X-Git-Url: https://git.archive.openwrt.org/?p=project%2Fluci.git;a=blobdiff_plain;f=libs%2Fluci-lib-nixio%2FaxTLS%2Fssl%2FConfig.in;fp=libs%2Fluci-lib-nixio%2FaxTLS%2Fssl%2FConfig.in;h=d047d420ecd839b4f2475da3b60fd6a62d20f8cf;hp=0000000000000000000000000000000000000000;hb=1bb4822dca6113f73e3bc89e2acf15935e6f8e92;hpb=9edd0e46c3f880727738ce8ca6ff1c8b85f99ef4 diff --git a/libs/luci-lib-nixio/axTLS/ssl/Config.in b/libs/luci-lib-nixio/axTLS/ssl/Config.in new file mode 100644 index 000000000..d047d420e --- /dev/null +++ b/libs/luci-lib-nixio/axTLS/ssl/Config.in 
@@ -0,0 +1,336 @@ +# +# For a description of the syntax of this configuration file, +# see scripts/config/Kconfig-language.txt +# + +menu "SSL Library" + +choice + prompt "Mode" + default CONFIG_SSL_FULL_MODE + +config CONFIG_SSL_SERVER_ONLY + bool "Server only - no verification" + help + Enable server functionality (no client functionality). + This mode still supports sessions and chaining (which can be turned + off in configuration). + + The axssl sample runs with the minimum of features. + + This is the most space efficient of the modes with the library + about 45kB in size. Use this mode if you are doing standard SSL server + work. + +config CONFIG_SSL_CERT_VERIFICATION + bool "Server only - with verification" + help + Enable server functionality with client authentication (no client + functionality). + + The axssl sample runs with the "-verify" and "-CAfile" options. + + This mode produces a library about 49kB in size. Use this mode if you + have an SSL server which requires client authentication (which is + uncommon in browser applications). + +config CONFIG_SSL_ENABLE_CLIENT + bool "Client/Server enabled" + help + Enable client/server functionality (including peer authentication). + + The axssl sample runs with the "s_client" option enabled. + + This mode produces a library about 51kB in size. Use this mode if you + require axTLS to use SSL client functionality (the SSL server code + is always enabled). + +config CONFIG_SSL_FULL_MODE + bool "Client/Server enabled with diagnostics" + help + Enable client/server functionality including diagnostics. Most of the + extra size in this mode is due to the storage of various strings that + are used. + + The axssl sample has 3 more options, "-debug", "-state" and "-show-rsa" + + This mode produces a library about 58kB in size. It is suggested that + this mode is used only during development, or systems that have more + generous memory limits. + + It is the default to demonstrate the features of axTLS. 
+ +config CONFIG_SSL_SKELETON_MODE + bool "Skeleton mode - the smallest server mode" + help + This is an experiment to build the smallest library at the expense of + features and speed. + + * Server mode only. + * The AES cipher is disabled. + * No session resumption. + * No external keys/certificates are supported. + * The bigint library has most of the performance features disabled. + * Some other features/API calls may not work. + + This mode produces a library about 37kB in size. The main + disadvantage of this mode is speed - it will be much slower than the + other build modes. + +endchoice + +choice + prompt "Protocol Preference" + depends on !CONFIG_SSL_SKELETON_MODE + default CONFIG_SSL_PROT_MEDIUM + +config CONFIG_SSL_PROT_LOW + bool "Low" + help + Chooses the cipher in the order of RC4-SHA, AES128-SHA, AES256-SHA. + + This will use the fastest cipher(s) but at the expense of security. + +config CONFIG_SSL_PROT_MEDIUM + bool "Medium" + help + Chooses the cipher in the order of AES128-SHA, AES256-SHA, RC4-SHA. + + This mode is a balance between speed and security and is the default. + +config CONFIG_SSL_PROT_HIGH + bool "High" + help + Chooses the cipher in the order of AES256-SHA, AES128-SHA, RC4-SHA. + + This will use the strongest cipher(s) at the cost of speed. + +endchoice + +config CONFIG_SSL_USE_DEFAULT_KEY + bool "Enable default key" + depends on !CONFIG_SSL_SKELETON_MODE + default y + help + Some applications will not require the default private key/certificate + that is built in. This is one way to save on a couple of kB's if an + external private key/certificate is used. + + The private key is in ssl/private_key.h and the certificate is in + ssl/cert.h. + + The advantage of a built-in private key/certificate is that no file + system is required for access. Both the certificate and the private + key will be automatically loaded on a ssl_ctx_new(). + + However this private key/certificate can never be changed (without a + code update). 
+ + This mode is enabled by default. Disable this mode if the + built-in key/certificate is not used. + +config CONFIG_SSL_PRIVATE_KEY_LOCATION + string "Private key file location" + depends on !CONFIG_SSL_USE_DEFAULT_KEY && !CONFIG_SSL_SKELETON_MODE + help + The file location of the private key which will be automatically + loaded on a ssl_ctx_new(). + +config CONFIG_SSL_PRIVATE_KEY_PASSWORD + string "Private key password" + depends on !CONFIG_SSL_USE_DEFAULT_KEY && CONFIG_SSL_HAS_PEM + help + The password required to decrypt a PEM-encoded password file. + +config CONFIG_SSL_X509_CERT_LOCATION + string "X.509 certificate file location" + depends on !CONFIG_SSL_GENERATE_X509_CERT && !CONFIG_SSL_USE_DEFAULT_KEY && !CONFIG_SSL_SKELETON_MODE + help + The file location of the X.509 certificate which will be automatically + loaded on a ssl_ctx_new(). + +config CONFIG_SSL_GENERATE_X509_CERT + bool "Generate X.509 Certificate" + default n + help + An X.509 certificate can be automatically generated on a + ssl_ctx_new(). A private key still needs to be provided (the private + key in ss/private_key.h will be used unless + CONFIG_SSL_PRIVATE_KEY_LOCATION is set). + + The certificate is generated on the fly, and so a minor start-up time + penalty is to be expected. This feature adds around 5kB to the + library. + + This feature is disabled by default. + +config CONFIG_SSL_X509_COMMON_NAME + string "X.509 Common Name" + depends on CONFIG_SSL_GENERATE_X509_CERT + help + The common name for the X.509 certificate. This should be the fully + qualified domain name (FQDN), e.g. www.foo.com. + + If this is blank, then this will be value from gethostname() and + getdomainname(). + +config CONFIG_SSL_X509_ORGANIZATION_NAME + string "X.509 Organization Name" + depends on CONFIG_SSL_GENERATE_X509_CERT + help + The organization name for the generated X.509 certificate. + + This field is optional. 
+ +config CONFIG_SSL_X509_ORGANIZATION_UNIT_NAME + string "X.509 Organization Unit Name" + depends on CONFIG_SSL_GENERATE_X509_CERT + help + The organization unit name for the generated X.509 certificate. + + This field is optional. + +config CONFIG_SSL_ENABLE_V23_HANDSHAKE + bool "Enable v23 Handshake" + default y + help + Some browsers use the v23 handshake client hello message + (an SSL2 format message which all SSL servers can understand). + It may be used if SSL2 is enabled in the browser. + + Since this feature takes a kB or so, this feature may be disabled - at + the risk of making it incompatible with some browsers (IE6 is ok, + Firefox 1.5 and below use it). + + Disable if backwards compatibility is not an issue (i.e. the client is + always using TLS1.0) + +config CONFIG_SSL_HAS_PEM + bool "Enable PEM" + default n if !CONFIG_SSL_FULL_MODE + default y if CONFIG_SSL_FULL_MODE + depends on !CONFIG_SSL_SKELETON_MODE + help + Enable the use of PEM format for certificates and private keys. + + PEM is not normally needed - PEM files can be converted into DER files + quite easily. However they have the convenience of allowing multiple + certificates/keys in the same file. + + This feature will add a couple of kB to the library. + + Disable if PEM is not used (which will be in most cases). + +config CONFIG_SSL_USE_PKCS12 + bool "Use PKCS8/PKCS12" + default n if !CONFIG_SSL_FULL_MODE + default y if CONFIG_SSL_FULL_MODE + depends on !CONFIG_SSL_SERVER_ONLY && !CONFIG_SSL_SKELETON_MODE + help + PKCS#12 certificates combine private keys and certificates together in + one file. + + PKCS#8 private keys are also suppported (as it is a subset of PKCS#12). + + The decryption of these certificates uses RC4-128 (and these + certificates must be encrypted using this cipher). The actual + algorithm is "PBE-SHA1-RC4-128". + + Disable if PKCS#12 is not used (which will be in most cases). 
+ +config CONFIG_SSL_EXPIRY_TIME + int "Session expiry time (in hours)" + depends on !CONFIG_SSL_SKELETON_MODE + default 24 + help + The time (in hours) before a session expires. + + A longer time means that the expensive parts of a handshake don't + need to be run when a client reconnects later. + + The default is 1 day. + +config CONFIG_X509_MAX_CA_CERTS + int "Maximum number of certificate authorites" + default 4 + depends on !CONFIG_SSL_SERVER_ONLY && !CONFIG_SSL_SKELETON_MODE + help + Determines the number of CA's allowed. + + Increase this figure if more trusted sites are allowed. Each + certificate adds about 300 bytes (when added). + + The default is to allow four certification authorities. + +config CONFIG_SSL_MAX_CERTS + int "Maximum number of chained certificates" + default 2 + help + Determines the number of certificates used in a certificate + chain. The chain length must be at least 1. + + Increase this figure if more certificates are to be added to the + chain. Each certificate adds about 300 bytes (when added). + + The default is to allow one certificate + 1 certificate in the chain + (which may be the certificate authority certificate). + +config CONFIG_SSL_CTX_MUTEXING + bool "Enable SSL_CTX mutexing" + default n + help + Normally mutexing is not required - each SSL_CTX object can deal with + many SSL objects (as long as each SSL_CTX object is using a single + thread). + + If the SSL_CTX object is not thread safe e.g. the case where a + new thread is created for each SSL object, then mutexing is required. + + Select y when a mutex on the SSL_CTX object is required. + +config CONFIG_USE_DEV_URANDOM + bool "Use /dev/urandom" + default y + depends on !CONFIG_PLATFORM_WIN32 + help + Use /dev/urandom. Otherwise a custom RNG is used. + + This will be the default on most Linux systems. 
+ +config CONFIG_WIN32_USE_CRYPTO_LIB + bool "Use Win32 Crypto Library" + depends on CONFIG_PLATFORM_WIN32 + help + Microsoft produce a Crypto API which requires the Platform SDK to be + installed. It's used for the RNG. + + This will be the default on most Win32 systems. + +config CONFIG_OPENSSL_COMPATIBLE + bool "Enable openssl API compatibility" + default n + help + To ease the porting of openssl applications, a subset of the openssl + API is wrapped around the axTLS API. + + Note: not all the API is implemented, so parts may still break. And + it's definitely not 100% compatible. + +config CONFIG_PERFORMANCE_TESTING + bool "Build the bigint performance test tool" + default n + help + Used for performance testing of bigint. + + This is a testing tool and is normally disabled. + +config CONFIG_SSL_TEST + bool "Build the SSL testing tool" + default n + depends on CONFIG_SSL_FULL_MODE && !CONFIG_SSL_GENERATE_X509_CERT + help + Used for sanity checking the SSL handshaking. + + This is a testing tool and is normally disabled. + +endmenu
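Review bot: CONFIG_SSL_USE_DEFAULT_KEY should default to n rather than y (or carry an explicit warning in its help text): with the default as written, every build that does not opt out loads the private key from ssl/private_key.h, and a key that lives in a public source tree is known to anyone who reads it, so any such deployment is impersonable. The help already concedes that this key "can never be changed (without a code update)"; it should also say plainly that the built-in key is suitable only for testing. Related weak defaults in the same hunk worth flagging in their help text: CONFIG_SSL_PROT_LOW puts RC4-SHA first in the cipher order, CONFIG_SSL_USE_PKCS12 documents "PBE-SHA1-RC4-128" as the only accepted encryption for key files, and CONFIG_SSL_ENABLE_V23_HANDSHAKE (default y) accepts the SSL2-format client hello. CONFIG_SSL_PRIVATE_KEY_PASSWORD is a plain Kconfig string, so the passphrase ends up in the saved build configuration in clear text; that caveat belongs in its help. Minor text fixes: "ss/private_key.h" under CONFIG_SSL_GENERATE_X509_CERT should read "ssl/private_key.h"; "a PEM-encoded password file" under CONFIG_SSL_PRIVATE_KEY_PASSWORD should read "a PEM-encoded private key file"; "suppported" and "certificate authorites" are misspelled; and CONFIG_SSL_PRIVATE_KEY_PASSWORD is the only key/cert option without an explicit !CONFIG_SSL_SKELETON_MODE dependency (it is excluded only transitively through CONFIG_SSL_HAS_PEM), which is worth making explicit for consistency.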