built-in private key/certificate is that no file
	  system is required for access. Both the certificate and the private
	  key will be automatically loaded on an ssl_ctx_new().

	  However this private key/certificate can never be changed (without a

	  This mode is enabled by default. Disable this mode if the
	  built-in key/certificate is not used.
config CONFIG_SSL_PRIVATE_KEY_LOCATION
	string "Private key file location"
	depends on !CONFIG_SSL_USE_DEFAULT_KEY && !CONFIG_SSL_SKELETON_MODE
	  The file location of the private key which will be automatically
	  loaded on an ssl_ctx_new().

config CONFIG_SSL_PRIVATE_KEY_PASSWORD
	string "Private key password"
	depends on !CONFIG_SSL_USE_DEFAULT_KEY && CONFIG_SSL_HAS_PEM
	  The password required to decrypt a PEM-encoded private key file.

config CONFIG_SSL_X509_CERT_LOCATION
	string "X.509 certificate file location"
	depends on !CONFIG_SSL_GENERATE_X509_CERT && !CONFIG_SSL_USE_DEFAULT_KEY && !CONFIG_SSL_SKELETON_MODE
	  The file location of the X.509 certificate which will be automatically
	  loaded on an ssl_ctx_new().

config CONFIG_SSL_GENERATE_X509_CERT
	bool "Generate X.509 Certificate"
	  An X.509 certificate can be automatically generated on an
	  ssl_ctx_new(). A private key still needs to be provided (the private
	  key in ssl/private_key.h will be used unless
	  CONFIG_SSL_PRIVATE_KEY_LOCATION is set).

	  The certificate is generated on the fly, and so a minor start-up time
	  penalty is to be expected. This feature adds around 5kB to the

	  This feature is disabled by default.
config CONFIG_SSL_X509_COMMON_NAME
	string "X.509 Common Name"
	depends on CONFIG_SSL_GENERATE_X509_CERT
	  The common name for the X.509 certificate. This should be the fully
	  qualified domain name (FQDN), e.g. www.foo.com.

	  If this is blank, then this will be the value from gethostname() and

config CONFIG_SSL_X509_ORGANIZATION_NAME
	string "X.509 Organization Name"
	depends on CONFIG_SSL_GENERATE_X509_CERT
	  The organization name for the generated X.509 certificate.

	  This field is optional.

config CONFIG_SSL_X509_ORGANIZATION_UNIT_NAME
	string "X.509 Organization Unit Name"
	depends on CONFIG_SSL_GENERATE_X509_CERT
	  The organization unit name for the generated X.509 certificate.

	  This field is optional.

config CONFIG_SSL_ENABLE_V23_HANDSHAKE
	bool "Enable v23 Handshake"
	  Some browsers use the v23 handshake client hello message
	  (an SSL2 format message which all SSL servers can understand).
	  It may be used if SSL2 is enabled in the browser.

	  Since this feature takes a kB or so, it may be disabled - at
	  the risk of making it incompatible with some browsers (IE6 is ok,
	  Firefox 1.5 and below use it).

	  Disable if backwards compatibility is not an issue (i.e. the client is
config CONFIG_SSL_HAS_PEM
	default n if !CONFIG_SSL_FULL_MODE
	default y if CONFIG_SSL_FULL_MODE
	depends on !CONFIG_SSL_SKELETON_MODE
	  Enable the use of PEM format for certificates and private keys.

	  PEM is not normally needed - PEM files can be converted into DER files
	  quite easily. However they have the convenience of allowing multiple
	  certificates/keys in the same file.

	  This feature will add a couple of kB to the library.

	  Disable if PEM is not used (which will be in most cases).

config CONFIG_SSL_USE_PKCS12
	bool "Use PKCS8/PKCS12"
	default n if !CONFIG_SSL_FULL_MODE
	default y if CONFIG_SSL_FULL_MODE
	depends on !CONFIG_SSL_SERVER_ONLY && !CONFIG_SSL_SKELETON_MODE
	  PKCS#12 certificates combine private keys and certificates together in

	  PKCS#8 private keys are also supported (as it is a subset of PKCS#12).

	  The decryption of these certificates uses RC4-128 (and these
	  certificates must be encrypted using this cipher). The actual
	  algorithm is "PBE-SHA1-RC4-128".

	  Disable if PKCS#12 is not used (which will be in most cases).
config CONFIG_SSL_EXPIRY_TIME
	int "Session expiry time (in hours)"
	depends on !CONFIG_SSL_SKELETON_MODE
	  The time (in hours) before a session expires.

	  A longer time means that the expensive parts of a handshake don't
	  need to be run when a client reconnects later.

	  The default is 1 day.

config CONFIG_X509_MAX_CA_CERTS
	int "Maximum number of certificate authorities"
	depends on !CONFIG_SSL_SERVER_ONLY && !CONFIG_SSL_SKELETON_MODE
	  Determines the number of CAs allowed.

	  Increase this figure if more trusted sites are allowed. Each
	  certificate adds about 300 bytes (when added).

	  The default is to allow four certification authorities.

config CONFIG_SSL_MAX_CERTS
	int "Maximum number of chained certificates"
	  Determines the number of certificates used in a certificate
	  chain. The chain length must be at least 1.

	  Increase this figure if more certificates are to be added to the
	  chain. Each certificate adds about 300 bytes (when added).

	  The default is to allow one certificate + 1 certificate in the chain
	  (which may be the certificate authority certificate).
config CONFIG_SSL_CTX_MUTEXING
	bool "Enable SSL_CTX mutexing"
	  Normally mutexing is not required - each SSL_CTX object can deal with
	  many SSL objects (as long as each SSL_CTX object is using a single

	  If the SSL_CTX object is not thread safe, e.g. the case where a
	  new thread is created for each SSL object, then mutexing is required.

	  Select y when a mutex on the SSL_CTX object is required.

config CONFIG_USE_DEV_URANDOM
	bool "Use /dev/urandom"
	depends on !CONFIG_PLATFORM_WIN32
	  Use /dev/urandom. Otherwise a custom RNG is used.

	  This will be the default on most Linux systems.

config CONFIG_WIN32_USE_CRYPTO_LIB
	bool "Use Win32 Crypto Library"
	depends on CONFIG_PLATFORM_WIN32
	  Microsoft produce a Crypto API which requires the Platform SDK to be
	  installed. It's used for the RNG.

	  This will be the default on most Win32 systems.

config CONFIG_OPENSSL_COMPATIBLE
	bool "Enable openssl API compatibility"
	  To ease the porting of openssl applications, a subset of the openssl
	  API is wrapped around the axTLS API.

	  Note: not all of the API is implemented, so parts may still break. And
	  it's definitely not 100% compatible.

config CONFIG_PERFORMANCE_TESTING
	bool "Build the bigint performance test tool"
	  Used for performance testing of bigint.

	  This is a testing tool and is normally disabled.

config CONFIG_SSL_TEST
	bool "Build the SSL testing tool"
	depends on CONFIG_SSL_FULL_MODE && !CONFIG_SSL_GENERATE_X509_CERT
	  Used for sanity checking the SSL handshaking.

	  This is a testing tool and is normally disabled.
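The "depends on" lines and defaults above form a small dependency graph, and a build that sets an option whose dependencies fail (a private key password without CONFIG_SSL_HAS_PEM, PEM support in skeleton mode) silently loses that option. The following Python checker is an added example, not part of axTLS or this Config.in: it transcribes the dependencies, choices and stated defaults from this file, reports combinations the rules reject, and lists the options whose own help text trades security for size or speed (RC4-first ordering, skeleton mode, the v23 hello, the built-in key). The symbol names and cipher orders are taken from the file; the dict-based config representation and the function names are this example's own.

```python
# Added example, not part of axTLS: a checker for the option rules in this
# Config.in. A config is a dict symbol -> value; unset bool symbols count as
# n, as in Kconfig. Dependency entries below are transcribed from "depends on".

MODES = ["CONFIG_SSL_SERVER_ONLY", "CONFIG_SSL_CERT_VERIFICATION",
         "CONFIG_SSL_ENABLE_CLIENT", "CONFIG_SSL_FULL_MODE",
         "CONFIG_SSL_SKELETON_MODE"]
PROTS = ["CONFIG_SSL_PROT_LOW", "CONFIG_SSL_PROT_MEDIUM", "CONFIG_SSL_PROT_HIGH"]

# Cipher preference order per protocol choice, from the help text above.
CIPHER_ORDER = {
    "CONFIG_SSL_PROT_LOW": ["RC4-SHA", "AES128-SHA", "AES256-SHA"],
    "CONFIG_SSL_PROT_MEDIUM": ["AES128-SHA", "AES256-SHA", "RC4-SHA"],
    "CONFIG_SSL_PROT_HIGH": ["AES256-SHA", "AES128-SHA", "RC4-SHA"],
}

# symbol -> [(other symbol, value it must have)], one list per "depends on".
DEPENDS = {
    "CONFIG_SSL_USE_DEFAULT_KEY": [("CONFIG_SSL_SKELETON_MODE", False)],
    "CONFIG_SSL_PRIVATE_KEY_LOCATION": [("CONFIG_SSL_USE_DEFAULT_KEY", False),
                                        ("CONFIG_SSL_SKELETON_MODE", False)],
    "CONFIG_SSL_PRIVATE_KEY_PASSWORD": [("CONFIG_SSL_USE_DEFAULT_KEY", False),
                                        ("CONFIG_SSL_HAS_PEM", True)],
    "CONFIG_SSL_X509_CERT_LOCATION": [("CONFIG_SSL_GENERATE_X509_CERT", False),
                                      ("CONFIG_SSL_USE_DEFAULT_KEY", False),
                                      ("CONFIG_SSL_SKELETON_MODE", False)],
    "CONFIG_SSL_X509_COMMON_NAME": [("CONFIG_SSL_GENERATE_X509_CERT", True)],
    "CONFIG_SSL_HAS_PEM": [("CONFIG_SSL_SKELETON_MODE", False)],
    "CONFIG_SSL_USE_PKCS12": [("CONFIG_SSL_SERVER_ONLY", False),
                              ("CONFIG_SSL_SKELETON_MODE", False)],
    "CONFIG_SSL_EXPIRY_TIME": [("CONFIG_SSL_SKELETON_MODE", False)],
    "CONFIG_X509_MAX_CA_CERTS": [("CONFIG_SSL_SERVER_ONLY", False),
                                 ("CONFIG_SSL_SKELETON_MODE", False)],
    "CONFIG_USE_DEV_URANDOM": [("CONFIG_PLATFORM_WIN32", False)],
    "CONFIG_WIN32_USE_CRYPTO_LIB": [("CONFIG_PLATFORM_WIN32", True)],
    "CONFIG_SSL_TEST": [("CONFIG_SSL_FULL_MODE", True),
                        ("CONFIG_SSL_GENERATE_X509_CERT", False)],
}


def bval(cfg, sym):
    """Bool view of a symbol: unset means n."""
    return bool(cfg.get(sym, False))


def apply_defaults(cfg):
    """Return a copy with the defaults stated in this file filled in."""
    out = dict(cfg)
    if not any(bval(out, m) for m in MODES):
        out["CONFIG_SSL_FULL_MODE"] = True          # "default CONFIG_SSL_FULL_MODE"
    skeleton = bval(out, "CONFIG_SSL_SKELETON_MODE")
    if not skeleton and not any(bval(out, p) for p in PROTS):
        out["CONFIG_SSL_PROT_MEDIUM"] = True        # "default CONFIG_SSL_PROT_MEDIUM"
    full = bval(out, "CONFIG_SSL_FULL_MODE")
    for sym in ("CONFIG_SSL_HAS_PEM", "CONFIG_SSL_USE_PKCS12"):
        out.setdefault(sym, full)                   # default y iff FULL_MODE
    if not skeleton:
        out.setdefault("CONFIG_SSL_USE_DEFAULT_KEY", True)  # "enabled by default"
        out.setdefault("CONFIG_SSL_EXPIRY_TIME", 24)        # "The default is 1 day"
    return out


def violations(cfg):
    """Choice and 'depends on' rules from this file that cfg breaks."""
    errs = []
    modes = [m for m in MODES if bval(cfg, m)]
    if len(modes) != 1:
        errs.append("exactly one SSL mode must be chosen, got %s" % modes)
    prots = [p for p in PROTS if bval(cfg, p)]
    if bval(cfg, "CONFIG_SSL_SKELETON_MODE"):
        if prots:
            errs.append("Protocol Preference depends on !CONFIG_SSL_SKELETON_MODE")
    elif len(prots) != 1:
        errs.append("exactly one Protocol Preference must be chosen, got %s" % prots)
    for sym, deps in DEPENDS.items():
        if not cfg.get(sym):        # n, unset, 0 or "": nothing to check
            continue
        for other, want in deps:
            if bval(cfg, other) != want:
                errs.append("%s requires %s%s" % (sym, "" if want else "!", other))
    return errs


def weak_settings(cfg):
    """Enabled options whose help text above flags a security trade-off."""
    warns = []
    if bval(cfg, "CONFIG_SSL_PROT_LOW"):
        warns.append("CONFIG_SSL_PROT_LOW: %s is preferred over AES"
                     % CIPHER_ORDER["CONFIG_SSL_PROT_LOW"][0])
    if bval(cfg, "CONFIG_SSL_SKELETON_MODE"):
        warns.append("CONFIG_SSL_SKELETON_MODE: AES disabled, no session resumption")
    if bval(cfg, "CONFIG_SSL_ENABLE_V23_HANDSHAKE"):
        warns.append("CONFIG_SSL_ENABLE_V23_HANDSHAKE: SSL2-format client hello accepted")
    if bval(cfg, "CONFIG_SSL_USE_DEFAULT_KEY"):
        warns.append("CONFIG_SSL_USE_DEFAULT_KEY: built-in key from ssl/private_key.h")
    return warns


def cipher_preference(cfg):
    """Cipher order the build will offer, or [] in skeleton mode."""
    return next((list(CIPHER_ORDER[p]) for p in PROTS if bval(cfg, p)), [])


if __name__ == "__main__":
    # Constructed example: a server-only build using an external PEM key.
    cfg = apply_defaults({"CONFIG_SSL_SERVER_ONLY": True,
                          "CONFIG_SSL_USE_DEFAULT_KEY": False,
                          "CONFIG_SSL_HAS_PEM": True,
                          "CONFIG_SSL_PRIVATE_KEY_LOCATION": "/etc/axtls/key.pem"})
    print("cipher order:", cipher_preference(cfg))
    for line in violations(cfg) + weak_settings(cfg):
        print(line)
```

Run as a script it checks the constructed server-only configuration; imported, `apply_defaults`, `violations`, `weak_settings` and `cipher_preference` can be pointed at any dict of symbols. The check deliberately treats an unsatisfied dependency on a user-set option as an error rather than hiding the option the way a Kconfig front end would, because in a build pipeline a silently dropped private key path or password is the failure one wants to catch.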