Annotation of embedaddon/axTLS/ssl/Config.in, revision 1.1
#
# For a description of the syntax of this configuration file,
# see scripts/config/Kconfig-language.txt
#

menu "SSL Library"

choice
    prompt "Mode"
    default CONFIG_SSL_FULL_MODE

config CONFIG_SSL_SERVER_ONLY
    bool "Server only - no verification"
    help
        Enable server functionality (no client functionality).
        This mode still supports sessions and chaining (which can be turned
        off in configuration).

        The axssl sample runs with the minimum of features.

        This is the most space-efficient of the modes, with the library
        about 45kB in size. Use this mode if you are doing standard SSL server
        work.

config CONFIG_SSL_CERT_VERIFICATION
    bool "Server only - with verification"
    help
        Enable server functionality with client authentication (no client
        functionality).

        The axssl sample runs with the "-verify" and "-CAfile" options.

        This mode produces a library about 49kB in size. Use this mode if you
        have an SSL server which requires client authentication (which is
        uncommon in browser applications).

config CONFIG_SSL_ENABLE_CLIENT
    bool "Client/Server enabled"
    help
        Enable client/server functionality (including peer authentication).

        The axssl sample runs with the "s_client" option enabled.

        This mode produces a library about 51kB in size. Use this mode if you
        require axTLS to use SSL client functionality (the SSL server code
        is always enabled).

config CONFIG_SSL_FULL_MODE
    bool "Client/Server enabled with diagnostics"
    help
        Enable client/server functionality including diagnostics. Most of the
        extra size in this mode is due to the storage of various strings that
        are used.

        The axssl sample has 3 more options: "-debug", "-state" and "-show-rsa".

        This mode produces a library about 58kB in size. It is suggested that
        this mode is used only during development, or on systems that have more
        generous memory limits.

        It is the default to demonstrate the features of axTLS.

config CONFIG_SSL_SKELETON_MODE
    bool "Skeleton mode - the smallest server mode"
    help
        This is an experiment to build the smallest library at the expense of
        features and speed.

        * Server mode only.
        * The AES cipher is disabled.
        * No session resumption.
        * No external keys/certificates are supported.
        * The bigint library has most of the performance features disabled.
        * Some other features/API calls may not work.

        This mode produces a library about 37kB in size. The main
        disadvantage of this mode is speed - it will be much slower than the
        other build modes.

endchoice
! 81:
choice
    prompt "Protocol Preference"
    depends on !CONFIG_SSL_SKELETON_MODE
    default CONFIG_SSL_PROT_MEDIUM

config CONFIG_SSL_PROT_LOW
    bool "Low"
    help
        Chooses the cipher in the order of RC4-SHA, AES128-SHA, AES256-SHA.

        This will use the fastest cipher(s) but at the expense of security.

config CONFIG_SSL_PROT_MEDIUM
    bool "Medium"
    help
        Chooses the cipher in the order of AES128-SHA, AES256-SHA, RC4-SHA.

        This mode is a balance between speed and security and is the default.

config CONFIG_SSL_PROT_HIGH
    bool "High"
    help
        Chooses the cipher in the order of AES256-SHA, AES128-SHA, RC4-SHA.

        This will use the strongest cipher(s) at the cost of speed.

endchoice
! 109:
config CONFIG_SSL_USE_DEFAULT_KEY
    bool "Enable default key"
    depends on !CONFIG_SSL_SKELETON_MODE
    default y
    help
        Some applications will not require the default private key/certificate
        that is built in. This is one way to save a couple of kB if an
        external private key/certificate is used.

        The private key is in ssl/private_key.h and the certificate is in
        ssl/cert.h.

        The advantage of a built-in private key/certificate is that no file
        system is required for access. Both the certificate and the private
        key will be automatically loaded on an ssl_ctx_new().

        However, this private key/certificate can never be changed (without a
        code update).

        This mode is enabled by default. Disable this mode if the
        built-in key/certificate is not used.

config CONFIG_SSL_PRIVATE_KEY_LOCATION
    string "Private key file location"
    depends on !CONFIG_SSL_USE_DEFAULT_KEY && !CONFIG_SSL_SKELETON_MODE
    help
        The file location of the private key which will be automatically
        loaded on an ssl_ctx_new().

config CONFIG_SSL_PRIVATE_KEY_PASSWORD
    string "Private key password"
    depends on !CONFIG_SSL_USE_DEFAULT_KEY && CONFIG_SSL_HAS_PEM
    help
        The password required to decrypt a PEM-encoded private key file.

config CONFIG_SSL_X509_CERT_LOCATION
    string "X.509 certificate file location"
    depends on !CONFIG_SSL_GENERATE_X509_CERT && !CONFIG_SSL_USE_DEFAULT_KEY && !CONFIG_SSL_SKELETON_MODE
    help
        The file location of the X.509 certificate which will be automatically
        loaded on an ssl_ctx_new().

config CONFIG_SSL_GENERATE_X509_CERT
    bool "Generate X.509 Certificate"
    default n
    help
        An X.509 certificate can be automatically generated on an
        ssl_ctx_new(). A private key still needs to be provided (the private
        key in ssl/private_key.h will be used unless
        CONFIG_SSL_PRIVATE_KEY_LOCATION is set).

        The certificate is generated on the fly, and so a minor start-up time
        penalty is to be expected. This feature adds around 5kB to the
        library.

        This feature is disabled by default.

config CONFIG_SSL_X509_COMMON_NAME
    string "X.509 Common Name"
    depends on CONFIG_SSL_GENERATE_X509_CERT
    help
        The common name for the X.509 certificate. This should be the fully
        qualified domain name (FQDN), e.g. www.foo.com.

        If this is blank, the value will be taken from gethostname() and
        getdomainname().

config CONFIG_SSL_X509_ORGANIZATION_NAME
    string "X.509 Organization Name"
    depends on CONFIG_SSL_GENERATE_X509_CERT
    help
        The organization name for the generated X.509 certificate.

        This field is optional.

config CONFIG_SSL_X509_ORGANIZATION_UNIT_NAME
    string "X.509 Organization Unit Name"
    depends on CONFIG_SSL_GENERATE_X509_CERT
    help
        The organization unit name for the generated X.509 certificate.

        This field is optional.
! 192:
config CONFIG_SSL_ENABLE_V23_HANDSHAKE
    bool "Enable v23 Handshake"
    default n
    help
        Some browsers use the v23 handshake client hello message
        (an SSL2 format message which all SSL servers can understand).
        It may be used if SSL2 is enabled in the browser.

        Since this feature takes a kB or so, it may be disabled - at
        the risk of making it incompatible with some browsers (IE6 is ok,
        Firefox 1.5 and below use it).

        Disable if backwards compatibility is not an issue (i.e. the client is
        always using TLS1.0).

config CONFIG_SSL_HAS_PEM
    bool "Enable PEM"
    default n if !CONFIG_SSL_FULL_MODE
    default y if CONFIG_SSL_FULL_MODE
    depends on !CONFIG_SSL_SKELETON_MODE
    help
        Enable the use of PEM format for certificates and private keys.

        PEM is not normally needed - PEM files can be converted into DER files
        quite easily. However, they have the convenience of allowing multiple
        certificates/keys in the same file.

        This feature will add a couple of kB to the library.

        Disable if PEM is not used (which will be the case most of the time).

config CONFIG_SSL_USE_PKCS12
    bool "Use PKCS8/PKCS12"
    default n if !CONFIG_SSL_FULL_MODE
    default y if CONFIG_SSL_FULL_MODE
    depends on !CONFIG_SSL_SKELETON_MODE
    help
        PKCS#12 certificates combine private keys and certificates together in
        one file.

        PKCS#8 private keys are also supported (as it is a subset of PKCS#12).

        The decryption of these certificates uses RC4-128 (and these
        certificates must be encrypted using this cipher). The actual
        algorithm is "PBE-SHA1-RC4-128".

        Disable if PKCS#12 is not used (which will be the case most of the time).
! 240:
config CONFIG_SSL_EXPIRY_TIME
    int "Session expiry time (in hours)"
    depends on !CONFIG_SSL_SKELETON_MODE
    default 24
    help
        The time (in hours) before a session expires.

        A longer time means that the expensive parts of a handshake don't
        need to be run when a client reconnects later.

        The default is 1 day.

config CONFIG_X509_MAX_CA_CERTS
    int "Maximum number of certificate authorities"
    default 150
    depends on !CONFIG_SSL_SERVER_ONLY && !CONFIG_SSL_SKELETON_MODE
    help
        Determines the number of CAs allowed.

        Increase this figure if more trusted sites are allowed. Each
        certificate adds about 300 bytes (when added).

        The default is to allow the Debian cert bundle to be parsed.

config CONFIG_SSL_MAX_CERTS
    int "Maximum number of chained certificates"
    default 3
    help
        Determines the number of certificates used in a certificate
        chain. The chain length must be at least 1.

        Increase this figure if more certificates are to be added to the
        chain. Each certificate adds about 300 bytes (when added).

        The default is to allow one certificate + 2 certificates in the chain.

config CONFIG_SSL_CTX_MUTEXING
    bool "Enable SSL_CTX mutexing"
    default n
    help
        Normally mutexing is not required - each SSL_CTX object can deal with
        many SSL objects (as long as each SSL_CTX object is used by a single
        thread).

        If the SSL_CTX object is not used thread-safely, e.g. the case where a
        new thread is created for each SSL object, then mutexing is required.

        Select y when a mutex on the SSL_CTX object is required.

config CONFIG_USE_DEV_URANDOM
    bool "Use /dev/urandom"
    default y
    depends on !CONFIG_PLATFORM_WIN32
    help
        Use /dev/urandom. Otherwise a custom RNG is used.

        This will be the default on most Linux systems.

config CONFIG_WIN32_USE_CRYPTO_LIB
    bool "Use Win32 Crypto Library"
    depends on CONFIG_PLATFORM_WIN32
    help
        Microsoft produces a Crypto API which requires the Platform SDK to be
        installed. It's used for the RNG.

        This will be the default on most Win32 systems.

config CONFIG_OPENSSL_COMPATIBLE
    bool "Enable openssl API compatibility"
    default n
    help
        To ease the porting of openssl applications, a subset of the openssl
        API is wrapped around the axTLS API.

        Note: not all of the API is implemented, so parts may still break. And
        it's definitely not 100% compatible.

config CONFIG_PERFORMANCE_TESTING
    bool "Build the bigint performance test tool"
    default n
    depends on CONFIG_SSL_CERT_VERIFICATION
    help
        Used for performance testing of bigint.

        This is a testing tool and is normally disabled.

config CONFIG_SSL_TEST
    bool "Build the SSL testing tool"
    default n
    depends on CONFIG_SSL_FULL_MODE && !CONFIG_SSL_GENERATE_X509_CERT
    help
        Used for sanity checking the SSL handshaking.

        This is a testing tool and is normally disabled.

endmenu