322 lines
11 KiB
Text
322 lines
11 KiB
Text
|
#
|
||
|
# For a description of the syntax of this configuration file,
|
||
|
# see scripts/config/Kconfig-language.txt
|
||
|
#
|
||
|
|
||
|
menu "SSL Library"
|
||
|
|
||
|
choice
|
||
|
prompt "Mode"
|
||
|
default CONFIG_SSL_FULL_MODE
|
||
|
|
||
|
config CONFIG_SSL_SERVER_ONLY
|
||
|
bool "Server only - no verification"
|
||
|
help
|
||
|
Enable server functionality (no client functionality).
|
||
|
This mode still supports sessions and chaining (which can be turned
|
||
|
off in configuration).
|
||
|
|
||
|
The axssl sample runs with the minimum of features.
|
||
|
|
||
|
This is the most space efficient of the modes with the library
|
||
|
about 45kB in size. Use this mode if you are doing standard SSL server
|
||
|
work.
|
||
|
|
||
|
config CONFIG_SSL_CERT_VERIFICATION
|
||
|
bool "Server only - with verification"
|
||
|
help
|
||
|
Enable server functionality with client authentication (no client
|
||
|
functionality).
|
||
|
|
||
|
The axssl sample runs with the "-verify" and "-CAfile" options.
|
||
|
|
||
|
This mode produces a library about 49kB in size. Use this mode if you
|
||
|
have an SSL server which requires client authentication (which is
|
||
|
uncommon in browser applications).
|
||
|
|
||
|
config CONFIG_SSL_ENABLE_CLIENT
|
||
|
bool "Client/Server enabled"
|
||
|
help
|
||
|
Enable client/server functionality (including peer authentication).
|
||
|
|
||
|
The axssl sample runs with the "s_client" option enabled.
|
||
|
|
||
|
This mode produces a library about 51kB in size. Use this mode if you
|
||
|
require axTLS to use SSL client functionality (the SSL server code
|
||
|
is always enabled).
|
||
|
|
||
|
config CONFIG_SSL_FULL_MODE
|
||
|
bool "Client/Server enabled with diagnostics"
|
||
|
help
|
||
|
Enable client/server functionality including diagnostics. Most of the
|
||
|
extra size in this mode is due to the storage of various strings that
|
||
|
are used.
|
||
|
|
||
|
The axssl sample has 3 more options, "-debug", "-state" and "-show-rsa"
|
||
|
|
||
|
This mode produces a library about 58kB in size. It is suggested that
|
||
|
this mode is used only during development, or systems that have more
|
||
|
generous memory limits.
|
||
|
|
||
|
It is the default to demonstrate the features of axTLS.
|
||
|
|
||
|
config CONFIG_SSL_SKELETON_MODE
|
||
|
bool "Skeleton mode - the smallest server mode"
|
||
|
help
|
||
|
This is an experiment to build the smallest library at the expense of
|
||
|
features and speed.
|
||
|
|
||
|
* Server mode only.
|
||
|
* The AES cipher is disabled.
|
||
|
* No session resumption.
|
||
|
* No external keys/certificates are supported.
|
||
|
* The bigint library has most of the performance features disabled.
|
||
|
* Some other features/API calls may not work.
|
||
|
|
||
|
This mode produces a library about 37kB in size. The main
|
||
|
disadvantage of this mode is speed - it will be much slower than the
|
||
|
other build modes.
|
||
|
|
||
|
endchoice
|
||
|
|
||
|
choice
|
||
|
prompt "Protocol Preference"
|
||
|
depends on !CONFIG_SSL_SKELETON_MODE
|
||
|
default CONFIG_SSL_PROT_MEDIUM
|
||
|
|
||
|
config CONFIG_SSL_PROT_LOW
|
||
|
bool "Low"
|
||
|
help
|
||
|
Chooses the cipher in the order of RC4-SHA, AES128-SHA, AES256-SHA.
|
||
|
|
||
|
This will use the fastest cipher(s) but at the expense of security.
|
||
|
|
||
|
config CONFIG_SSL_PROT_MEDIUM
|
||
|
bool "Medium"
|
||
|
help
|
||
|
Chooses the cipher in the order of AES128-SHA, AES256-SHA, RC4-SHA.
|
||
|
|
||
|
This mode is a balance between speed and security and is the default.
|
||
|
|
||
|
config CONFIG_SSL_PROT_HIGH
|
||
|
bool "High"
|
||
|
help
|
||
|
Chooses the cipher in the order of AES256-SHA, AES128-SHA, RC4-SHA.
|
||
|
|
||
|
This will use the strongest cipher(s) at the cost of speed.
|
||
|
|
||
|
endchoice
|
||
|
|
||
|
config CONFIG_SSL_USE_DEFAULT_KEY
|
||
|
bool "Enable default key"
|
||
|
depends on !CONFIG_SSL_SKELETON_MODE
|
||
|
default y
|
||
|
help
|
||
|
Some applications will not require the default private key/certificate
|
||
|
that is built in. This is one way to save on a couple of kB's if an
|
||
|
external private key/certificate is used.
|
||
|
|
||
|
The private key is in ssl/private_key.h and the certificate is in
|
||
|
ssl/cert.h.
|
||
|
|
||
|
The advantage of a built-in private key/certificate is that no file
|
||
|
system is required for access. Both the certificate and the private
|
||
|
key will be automatically loaded on a ssl_ctx_new().
|
||
|
|
||
|
However this private key/certificate can never be changed (without a
|
||
|
code update).
|
||
|
|
||
|
This mode is enabled by default. Disable this mode if the
|
||
|
built-in key/certificate is not used.
|
||
|
|
||
|
config CONFIG_SSL_PRIVATE_KEY_LOCATION
|
||
|
string "Private key file location"
|
||
|
depends on !CONFIG_SSL_USE_DEFAULT_KEY && !CONFIG_SSL_SKELETON_MODE
|
||
|
help
|
||
|
The file location of the private key which will be automatically
|
||
|
loaded on a ssl_ctx_new().
|
||
|
|
||
|
config CONFIG_SSL_PRIVATE_KEY_PASSWORD
|
||
|
string "Private key password"
|
||
|
depends on !CONFIG_SSL_USE_DEFAULT_KEY && CONFIG_SSL_HAS_PEM
|
||
|
help
|
||
|
The password required to decrypt a PEM-encoded password file.
|
||
|
|
||
|
config CONFIG_SSL_X509_CERT_LOCATION
|
||
|
string "X.509 certificate file location"
|
||
|
depends on !CONFIG_SSL_GENERATE_X509_CERT && !CONFIG_SSL_USE_DEFAULT_KEY && !CONFIG_SSL_SKELETON_MODE
|
||
|
help
|
||
|
The file location of the X.509 certificate which will be automatically
|
||
|
loaded on a ssl_ctx_new().
|
||
|
|
||
|
config CONFIG_SSL_GENERATE_X509_CERT
|
||
|
bool "Generate X.509 Certificate"
|
||
|
default n
|
||
|
help
|
||
|
An X.509 certificate can be automatically generated on a
|
||
|
ssl_ctx_new(). A private key still needs to be provided (the private
|
||
|
key in ss/private_key.h will be used unless
|
||
|
CONFIG_SSL_PRIVATE_KEY_LOCATION is set).
|
||
|
|
||
|
The certificate is generated on the fly, and so a minor start-up time
|
||
|
penalty is to be expected. This feature adds around 5kB to the
|
||
|
library.
|
||
|
|
||
|
This feature is disabled by default.
|
||
|
|
||
|
config CONFIG_SSL_X509_COMMON_NAME
|
||
|
string "X.509 Common Name"
|
||
|
depends on CONFIG_SSL_GENERATE_X509_CERT
|
||
|
help
|
||
|
The common name for the X.509 certificate. This should be the fully
|
||
|
qualified domain name (FQDN), e.g. www.foo.com.
|
||
|
|
||
|
If this is blank, then this will be value from gethostname() and
|
||
|
getdomainname().
|
||
|
|
||
|
config CONFIG_SSL_X509_ORGANIZATION_NAME
|
||
|
string "X.509 Organization Name"
|
||
|
depends on CONFIG_SSL_GENERATE_X509_CERT
|
||
|
help
|
||
|
The organization name for the generated X.509 certificate.
|
||
|
|
||
|
This field is optional.
|
||
|
|
||
|
config CONFIG_SSL_X509_ORGANIZATION_UNIT_NAME
|
||
|
string "X.509 Organization Unit Name"
|
||
|
depends on CONFIG_SSL_GENERATE_X509_CERT
|
||
|
help
|
||
|
The organization unit name for the generated X.509 certificate.
|
||
|
|
||
|
This field is optional.
|
||
|
|
||
|
config CONFIG_SSL_HAS_PEM
|
||
|
bool "Enable PEM"
|
||
|
default n if !CONFIG_SSL_FULL_MODE
|
||
|
default y if CONFIG_SSL_FULL_MODE
|
||
|
depends on !CONFIG_SSL_SKELETON_MODE
|
||
|
help
|
||
|
Enable the use of PEM format for certificates and private keys.
|
||
|
|
||
|
PEM is not normally needed - PEM files can be converted into DER files
|
||
|
quite easily. However they have the convenience of allowing multiple
|
||
|
certificates/keys in the same file.
|
||
|
|
||
|
This feature will add a couple of kB to the library.
|
||
|
|
||
|
Disable if PEM is not used (which will be in most cases).
|
||
|
|
||
|
config CONFIG_SSL_USE_PKCS12
|
||
|
bool "Use PKCS8/PKCS12"
|
||
|
default n if !CONFIG_SSL_FULL_MODE
|
||
|
default y if CONFIG_SSL_FULL_MODE
|
||
|
depends on !CONFIG_SSL_SKELETON_MODE
|
||
|
help
|
||
|
PKCS#12 certificates combine private keys and certificates together in
|
||
|
one file.
|
||
|
|
||
|
PKCS#8 private keys are also suppported (as it is a subset of PKCS#12).
|
||
|
|
||
|
The decryption of these certificates uses RC4-128 (and these
|
||
|
certificates must be encrypted using this cipher). The actual
|
||
|
algorithm is "PBE-SHA1-RC4-128".
|
||
|
|
||
|
Disable if PKCS#12 is not used (which will be in most cases).
|
||
|
|
||
|
config CONFIG_SSL_EXPIRY_TIME
|
||
|
int "Session expiry time (in hours)"
|
||
|
depends on !CONFIG_SSL_SKELETON_MODE
|
||
|
default 24
|
||
|
help
|
||
|
The time (in hours) before a session expires.
|
||
|
|
||
|
A longer time means that the expensive parts of a handshake don't
|
||
|
need to be run when a client reconnects later.
|
||
|
|
||
|
The default is 1 day.
|
||
|
|
||
|
config CONFIG_X509_MAX_CA_CERTS
|
||
|
int "Maximum number of certificate authorites"
|
||
|
default 150
|
||
|
depends on !CONFIG_SSL_SERVER_ONLY && !CONFIG_SSL_SKELETON_MODE
|
||
|
help
|
||
|
Determines the number of CA's allowed.
|
||
|
|
||
|
Increase this figure if more trusted sites are allowed. Each
|
||
|
certificate adds about 300 bytes (when added).
|
||
|
|
||
|
The default is to allow the Debian cert bundle to be parsed.
|
||
|
|
||
|
config CONFIG_SSL_MAX_CERTS
|
||
|
int "Maximum number of chained certificates"
|
||
|
default 3
|
||
|
help
|
||
|
Determines the number of certificates used in a certificate
|
||
|
chain. The chain length must be at least 1.
|
||
|
|
||
|
Increase this figure if more certificates are to be added to the
|
||
|
chain. Each certificate adds about 300 bytes (when added).
|
||
|
|
||
|
The default is to allow one certificate + 2 certificates in the chain.
|
||
|
|
||
|
config CONFIG_SSL_CTX_MUTEXING
|
||
|
bool "Enable SSL_CTX mutexing"
|
||
|
default n
|
||
|
help
|
||
|
Normally mutexing is not required - each SSL_CTX object can deal with
|
||
|
many SSL objects (as long as each SSL_CTX object is using a single
|
||
|
thread).
|
||
|
|
||
|
If the SSL_CTX object is not thread safe e.g. the case where a
|
||
|
new thread is created for each SSL object, then mutexing is required.
|
||
|
|
||
|
Select y when a mutex on the SSL_CTX object is required.
|
||
|
|
||
|
config CONFIG_USE_DEV_URANDOM
|
||
|
bool "Use /dev/urandom"
|
||
|
default y
|
||
|
depends on !CONFIG_PLATFORM_WIN32
|
||
|
help
|
||
|
Use /dev/urandom. Otherwise a custom RNG is used.
|
||
|
|
||
|
This will be the default on most Linux systems.
|
||
|
|
||
|
config CONFIG_WIN32_USE_CRYPTO_LIB
|
||
|
bool "Use Win32 Crypto Library"
|
||
|
depends on CONFIG_PLATFORM_WIN32
|
||
|
help
|
||
|
Microsoft produce a Crypto API which requires the Platform SDK to be
|
||
|
installed. It's used for the RNG.
|
||
|
|
||
|
This will be the default on most Win32 systems.
|
||
|
|
||
|
config CONFIG_OPENSSL_COMPATIBLE
|
||
|
bool "Enable openssl API compatibility"
|
||
|
default n
|
||
|
help
|
||
|
To ease the porting of openssl applications, a subset of the openssl
|
||
|
API is wrapped around the axTLS API.
|
||
|
|
||
|
Note: not all the API is implemented, so parts may still break. And
|
||
|
it's definitely not 100% compatible.
|
||
|
|
||
|
config CONFIG_PERFORMANCE_TESTING
|
||
|
bool "Build the bigint performance test tool"
|
||
|
default n
|
||
|
depends on CONFIG_SSL_CERT_VERIFICATION
|
||
|
help
|
||
|
Used for performance testing of bigint.
|
||
|
|
||
|
This is a testing tool and is normally disabled.
|
||
|
|
||
|
config CONFIG_SSL_TEST
|
||
|
bool "Build the SSL testing tool"
|
||
|
default n
|
||
|
depends on CONFIG_SSL_FULL_MODE && !CONFIG_SSL_GENERATE_X509_CERT
|
||
|
help
|
||
|
Used for sanity checking the SSL handshaking.
|
||
|
|
||
|
This is a testing tool and is normally disabled.
|
||
|
|
||
|
endmenu
|