#
# For a description of the syntax of this configuration file,
# see scripts/config/Kconfig-language.txt
#

menu "SSL Library"

choice
	prompt "Mode"
	default CONFIG_SSL_FULL_MODE

config CONFIG_SSL_SERVER_ONLY
	bool "Server only - no verification"
	help
		Enable server functionality (no client functionality).
		This mode still supports sessions and chaining (which can be turned
		off in configuration).

		The axssl sample runs with the minimum of features.

		This is the most space efficient of the modes with the library
		about 45kB in size. Use this mode if you are doing standard SSL server
		work.

config CONFIG_SSL_CERT_VERIFICATION
	bool "Server only - with verification"
	help
		Enable server functionality with client authentication (no client
		functionality).

		The axssl sample runs with the "-verify" and "-CAfile" options.

		This mode produces a library about 49kB in size. Use this mode if you
		have an SSL server which requires client authentication (which is
		uncommon in browser applications).

config CONFIG_SSL_ENABLE_CLIENT
	bool "Client/Server enabled"
	help
		Enable client/server functionality (including peer authentication).

		The axssl sample runs with the "s_client" option enabled.

		This mode produces a library about 51kB in size. Use this mode if you
		require axTLS to use SSL client functionality (the SSL server code
		is always enabled).

config CONFIG_SSL_FULL_MODE
	bool "Client/Server enabled with diagnostics"
	help
		Enable client/server functionality including diagnostics. Most of the
		extra size in this mode is due to the storage of various strings that
		are used.

		The axssl sample has 3 more options: "-debug", "-state" and "-show-rsa".

		This mode produces a library about 58kB in size. It is suggested that
		this mode is used only during development, or on systems that have more
		generous memory limits.

		It is the default, to demonstrate the features of axTLS.

config CONFIG_SSL_SKELETON_MODE
	bool "Skeleton mode - the smallest server mode"
	help
		This is an experiment to build the smallest library at the expense of
		features and speed.

		* Server mode only.
		* The AES cipher is disabled.
		* No session resumption.
		* No external keys/certificates are supported.
		* The bigint library has most of the performance features disabled.
		* Some other features/API calls may not work.

		This mode produces a library about 37kB in size. The main
		disadvantage of this mode is speed - it will be much slower than the
		other build modes.

endchoice

choice
	prompt "Protocol Preference"
	depends on !CONFIG_SSL_SKELETON_MODE
	default CONFIG_SSL_PROT_MEDIUM

config CONFIG_SSL_PROT_LOW
	bool "Low"
	help
		Chooses the cipher in the order of RC4-SHA, AES128-SHA, AES256-SHA.

		This will use the fastest cipher(s) but at the expense of security.

config CONFIG_SSL_PROT_MEDIUM
	bool "Medium"
	help
		Chooses the cipher in the order of AES128-SHA, AES256-SHA, RC4-SHA.

		This mode is a balance between speed and security and is the default.

config CONFIG_SSL_PROT_HIGH
	bool "High"
	help
		Chooses the cipher in the order of AES256-SHA, AES128-SHA, RC4-SHA.

		This will use the strongest cipher(s) at the cost of speed.

endchoice

config CONFIG_SSL_USE_DEFAULT_KEY
	bool "Enable default key"
	depends on !CONFIG_SSL_SKELETON_MODE
	default y
	help
		Some applications will not require the default private key/certificate
		that is built in. This is one way to save a couple of kB if an
		external private key/certificate is used.

		The private key is in ssl/private_key.h and the certificate is in
		ssl/cert.h.

		The advantage of a built-in private key/certificate is that no file
		system is required for access. Both the certificate and the private
		key will be automatically loaded on an ssl_ctx_new().

		However, this private key/certificate can never be changed (without a
		code update).

		This mode is enabled by default. Disable this mode if the
		built-in key/certificate is not used.

config CONFIG_SSL_PRIVATE_KEY_LOCATION
	string "Private key file location"
	depends on !CONFIG_SSL_USE_DEFAULT_KEY && !CONFIG_SSL_SKELETON_MODE
	help
		The file location of the private key which will be automatically
		loaded on an ssl_ctx_new().

config CONFIG_SSL_PRIVATE_KEY_PASSWORD
	string "Private key password"
	depends on !CONFIG_SSL_USE_DEFAULT_KEY && CONFIG_SSL_HAS_PEM
	help
		The password required to decrypt a PEM-encoded private key file.

config CONFIG_SSL_X509_CERT_LOCATION
	string "X.509 certificate file location"
	depends on !CONFIG_SSL_GENERATE_X509_CERT && !CONFIG_SSL_USE_DEFAULT_KEY && !CONFIG_SSL_SKELETON_MODE
	help
		The file location of the X.509 certificate which will be automatically
		loaded on an ssl_ctx_new().

config CONFIG_SSL_GENERATE_X509_CERT
	bool "Generate X.509 Certificate"
	default n
	help
		An X.509 certificate can be automatically generated on an
		ssl_ctx_new(). A private key still needs to be provided (the private
		key in ssl/private_key.h will be used unless
		CONFIG_SSL_PRIVATE_KEY_LOCATION is set).

		The certificate is generated on the fly, and so a minor start-up time
		penalty is to be expected. This feature adds around 5kB to the
		library.

		This feature is disabled by default.

config CONFIG_SSL_X509_COMMON_NAME
	string "X.509 Common Name"
	depends on CONFIG_SSL_GENERATE_X509_CERT
	help
		The common name for the X.509 certificate. This should be the fully
		qualified domain name (FQDN), e.g. www.foo.com.

		If this is blank, then the value from gethostname() and
		getdomainname() will be used.

config CONFIG_SSL_X509_ORGANIZATION_NAME
	string "X.509 Organization Name"
	depends on CONFIG_SSL_GENERATE_X509_CERT
	help
		The organization name for the generated X.509 certificate.

		This field is optional.

config CONFIG_SSL_X509_ORGANIZATION_UNIT_NAME
	string "X.509 Organization Unit Name"
	depends on CONFIG_SSL_GENERATE_X509_CERT
	help
		The organization unit name for the generated X.509 certificate.

		This field is optional.

config CONFIG_SSL_ENABLE_V23_HANDSHAKE
	bool "Enable v23 Handshake"
	default n
	help
		Some browsers use the v23 handshake client hello message
		(an SSL2 format message which all SSL servers can understand).
		It may be used if SSL2 is enabled in the browser.

		Since this feature takes a kB or so, it may be disabled - at
		the risk of making the server incompatible with some browsers (IE6 is
		ok; Firefox 1.5 and below use it).

		Disable if backwards compatibility is not an issue (i.e. the client is
		always using TLS1.0).

config CONFIG_SSL_HAS_PEM
	bool "Enable PEM"
	default n if !CONFIG_SSL_FULL_MODE
	default y if CONFIG_SSL_FULL_MODE
	depends on !CONFIG_SSL_SKELETON_MODE
	help
		Enable the use of PEM format for certificates and private keys.

		PEM is not normally needed - PEM files can be converted into DER files
		quite easily. However, they have the convenience of allowing multiple
		certificates/keys in the same file.

		This feature will add a couple of kB to the library.

		Disable if PEM is not used (which will be the case most of the time).

config CONFIG_SSL_USE_PKCS12
	bool "Use PKCS8/PKCS12"
	default n if !CONFIG_SSL_FULL_MODE
	default y if CONFIG_SSL_FULL_MODE
	depends on !CONFIG_SSL_SKELETON_MODE
	help
		PKCS#12 certificates combine private keys and certificates together in
		one file.

		PKCS#8 private keys are also supported (as it is a subset of PKCS#12).

		The decryption of these certificates uses RC4-128 (and these
		certificates must be encrypted using this cipher). The actual
		algorithm is "PBE-SHA1-RC4-128".

		Disable if PKCS#12 is not used (which will be the case most of the time).

config CONFIG_SSL_EXPIRY_TIME
	int "Session expiry time (in hours)"
	depends on !CONFIG_SSL_SKELETON_MODE
	default 24
	help
		The time (in hours) before a session expires.

		A longer time means that the expensive parts of a handshake don't
		need to be run when a client reconnects later.

		The default is 1 day.

config CONFIG_X509_MAX_CA_CERTS
	int "Maximum number of certificate authorities"
	default 150
	depends on !CONFIG_SSL_SERVER_ONLY && !CONFIG_SSL_SKELETON_MODE
	help
		Determines the number of CAs allowed.

		Increase this figure if more trusted sites are allowed. Each
		certificate adds about 300 bytes (when added).

		The default is to allow the Debian cert bundle to be parsed.

config CONFIG_SSL_MAX_CERTS
	int "Maximum number of chained certificates"
	default 3
	help
		Determines the number of certificates used in a certificate
		chain. The chain length must be at least 1.

		Increase this figure if more certificates are to be added to the
		chain. Each certificate adds about 300 bytes (when added).

		The default is to allow one certificate + 2 certificates in the chain.

config CONFIG_SSL_CTX_MUTEXING
	bool "Enable SSL_CTX mutexing"
	default n
	help
		Normally mutexing is not required - each SSL_CTX object can deal with
		many SSL objects (as long as each SSL_CTX object is used by a single
		thread).

		If the SSL_CTX object is not thread safe, e.g. the case where a
		new thread is created for each SSL object, then mutexing is required.

		Select y when a mutex on the SSL_CTX object is required.

config CONFIG_USE_DEV_URANDOM
	bool "Use /dev/urandom"
	default y
	depends on !CONFIG_PLATFORM_WIN32
	help
		Use /dev/urandom. Otherwise a custom RNG is used.

		This will be the default on most Linux systems.

config CONFIG_WIN32_USE_CRYPTO_LIB
	bool "Use Win32 Crypto Library"
	depends on CONFIG_PLATFORM_WIN32
	help
		Microsoft produces a Crypto API which requires the Platform SDK to be
		installed. It's used for the RNG.

		This will be the default on most Win32 systems.

config CONFIG_OPENSSL_COMPATIBLE
	bool "Enable openssl API compatibility"
	default n
	help
		To ease the porting of openssl applications, a subset of the openssl
		API is wrapped around the axTLS API.

		Note: not all of the API is implemented, so parts may still break. And
		it's definitely not 100% compatible.

config CONFIG_PERFORMANCE_TESTING
	bool "Build the bigint performance test tool"
	default n
	depends on CONFIG_SSL_CERT_VERIFICATION
	help
		Used for performance testing of bigint.

		This is a testing tool and is normally disabled.

config CONFIG_SSL_TEST
	bool "Build the SSL testing tool"
	default n
	depends on CONFIG_SSL_FULL_MODE && !CONFIG_SSL_GENERATE_X509_CERT
	help
		Used for sanity checking the SSL handshaking.

		This is a testing tool and is normally disabled.

endmenu
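The menu above encodes two kinds of constraints that a build review has to honour: `depends on` expressions (a string such as the private key location only makes sense when the built-in key is disabled and skeleton mode is off) and `choice` blocks (exactly one build mode; exactly one cipher preference, but none at all in skeleton mode). Embedded firmware builds often carry a hand-edited `.config`, where those rules are not enforced by the configurator. The script below is an added example, not axTLS code: it parses a constructed excerpt of the `depends on` and `choice` lines copied from this menu, reads a `.config` in the usual Kconfig output syntax, reports symbols set in violation of their dependencies or choice exclusivity, and flags the options whose own help text above describes them as trading security for size or speed (RC4-first cipher order, the built-in private key, the verification-free server modes, the SSL2-format v23 hello). The two sample `.config` fragments and the `/etc/axtls/...` paths in them are constructed for the demonstration.

```python
"""Audit a hand-edited axTLS .config against the `depends on` / `choice` rules of the menu above.
Added example, not part of axTLS."""
import re

# Constructed excerpt: only symbol names and `depends on` lines, copied from the menu above.
KCONFIG_EXCERPT = """
choice
config CONFIG_SSL_SERVER_ONLY
config CONFIG_SSL_CERT_VERIFICATION
config CONFIG_SSL_ENABLE_CLIENT
config CONFIG_SSL_FULL_MODE
config CONFIG_SSL_SKELETON_MODE
endchoice
choice
depends on !CONFIG_SSL_SKELETON_MODE
config CONFIG_SSL_PROT_LOW
config CONFIG_SSL_PROT_MEDIUM
config CONFIG_SSL_PROT_HIGH
endchoice
config CONFIG_SSL_USE_DEFAULT_KEY
depends on !CONFIG_SSL_SKELETON_MODE
config CONFIG_SSL_PRIVATE_KEY_LOCATION
depends on !CONFIG_SSL_USE_DEFAULT_KEY && !CONFIG_SSL_SKELETON_MODE
config CONFIG_SSL_X509_CERT_LOCATION
depends on !CONFIG_SSL_GENERATE_X509_CERT && !CONFIG_SSL_USE_DEFAULT_KEY && !CONFIG_SSL_SKELETON_MODE
config CONFIG_SSL_TEST
depends on CONFIG_SSL_FULL_MODE && !CONFIG_SSL_GENERATE_X509_CERT
"""

# Constructed .config fragments (absent symbols count as unset; the file paths are placeholders).
WEAK_CONFIG = """
CONFIG_SSL_SERVER_ONLY=y
CONFIG_SSL_PROT_LOW=y
CONFIG_SSL_USE_DEFAULT_KEY=y
CONFIG_SSL_PRIVATE_KEY_LOCATION="/etc/axtls/server.key"
CONFIG_SSL_ENABLE_V23_HANDSHAKE=y
"""
HARDENED_CONFIG = """
CONFIG_SSL_CERT_VERIFICATION=y
CONFIG_SSL_PROT_HIGH=y
# CONFIG_SSL_USE_DEFAULT_KEY is not set
CONFIG_SSL_PRIVATE_KEY_LOCATION="/etc/axtls/server.key"
CONFIG_SSL_X509_CERT_LOCATION="/etc/axtls/server.crt"
# CONFIG_SSL_GENERATE_X509_CERT is not set
"""


def evaluate(expr, cfg):
    """Evaluate a Kconfig boolean expression (!, &&, ||, parentheses) over a .config dict.
    A symbol is true only when set to y; every symbol used in the excerpt's `depends on` is a bool."""
    toks = re.findall(r"&&|\|\||[!()]|\w+", expr)
    pos = [0]

    def atom():
        tok = toks[pos[0]]
        pos[0] += 1
        if tok == "!":
            return not atom()
        if tok == "(":
            val = disjunction()
            pos[0] += 1  # consume ')'
            return val
        return cfg.get(tok) == "y"

    def conjunction():
        val = atom()
        while pos[0] < len(toks) and toks[pos[0]] == "&&":
            pos[0] += 1
            rhs = atom()
            val = val and rhs
        return val

    def disjunction():
        val = conjunction()
        while pos[0] < len(toks) and toks[pos[0]] == "||":
            pos[0] += 1
            rhs = conjunction()
            val = val or rhs
        return val

    return disjunction()


def parse_dotconfig(text):
    """Read .config lines of the forms NAME=y, NAME="str", NAME=24 and '# NAME is not set'."""
    cfg = {}
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"# (CONFIG_\w+) is not set$", line):
            cfg[m[1]] = "n"
        elif m := re.match(r"(CONFIG_\w+)=(.*)$", line):
            cfg[m[1]] = m[2].strip('"')
    return cfg


def parse_kconfig(text):
    """Collect each symbol's `depends on` expressions (a choice's own depends apply to all its
    members) and the member list of every choice block."""
    deps, choices, members, choice_deps, cur = {}, [], None, [], None
    for line in (l.strip() for l in text.splitlines()):
        if line == "choice":
            members, choice_deps, cur = [], [], None
        elif line == "endchoice":
            choices.append((members, choice_deps))
            members, choice_deps, cur = None, [], None
        elif line.startswith("config "):
            cur = line.split()[1]
            deps[cur] = list(choice_deps)
            if members is not None:
                members.append(cur)
        elif line.startswith("depends on "):
            (deps[cur] if cur else choice_deps).append(line[len("depends on "):])
    return deps, choices


def audit(kconfig_text, dotconfig_text):
    """Return findings: dependency violations, malformed choices, and options whose help text
    above describes a trade of security for size or speed."""
    deps, choices = parse_kconfig(kconfig_text)
    cfg = parse_dotconfig(dotconfig_text)

    def is_set(sym):
        return cfg.get(sym, "n") not in ("n", "")

    findings = []
    for sym, exprs in deps.items():
        for expr in exprs:
            if is_set(sym) and not evaluate(expr, cfg):
                findings.append(f"DEP {sym} is set but depends on '{expr}'")
    for members, cdeps in choices:
        want = 1 if all(evaluate(e, cfg) for e in cdeps) else 0  # inactive choice: no member set
        chosen = [m for m in members if is_set(m)]
        if len(chosen) != want:
            findings.append(f"CHOICE expected {want} of {members}, got {chosen}")
    if is_set("CONFIG_SSL_PROT_LOW"):
        findings.append("WEAK CONFIG_SSL_PROT_LOW prefers RC4-SHA over AES (speed over security)")
    if is_set("CONFIG_SSL_USE_DEFAULT_KEY"):
        findings.append("WEAK CONFIG_SSL_USE_DEFAULT_KEY uses the key compiled into ssl/private_key.h, "
                        "which cannot be changed without a code update")
    if is_set("CONFIG_SSL_SERVER_ONLY") or is_set("CONFIG_SSL_SKELETON_MODE"):
        findings.append("NOTE build mode performs no certificate verification")
    if is_set("CONFIG_SSL_ENABLE_V23_HANDSHAKE"):
        findings.append("NOTE SSL2-format v23 client hello accepted for legacy browsers")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(KCONFIG_EXCERPT, text)
        print(f"== {name}: {len(result)} finding(s)")
        for finding in result:
            print("  ", finding)
```

Run against `WEAK_CONFIG` the audit reports five findings: the private key location is set although `CONFIG_SSL_USE_DEFAULT_KEY=y` makes it unreachable, plus the four option notes; `HARDENED_CONFIG` passes cleanly. A `.config` that sets `CONFIG_SSL_SKELETON_MODE=y` together with a protocol preference produces both a `DEP` finding (the inherited `!CONFIG_SSL_SKELETON_MODE` fails) and a `CHOICE` finding, since that choice is inactive in skeleton mode.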