+++ /dev/null
-#
-# For a description of the syntax of this configuration file,
-# see scripts/config/Kconfig-language.txt
-#
-
-menu "SSL Library"
-
-choice
- prompt "Mode"
- default CONFIG_SSL_FULL_MODE
-
-config CONFIG_SSL_SERVER_ONLY
- bool "Server only - no verification"
- help
- Enable server functionality (no client functionality).
- This mode still supports sessions and chaining (which can be turned
- off in configuration).
-
- The axssl sample runs with the minimum of features.
-
- This is the most space efficient of the modes with the library
- about 45kB in size. Use this mode if you are doing standard SSL server
- work.
-
-config CONFIG_SSL_CERT_VERIFICATION
- bool "Server only - with verification"
- help
- Enable server functionality with client authentication (no client
- functionality).
-
- The axssl sample runs with the "-verify" and "-CAfile" options.
-
- This mode produces a library about 49kB in size. Use this mode if you
- have an SSL server which requires client authentication (which is
- uncommon in browser applications).
-
-config CONFIG_SSL_ENABLE_CLIENT
- bool "Client/Server enabled"
- help
- Enable client/server functionality (including peer authentication).
-
- The axssl sample runs with the "s_client" option enabled.
-
- This mode produces a library about 51kB in size. Use this mode if you
- require axTLS to use SSL client functionality (the SSL server code
- is always enabled).
-
-config CONFIG_SSL_FULL_MODE
- bool "Client/Server enabled with diagnostics"
- help
- Enable client/server functionality including diagnostics. Most of the
- extra size in this mode is due to the storage of various strings that
- are used.
-
- The axssl sample has 3 more options, "-debug", "-state" and "-show-rsa"
-
- This mode produces a library about 58kB in size. It is suggested that
- this mode is used only during development, or systems that have more
- generous memory limits.
-
- It is the default to demonstrate the features of axTLS.
-
-config CONFIG_SSL_SKELETON_MODE
- bool "Skeleton mode - the smallest server mode"
- help
- This is an experiment to build the smallest library at the expense of
- features and speed.
-
- * Server mode only.
- * The AES cipher is disabled.
- * No session resumption.
- * No external keys/certificates are supported.
- * The bigint library has most of the performance features disabled.
- * Some other features/API calls may not work.
-
- This mode produces a library about 37kB in size. The main
- disadvantage of this mode is speed - it will be much slower than the
- other build modes.
-
-endchoice
-
-choice
- prompt "Protocol Preference"
- depends on !CONFIG_SSL_SKELETON_MODE
- default CONFIG_SSL_PROT_MEDIUM
-
-config CONFIG_SSL_PROT_LOW
- bool "Low"
- help
- Chooses the cipher in the order of RC4-SHA, AES128-SHA, AES256-SHA.
-
- This will use the fastest cipher(s) but at the expense of security.
-
-config CONFIG_SSL_PROT_MEDIUM
- bool "Medium"
- help
- Chooses the cipher in the order of AES128-SHA, AES256-SHA, RC4-SHA.
-
- This mode is a balance between speed and security and is the default.
-
-config CONFIG_SSL_PROT_HIGH
- bool "High"
- help
- Chooses the cipher in the order of AES256-SHA, AES128-SHA, RC4-SHA.
-
- This will use the strongest cipher(s) at the cost of speed.
-
-endchoice
-
-config CONFIG_SSL_USE_DEFAULT_KEY
- bool "Enable default key"
- depends on !CONFIG_SSL_SKELETON_MODE
- default y
- help
- Some applications will not require the default private key/certificate
- that is built in. This is one way to save on a couple of kB's if an
- external private key/certificate is used.
-
- The private key is in ssl/private_key.h and the certificate is in
- ssl/cert.h.
-
- The advantage of a built-in private key/certificate is that no file
- system is required for access. Both the certificate and the private
- key will be automatically loaded on a ssl_ctx_new().
-
- However this private key/certificate can never be changed (without a
- code update).
-
- This mode is enabled by default. Disable this mode if the
- built-in key/certificate is not used.
-
-config CONFIG_SSL_PRIVATE_KEY_LOCATION
- string "Private key file location"
- depends on !CONFIG_SSL_USE_DEFAULT_KEY && !CONFIG_SSL_SKELETON_MODE
- help
- The file location of the private key which will be automatically
- loaded on a ssl_ctx_new().
-
-config CONFIG_SSL_PRIVATE_KEY_PASSWORD
- string "Private key password"
- depends on !CONFIG_SSL_USE_DEFAULT_KEY && CONFIG_SSL_HAS_PEM
- help
- The password required to decrypt a PEM-encoded password file.
-
-config CONFIG_SSL_X509_CERT_LOCATION
- string "X.509 certificate file location"
- depends on !CONFIG_SSL_GENERATE_X509_CERT && !CONFIG_SSL_USE_DEFAULT_KEY && !CONFIG_SSL_SKELETON_MODE
- help
- The file location of the X.509 certificate which will be automatically
- loaded on a ssl_ctx_new().
-
-config CONFIG_SSL_GENERATE_X509_CERT
- bool "Generate X.509 Certificate"
- default n
- help
- An X.509 certificate can be automatically generated on a
- ssl_ctx_new(). A private key still needs to be provided (the private
- key in ss/private_key.h will be used unless
- CONFIG_SSL_PRIVATE_KEY_LOCATION is set).
-
- The certificate is generated on the fly, and so a minor start-up time
- penalty is to be expected. This feature adds around 5kB to the
- library.
-
- This feature is disabled by default.
-
-config CONFIG_SSL_X509_COMMON_NAME
- string "X.509 Common Name"
- depends on CONFIG_SSL_GENERATE_X509_CERT
- help
- The common name for the X.509 certificate. This should be the fully
- qualified domain name (FQDN), e.g. www.foo.com.
-
- If this is blank, then this will be value from gethostname() and
- getdomainname().
-
-config CONFIG_SSL_X509_ORGANIZATION_NAME
- string "X.509 Organization Name"
- depends on CONFIG_SSL_GENERATE_X509_CERT
- help
- The organization name for the generated X.509 certificate.
-
- This field is optional.
-
-config CONFIG_SSL_X509_ORGANIZATION_UNIT_NAME
- string "X.509 Organization Unit Name"
- depends on CONFIG_SSL_GENERATE_X509_CERT
- help
- The organization unit name for the generated X.509 certificate.
-
- This field is optional.
-
-config CONFIG_SSL_ENABLE_V23_HANDSHAKE
- bool "Enable v23 Handshake"
- default y
- help
- Some browsers use the v23 handshake client hello message
- (an SSL2 format message which all SSL servers can understand).
- It may be used if SSL2 is enabled in the browser.
-
- Since this feature takes a kB or so, this feature may be disabled - at
- the risk of making it incompatible with some browsers (IE6 is ok,
- Firefox 1.5 and below use it).
-
- Disable if backwards compatibility is not an issue (i.e. the client is
- always using TLS1.0)
-
-config CONFIG_SSL_HAS_PEM
- bool "Enable PEM"
- default n if !CONFIG_SSL_FULL_MODE
- default y if CONFIG_SSL_FULL_MODE
- depends on !CONFIG_SSL_SKELETON_MODE
- help
- Enable the use of PEM format for certificates and private keys.
-
- PEM is not normally needed - PEM files can be converted into DER files
- quite easily. However they have the convenience of allowing multiple
- certificates/keys in the same file.
-
- This feature will add a couple of kB to the library.
-
- Disable if PEM is not used (which will be in most cases).
-
-config CONFIG_SSL_USE_PKCS12
- bool "Use PKCS8/PKCS12"
- default n if !CONFIG_SSL_FULL_MODE
- default y if CONFIG_SSL_FULL_MODE
- depends on !CONFIG_SSL_SERVER_ONLY && !CONFIG_SSL_SKELETON_MODE
- help
- PKCS#12 certificates combine private keys and certificates together in
- one file.
-
- PKCS#8 private keys are also suppported (as it is a subset of PKCS#12).
-
- The decryption of these certificates uses RC4-128 (and these
- certificates must be encrypted using this cipher). The actual
- algorithm is "PBE-SHA1-RC4-128".
-
- Disable if PKCS#12 is not used (which will be in most cases).
-
-config CONFIG_SSL_EXPIRY_TIME
- int "Session expiry time (in hours)"
- depends on !CONFIG_SSL_SKELETON_MODE
- default 24
- help
- The time (in hours) before a session expires.
-
- A longer time means that the expensive parts of a handshake don't
- need to be run when a client reconnects later.
-
- The default is 1 day.
-
-config CONFIG_X509_MAX_CA_CERTS
- int "Maximum number of certificate authorites"
- default 4
- depends on !CONFIG_SSL_SERVER_ONLY && !CONFIG_SSL_SKELETON_MODE
- help
- Determines the number of CA's allowed.
-
- Increase this figure if more trusted sites are allowed. Each
- certificate adds about 300 bytes (when added).
-
- The default is to allow four certification authorities.
-
-config CONFIG_SSL_MAX_CERTS
- int "Maximum number of chained certificates"
- default 2
- help
- Determines the number of certificates used in a certificate
- chain. The chain length must be at least 1.
-
- Increase this figure if more certificates are to be added to the
- chain. Each certificate adds about 300 bytes (when added).
-
- The default is to allow one certificate + 1 certificate in the chain
- (which may be the certificate authority certificate).
-
-config CONFIG_SSL_CTX_MUTEXING
- bool "Enable SSL_CTX mutexing"
- default n
- help
- Normally mutexing is not required - each SSL_CTX object can deal with
- many SSL objects (as long as each SSL_CTX object is using a single
- thread).
-
- If the SSL_CTX object is not thread safe e.g. the case where a
- new thread is created for each SSL object, then mutexing is required.
-
- Select y when a mutex on the SSL_CTX object is required.
-
-config CONFIG_USE_DEV_URANDOM
- bool "Use /dev/urandom"
- default y
- depends on !CONFIG_PLATFORM_WIN32
- help
- Use /dev/urandom. Otherwise a custom RNG is used.
-
- This will be the default on most Linux systems.
-
-config CONFIG_WIN32_USE_CRYPTO_LIB
- bool "Use Win32 Crypto Library"
- depends on CONFIG_PLATFORM_WIN32
- help
- Microsoft produce a Crypto API which requires the Platform SDK to be
- installed. It's used for the RNG.
-
- This will be the default on most Win32 systems.
-
-config CONFIG_OPENSSL_COMPATIBLE
- bool "Enable openssl API compatibility"
- default n
- help
- To ease the porting of openssl applications, a subset of the openssl
- API is wrapped around the axTLS API.
-
- Note: not all the API is implemented, so parts may still break. And
- it's definitely not 100% compatible.
-
-config CONFIG_PERFORMANCE_TESTING
- bool "Build the bigint performance test tool"
- default n
- help
- Used for performance testing of bigint.
-
- This is a testing tool and is normally disabled.
-
-config CONFIG_SSL_TEST
- bool "Build the SSL testing tool"
- default n
- depends on CONFIG_SSL_FULL_MODE && !CONFIG_SSL_GENERATE_X509_CERT
- help
- Used for sanity checking the SSL handshaking.
-
- This is a testing tool and is normally disabled.
-
-endmenu
projects / project / luci.git / blobdiff