Config.in 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336
  1. #
  2. # For a description of the syntax of this configuration file,
  3. # see scripts/config/Kconfig-language.txt
  4. #
  5. menu "SSL Library"
  6. choice
  7. prompt "Mode"
  8. default CONFIG_SSL_FULL_MODE
  9. config CONFIG_SSL_SERVER_ONLY
  10. bool "Server only - no verification"
  11. help
  12. Enable server functionality (no client functionality).
  13. This mode still supports sessions and chaining (which can be turned
  14. off in configuration).
  15. The axssl sample runs with the minimum of features.
  16. This is the most space efficient of the modes with the library
  17. about 45kB in size. Use this mode if you are doing standard SSL server
  18. work.
  19. config CONFIG_SSL_CERT_VERIFICATION
  20. bool "Server only - with verification"
  21. help
  22. Enable server functionality with client authentication (no client
  23. functionality).
  24. The axssl sample runs with the "-verify" and "-CAfile" options.
  25. This mode produces a library about 49kB in size. Use this mode if you
  26. have an SSL server which requires client authentication (which is
  27. uncommon in browser applications).
  28. config CONFIG_SSL_ENABLE_CLIENT
  29. bool "Client/Server enabled"
  30. help
  31. Enable client/server functionality (including peer authentication).
  32. The axssl sample runs with the "s_client" option enabled.
  33. This mode produces a library about 51kB in size. Use this mode if you
  34. require axTLS to use SSL client functionality (the SSL server code
  35. is always enabled).
  36. config CONFIG_SSL_FULL_MODE
  37. bool "Client/Server enabled with diagnostics"
  38. help
  39. Enable client/server functionality including diagnostics. Most of the
  40. extra size in this mode is due to the storage of various strings that
  41. are used.
  42. The axssl sample has 3 more options, "-debug", "-state" and "-show-rsa"
  43. This mode produces a library about 58kB in size. It is suggested that
  44. this mode is used only during development, or systems that have more
  45. generous memory limits.
  46. It is the default to demonstrate the features of axTLS.
  47. config CONFIG_SSL_SKELETON_MODE
  48. bool "Skeleton mode - the smallest server mode"
  49. help
  50. This is an experiment to build the smallest library at the expense of
  51. features and speed.
  52. * Server mode only.
  53. * The AES cipher is disabled.
  54. * No session resumption.
  55. * No external keys/certificates are supported.
  56. * The bigint library has most of the performance features disabled.
  57. * Some other features/API calls may not work.
  58. This mode produces a library about 37kB in size. The main
  59. disadvantage of this mode is speed - it will be much slower than the
  60. other build modes.
  61. endchoice
  62. choice
  63. prompt "Protocol Preference"
  64. depends on !CONFIG_SSL_SKELETON_MODE
  65. default CONFIG_SSL_PROT_MEDIUM
  66. config CONFIG_SSL_PROT_LOW
  67. bool "Low"
  68. help
  69. Chooses the cipher in the order of RC4-SHA, AES128-SHA, AES256-SHA.
  70. This will use the fastest cipher(s) but at the expense of security.
  71. config CONFIG_SSL_PROT_MEDIUM
  72. bool "Medium"
  73. help
  74. Chooses the cipher in the order of AES128-SHA, AES256-SHA, RC4-SHA.
  75. This mode is a balance between speed and security and is the default.
  76. config CONFIG_SSL_PROT_HIGH
  77. bool "High"
  78. help
  79. Chooses the cipher in the order of AES256-SHA, AES128-SHA, RC4-SHA.
  80. This will use the strongest cipher(s) at the cost of speed.
  81. endchoice
  82. config CONFIG_SSL_USE_DEFAULT_KEY
  83. bool "Enable default key"
  84. depends on !CONFIG_SSL_SKELETON_MODE
  85. default y
  86. help
  87. Some applications will not require the default private key/certificate
  88. that is built in. This is one way to save on a couple of kB's if an
  89. external private key/certificate is used.
  90. The private key is in ssl/private_key.h and the certificate is in
  91. ssl/cert.h.
  92. The advantage of a built-in private key/certificate is that no file
  93. system is required for access. Both the certificate and the private
  94. key will be automatically loaded on a ssl_ctx_new().
  95. However this private key/certificate can never be changed (without a
  96. code update).
  97. This mode is enabled by default. Disable this mode if the
  98. built-in key/certificate is not used.
  99. config CONFIG_SSL_PRIVATE_KEY_LOCATION
  100. string "Private key file location"
  101. depends on !CONFIG_SSL_USE_DEFAULT_KEY && !CONFIG_SSL_SKELETON_MODE
  102. help
  103. The file location of the private key which will be automatically
  104. loaded on a ssl_ctx_new().
  105. config CONFIG_SSL_PRIVATE_KEY_PASSWORD
  106. string "Private key password"
  107. depends on !CONFIG_SSL_USE_DEFAULT_KEY && CONFIG_SSL_HAS_PEM
  108. help
  109. The password required to decrypt a PEM-encoded password file.
  110. config CONFIG_SSL_X509_CERT_LOCATION
  111. string "X.509 certificate file location"
  112. depends on !CONFIG_SSL_GENERATE_X509_CERT && !CONFIG_SSL_USE_DEFAULT_KEY && !CONFIG_SSL_SKELETON_MODE
  113. help
  114. The file location of the X.509 certificate which will be automatically
  115. loaded on a ssl_ctx_new().
  116. config CONFIG_SSL_GENERATE_X509_CERT
  117. bool "Generate X.509 Certificate"
  118. default n
  119. help
  120. An X.509 certificate can be automatically generated on a
  121. ssl_ctx_new(). A private key still needs to be provided (the private
  122. key in ss/private_key.h will be used unless
  123. CONFIG_SSL_PRIVATE_KEY_LOCATION is set).
  124. The certificate is generated on the fly, and so a minor start-up time
  125. penalty is to be expected. This feature adds around 5kB to the
  126. library.
  127. This feature is disabled by default.
  128. config CONFIG_SSL_X509_COMMON_NAME
  129. string "X.509 Common Name"
  130. depends on CONFIG_SSL_GENERATE_X509_CERT
  131. help
  132. The common name for the X.509 certificate. This should be the fully
  133. qualified domain name (FQDN), e.g. www.foo.com.
  134. If this is blank, then this will be value from gethostname() and
  135. getdomainname().
  136. config CONFIG_SSL_X509_ORGANIZATION_NAME
  137. string "X.509 Organization Name"
  138. depends on CONFIG_SSL_GENERATE_X509_CERT
  139. help
  140. The organization name for the generated X.509 certificate.
  141. This field is optional.
  142. config CONFIG_SSL_X509_ORGANIZATION_UNIT_NAME
  143. string "X.509 Organization Unit Name"
  144. depends on CONFIG_SSL_GENERATE_X509_CERT
  145. help
  146. The organization unit name for the generated X.509 certificate.
  147. This field is optional.
  148. config CONFIG_SSL_ENABLE_V23_HANDSHAKE
  149. bool "Enable v23 Handshake"
  150. default y
  151. help
  152. Some browsers use the v23 handshake client hello message
  153. (an SSL2 format message which all SSL servers can understand).
  154. It may be used if SSL2 is enabled in the browser.
  155. Since this feature takes a kB or so, this feature may be disabled - at
  156. the risk of making it incompatible with some browsers (IE6 is ok,
  157. Firefox 1.5 and below use it).
  158. Disable if backwards compatibility is not an issue (i.e. the client is
  159. always using TLS1.0)
  160. config CONFIG_SSL_HAS_PEM
  161. bool "Enable PEM"
  162. default n if !CONFIG_SSL_FULL_MODE
  163. default y if CONFIG_SSL_FULL_MODE
  164. depends on !CONFIG_SSL_SKELETON_MODE
  165. help
  166. Enable the use of PEM format for certificates and private keys.
  167. PEM is not normally needed - PEM files can be converted into DER files
  168. quite easily. However they have the convenience of allowing multiple
  169. certificates/keys in the same file.
  170. This feature will add a couple of kB to the library.
  171. Disable if PEM is not used (which will be in most cases).
  172. config CONFIG_SSL_USE_PKCS12
  173. bool "Use PKCS8/PKCS12"
  174. default n if !CONFIG_SSL_FULL_MODE
  175. default y if CONFIG_SSL_FULL_MODE
  176. depends on !CONFIG_SSL_SERVER_ONLY && !CONFIG_SSL_SKELETON_MODE
  177. help
  178. PKCS#12 certificates combine private keys and certificates together in
  179. one file.
  180. PKCS#8 private keys are also suppported (as it is a subset of PKCS#12).
  181. The decryption of these certificates uses RC4-128 (and these
  182. certificates must be encrypted using this cipher). The actual
  183. algorithm is "PBE-SHA1-RC4-128".
  184. Disable if PKCS#12 is not used (which will be in most cases).
  185. config CONFIG_SSL_EXPIRY_TIME
  186. int "Session expiry time (in hours)"
  187. depends on !CONFIG_SSL_SKELETON_MODE
  188. default 24
  189. help
  190. The time (in hours) before a session expires.
  191. A longer time means that the expensive parts of a handshake don't
  192. need to be run when a client reconnects later.
  193. The default is 1 day.
  194. config CONFIG_X509_MAX_CA_CERTS
  195. int "Maximum number of certificate authorites"
  196. default 4
  197. depends on !CONFIG_SSL_SERVER_ONLY && !CONFIG_SSL_SKELETON_MODE
  198. help
  199. Determines the number of CA's allowed.
  200. Increase this figure if more trusted sites are allowed. Each
  201. certificate adds about 300 bytes (when added).
  202. The default is to allow four certification authorities.
  203. config CONFIG_SSL_MAX_CERTS
  204. int "Maximum number of chained certificates"
  205. default 2
  206. help
  207. Determines the number of certificates used in a certificate
  208. chain. The chain length must be at least 1.
  209. Increase this figure if more certificates are to be added to the
  210. chain. Each certificate adds about 300 bytes (when added).
  211. The default is to allow one certificate + 1 certificate in the chain
  212. (which may be the certificate authority certificate).
  213. config CONFIG_SSL_CTX_MUTEXING
  214. bool "Enable SSL_CTX mutexing"
  215. default n
  216. help
  217. Normally mutexing is not required - each SSL_CTX object can deal with
  218. many SSL objects (as long as each SSL_CTX object is using a single
  219. thread).
  220. If the SSL_CTX object is not thread safe e.g. the case where a
  221. new thread is created for each SSL object, then mutexing is required.
  222. Select y when a mutex on the SSL_CTX object is required.
  223. config CONFIG_USE_DEV_URANDOM
  224. bool "Use /dev/urandom"
  225. default y
  226. depends on !CONFIG_PLATFORM_WIN32
  227. help
  228. Use /dev/urandom. Otherwise a custom RNG is used.
  229. This will be the default on most Linux systems.
  230. config CONFIG_WIN32_USE_CRYPTO_LIB
  231. bool "Use Win32 Crypto Library"
  232. depends on CONFIG_PLATFORM_WIN32
  233. help
  234. Microsoft produce a Crypto API which requires the Platform SDK to be
  235. installed. It's used for the RNG.
  236. This will be the default on most Win32 systems.
  237. config CONFIG_OPENSSL_COMPATIBLE
  238. bool "Enable openssl API compatibility"
  239. default n
  240. help
  241. To ease the porting of openssl applications, a subset of the openssl
  242. API is wrapped around the axTLS API.
  243. Note: not all the API is implemented, so parts may still break. And
  244. it's definitely not 100% compatible.
  245. config CONFIG_PERFORMANCE_TESTING
  246. bool "Build the bigint performance test tool"
  247. default n
  248. help
  249. Used for performance testing of bigint.
  250. This is a testing tool and is normally disabled.
  251. config CONFIG_SSL_TEST
  252. bool "Build the SSL testing tool"
  253. default n
  254. depends on CONFIG_SSL_FULL_MODE && !CONFIG_SSL_GENERATE_X509_CERT
  255. help
  256. Used for sanity checking the SSL handshaking.
  257. This is a testing tool and is normally disabled.
  258. endmenu