//config CONFIG_SSL_SERVER_ONLY // bool "Server only - no verification" // help // Enable server functionality (no client functionality). // This mode still supports sessions and chaining (which can be turned // off in configuration). // // The axssl sample runs with the minimum of features. // // This is the most space efficient of the modes with the library // about 45kB in size. Use this mode if you are doing standard SSL server // work. //config CONFIG_SSL_CERT_VERIFICATION // bool "Server only - with verification" // help // Enable server functionality with client authentication (no client // functionality). // // The axssl sample runs with the "-verify" and "-CAfile" options. // // This mode produces a library about 49kB in size. Use this mode if you // have an SSL server which requires client authentication (which is // uncommon in browser applications). //config CONFIG_SSL_ENABLE_CLIENT // bool "Client/Server enabled" // help // Enable client/server functionality (including peer authentication). // // The axssl sample runs with the "s_client" option enabled. // // This mode produces a library about 51kB in size. Use this mode if you // require axTLS to use SSL client functionality (the SSL server code // is always enabled). #define CONFIG_SSL_FULL_MODE //config CONFIG_SSL_FULL_MODE // bool "Client/Server enabled with diagnostics" // help // Enable client/server functionality including diagnostics. Most of the // extra size in this mode is due to the storage of various strings that // are used. // // The axssl sample has 3 more options, "-debug", "-state" and "-show-rsa" // // This mode produces a library about 58kB in size. It is suggested that // this mode is used only during development, or systems that have more // generous memory limits. // // It is the default to demonstrate the features of axTLS. //config CONFIG_SSL_SKELETON_MODE // bool "Skeleton mode - the smallest server mode" // help // This is an experiment to build the smallest library at the expense of // features and speed. // // * Server mode only. // * The AES cipher is disabled. // * No session resumption. // * No external keys/certificates are supported. // * The bigint library has most of the performance features disabled. // * Some other features/API calls may not work. // // This mode produces a library about 37kB in size. The main // disadvantage of this mode is speed - it will be much slower than the // other build modes. //choice // prompt "Protocol Preference" // depends on !CONFIG_SSL_SKELETON_MODE // default CONFIG_SSL_PROT_MEDIUM // //config CONFIG_SSL_PROT_LOW // bool "Low" // help // Chooses the cipher in the order of RC4-SHA, AES128-SHA, AES256-SHA. // // This will use the fastest cipher(s) but at the expense of security. // #define CONFIG_SSL_PROT_MEDIUM 1 //config CONFIG_SSL_PROT_MEDIUM // bool "Medium" // help // Chooses the cipher in the order of AES128-SHA, AES256-SHA, RC4-SHA. // // This mode is a balance between speed and security and is the default. // //config CONFIG_SSL_PROT_HIGH // bool "High" // help // Chooses the cipher in the order of AES256-SHA, AES128-SHA, RC4-SHA. // // This will use the strongest cipher(s) at the cost of speed. #define CONFIG_SSL_USE_DEFAULT_KEY 1 //config CONFIG_SSL_USE_DEFAULT_KEY // bool "Enable default key" // depends on !CONFIG_SSL_SKELETON_MODE // default y // help // Some applications will not require the default private key/certificate // that is built in. This is one way to save on a couple of kB's if an // external private key/certificate is used. // // The private key is in ssl/private_key.h and the certificate is in // ssl/cert.h. // // The advantage of a built-in private key/certificate is that no file // system is required for access. Both the certificate and the private // key will be automatically loaded on a ssl_ctx_new(). // // However this private key/certificate can never be changed (without a // code update). // // This mode is enabled by default. Disable this mode if the // built-in key/certificate is not used. // #define CONFIG_SSL_PRIVATE_KEY_LOCATION "" //"axTLS.key" //config CONFIG_SSL_PRIVATE_KEY_LOCATION // string "Private key file location" // depends on !CONFIG_SSL_USE_DEFAULT_KEY && !CONFIG_SSL_SKELETON_MODE // help // The file location of the private key which will be automatically // loaded on a ssl_ctx_new(). // #define CONFIG_SSL_PRIVATE_KEY_PASSWORD "" //config CONFIG_SSL_PRIVATE_KEY_PASSWORD // string "Private key password" // depends on !CONFIG_SSL_USE_DEFAULT_KEY && CONFIG_SSL_HAS_PEM // help // The password required to decrypt a PEM-encoded password file. // #define CONFIG_SSL_X509_CERT_LOCATION "" //"axTLS_x509.cer" //config CONFIG_SSL_X509_CERT_LOCATION // string "X.509 certificate file location" // depends on !CONFIG_SSL_GENERATE_X509_CERT && !CONFIG_SSL_USE_DEFAULT_KEY && !CONFIG_SSL_SKELETON_MODE // help // The file location of the X.509 certificate which will be automatically // loaded on a ssl_ctx_new(). // //config CONFIG_SSL_GENERATE_X509_CERT // bool "Generate X.509 Certificate" // default n // help // An X.509 certificate can be automatically generated on a // ssl_ctx_new(). A private key still needs to be provided (the private // key in ss/private_key.h will be used unless // CONFIG_SSL_PRIVATE_KEY_LOCATION is set). // // The certificate is generated on the fly, and so a minor start-up time // penalty is to be expected. This feature adds around 5kB to the // library. // // This feature is disabled by default. // //config CONFIG_SSL_X509_COMMON_NAME // string "X.509 Common Name" // depends on CONFIG_SSL_GENERATE_X509_CERT // help // The common name for the X.509 certificate. This should be the fully // qualified domain name (FQDN), e.g. www.foo.com. // // If this is blank, then this will be value from gethostname() and // getdomainname(). // //config CONFIG_SSL_X509_ORGANIZATION_NAME // string "X.509 Organization Name" // depends on CONFIG_SSL_GENERATE_X509_CERT // help // The organization name for the generated X.509 certificate. // // This field is optional. // //config CONFIG_SSL_X509_ORGANIZATION_UNIT_NAME // string "X.509 Organization Unit Name" // depends on CONFIG_SSL_GENERATE_X509_CERT // help // The organization unit name for the generated X.509 certificate. // // This field is optional. //config CONFIG_SSL_ENABLE_V23_HANDSHAKE // bool "Enable v23 Handshake" // default y // help // Some browsers use the v23 handshake client hello message // (an SSL2 format message which all SSL servers can understand). // It may be used if SSL2 is enabled in the browser. // // Since this feature takes a kB or so, this feature may be disabled - at // the risk of making it incompatible with some browsers (IE6 is ok, // Firefox 1.5 and below use it). // // Disable if backwards compatibility is not an issue (i.e. the client is // always using TLS1.0) #define CONFIG_SSL_HAS_PEM 1 //config CONFIG_SSL_HAS_PEM // bool "Enable PEM" // default n if !CONFIG_SSL_FULL_MODE // default y if CONFIG_SSL_FULL_MODE // depends on !CONFIG_SSL_SKELETON_MODE // help // Enable the use of PEM format for certificates and private keys. // // PEM is not normally needed - PEM files can be converted into DER files // quite easily. However they have the convenience of allowing multiple // certificates/keys in the same file. // // This feature will add a couple of kB to the library. // // Disable if PEM is not used (which will be in most cases). #define CONFIG_SSL_USE_PKCS12 1 //config CONFIG_SSL_USE_PKCS12 // bool "Use PKCS8/PKCS12" // default n if !CONFIG_SSL_FULL_MODE // default y if CONFIG_SSL_FULL_MODE // depends on !CONFIG_SSL_SERVER_ONLY && !CONFIG_SSL_SKELETON_MODE // help // PKCS#12 certificates combine private keys and certificates together in // one file. // // PKCS#8 private keys are also suppported (as it is a subset of PKCS#12). // // The decryption of these certificates uses RC4-128 (and these // certificates must be encrypted using this cipher). The actual // algorithm is "PBE-SHA1-RC4-128". // // Disable if PKCS#12 is not used (which will be in most cases). #define CONFIG_SSL_EXPIRY_TIME 24 //config CONFIG_SSL_EXPIRY_TIME // int "Session expiry time (in hours)" // depends on !CONFIG_SSL_SKELETON_MODE // default 24 // help // The time (in hours) before a session expires. // // A longer time means that the expensive parts of a handshake don't // need to be run when a client reconnects later. // // The default is 1 day. // #define CONFIG_X509_MAX_CA_CERTS 4 //config CONFIG_X509_MAX_CA_CERTS // int "Maximum number of certificate authorites" // default 4 // depends on !CONFIG_SSL_SERVER_ONLY && !CONFIG_SSL_SKELETON_MODE // help // Determines the number of CA's allowed. // // Increase this figure if more trusted sites are allowed. Each // certificate adds about 300 bytes (when added). // // The default is to allow four certification authorities. // #define CONFIG_SSL_MAX_CERTS 2 //config CONFIG_SSL_MAX_CERTS // int "Maximum number of chained certificates" // default 2 // help // Determines the number of certificates used in a certificate // chain. The chain length must be at least 1. // // Increase this figure if more certificates are to be added to the // chain. Each certificate adds about 300 bytes (when added). // // The default is to allow one certificate + 1 certificate in the chain // (which may be the certificate authority certificate). // #define CONFIG_SSL_CTX_MUTEXING 1 //config CONFIG_SSL_CTX_MUTEXING // bool "Enable SSL_CTX mutexing" // default n // help // Normally mutexing is not required - each SSL_CTX object can deal with // many SSL objects (as long as each SSL_CTX object is using a single // thread). // // If the SSL_CTX object is not thread safe e.g. the case where a // new thread is created for each SSL object, then mutexing is required. // // Select y when a mutex on the SSL_CTX object is required. // //config CONFIG_USE_DEV_URANDOM // bool "Use /dev/urandom" // default y // depends on !CONFIG_PLATFORM_WIN32 // help // Use /dev/urandom. Otherwise a custom RNG is used. // // This will be the default on most Linux systems. // //config CONFIG_WIN32_USE_CRYPTO_LIB // bool "Use Win32 Crypto Library" // depends on CONFIG_PLATFORM_WIN32 // help // Microsoft produce a Crypto API which requires the Platform SDK to be // installed. It's used for the RNG. // // This will be the default on most Win32 systems. // //config CONFIG_OPENSSL_COMPATIBLE // bool "Enable openssl API compatibility" // default n // help // To ease the porting of openssl applications, a subset of the openssl // API is wrapped around the axTLS API. // // Note: not all the API is implemented, so parts may still break. And // it's definitely not 100% compatible. // //config CONFIG_PERFORMANCE_TESTING // bool "Build the bigint performance test tool" // default n // help // Used for performance testing of bigint. // // This is a testing tool and is normally disabled. // //config CONFIG_SSL_TEST // bool "Build the SSL testing tool" // default n // depends on CONFIG_SSL_FULL_MODE && !CONFIG_SSL_GENERATE_X509_CERT // help // Used for sanity checking the SSL handshaking. // // This is a testing tool and is normally disabled.