#
# For a description of the syntax of this configuration file,
# see scripts/config/Kconfig-language.txt
#

menu "SSL Library"

choice
    prompt "Mode"
    default CONFIG_SSL_FULL_MODE

config CONFIG_SSL_SERVER_ONLY
    bool "Server only - no verification"
    help
        Enable server functionality (no client functionality). 
        This mode still supports sessions and chaining (which can be turned
        off in configuration).

        The axssl sample runs with the minimum of features.
                
        This is the most space-efficient of the modes, with the library
        about 45kB in size. Use this mode if you are doing standard SSL server
        work.

config CONFIG_SSL_CERT_VERIFICATION
    bool "Server only - with verification"
    help
        Enable server functionality with client authentication (no client
        functionality). 

        The axssl sample runs with the "-verify" and "-CAfile" options.

        This mode produces a library about 49kB in size. Use this mode if you
        have an SSL server which requires client authentication (which is 
        uncommon in browser applications).

config CONFIG_SSL_ENABLE_CLIENT
    bool "Client/Server enabled"
    help
        Enable client/server functionality (including peer authentication).

        The axssl sample runs with the "s_client" option enabled.

        This mode produces a library about 51kB in size. Use this mode if you
        require axTLS to use SSL client functionality (the SSL server code
        is always enabled).

config CONFIG_SSL_FULL_MODE
    bool "Client/Server enabled with diagnostics"
    help
        Enable client/server functionality including diagnostics. Most of the
        extra size in this mode is due to the storage of various strings that
        are used.

        The axssl sample has 3 more options: "-debug", "-state" and "-show-rsa".

        This mode produces a library about 58kB in size. It is suggested that
        this mode is used only during development, or on systems that have more
        generous memory limits.

        It is the default to demonstrate the features of axTLS.

config CONFIG_SSL_SKELETON_MODE
    bool "Skeleton mode - the smallest server mode"
    help
        This is an experiment to build the smallest library at the expense of
        features and speed.

        * Server mode only.
        * The AES cipher is disabled.
        * No session resumption.
        * No external keys/certificates are supported.
        * The bigint library has most of the performance features disabled.
        * Some other features/API calls may not work.

        This mode produces a library about 37kB in size. The main
        disadvantage of this mode is speed - it will be much slower than the 
        other build modes.

endchoice

choice
    prompt "Protocol Preference"
    depends on !CONFIG_SSL_SKELETON_MODE
    default CONFIG_SSL_PROT_MEDIUM

config CONFIG_SSL_PROT_LOW
    bool "Low"
    help
        Chooses the cipher in the order of RC4-SHA, AES128-SHA, AES256-SHA.
      
        This will use the fastest cipher(s) but at the expense of security.

config CONFIG_SSL_PROT_MEDIUM
    bool "Medium"
    help
        Chooses the cipher in the order of AES128-SHA, AES256-SHA, RC4-SHA.
       
        This mode is a balance between speed and security and is the default.

config CONFIG_SSL_PROT_HIGH
    bool "High"
    help
        Chooses the cipher in the order of AES256-SHA, AES128-SHA, RC4-SHA.
        
        This will use the strongest cipher(s) at the cost of speed.

endchoice

config CONFIG_SSL_USE_DEFAULT_KEY
    bool "Enable default key"
    depends on !CONFIG_SSL_SKELETON_MODE
    default y 
    help
        Some applications will not require the default private key/certificate
        that is built in. This is one way to save a couple of kB if an
        external private key/certificate is used.

        The private key is in ssl/private_key.h and the certificate is in
        ssl/cert.h.

        The advantage of a built-in private key/certificate is that no file
        system is required for access. Both the certificate and the private
        key will be automatically loaded on a ssl_ctx_new().
        
        However, this private key/certificate can never be changed (without a
        code update). Because the built-in private key is part of the library
        source (ssl/private_key.h), it is not secret; use an external private
        key/certificate wherever the key must remain private.

        This mode is enabled by default. Disable this mode if the
        built-in key/certificate is not used.

config CONFIG_SSL_PRIVATE_KEY_LOCATION
    string "Private key file location"
    depends on !CONFIG_SSL_USE_DEFAULT_KEY && !CONFIG_SSL_SKELETON_MODE
    help
        The file location of the private key which will be automatically
        loaded on a ssl_ctx_new().

config CONFIG_SSL_PRIVATE_KEY_PASSWORD
    string "Private key password"
    depends on !CONFIG_SSL_USE_DEFAULT_KEY && CONFIG_SSL_HAS_PEM
    help
        The password required to decrypt a PEM-encoded private key file.

config CONFIG_SSL_X509_CERT_LOCATION
    string "X.509 certificate file location"
    depends on !CONFIG_SSL_GENERATE_X509_CERT && !CONFIG_SSL_USE_DEFAULT_KEY && !CONFIG_SSL_SKELETON_MODE
    help
        The file location of the X.509 certificate which will be automatically
        loaded on a ssl_ctx_new().

config CONFIG_SSL_GENERATE_X509_CERT
    bool "Generate X.509 Certificate"
    default n
    help
        An X.509 certificate can be automatically generated on a
        ssl_ctx_new(). A private key still needs to be provided (the private
        key in ssl/private_key.h will be used unless
        CONFIG_SSL_PRIVATE_KEY_LOCATION is set).

        The certificate is generated on the fly, and so a minor start-up time
        penalty is to be expected. This feature adds around 5kB to the
        library.

        This feature is disabled by default.

config CONFIG_SSL_X509_COMMON_NAME
    string "X.509 Common Name"
    depends on CONFIG_SSL_GENERATE_X509_CERT
    help
        The common name for the X.509 certificate. This should be the fully 
        qualified domain name (FQDN), e.g. www.foo.com.

        If this is blank, then the value from gethostname() and
        getdomainname() will be used.

config CONFIG_SSL_X509_ORGANIZATION_NAME
    string "X.509 Organization Name"
    depends on CONFIG_SSL_GENERATE_X509_CERT
    help
        The organization name for the generated X.509 certificate. 

        This field is optional.

config CONFIG_SSL_X509_ORGANIZATION_UNIT_NAME
    string "X.509 Organization Unit Name"
    depends on CONFIG_SSL_GENERATE_X509_CERT
    help
        The organization unit name for the generated X.509 certificate. 

        This field is optional.

config CONFIG_SSL_ENABLE_V23_HANDSHAKE
    bool "Enable v23 Handshake"
    default y
    help
        Some browsers use the v23 handshake client hello message 
        (an SSL2 format message which all SSL servers can understand). 
        It may be used if SSL2 is enabled in the browser.

        Since this feature takes a kB or so, this feature may be disabled - at
        the risk of making it incompatible with some browsers (IE6 is ok,
        Firefox 1.5 and below use it).

        Disable if backwards compatibility is not an issue (i.e. the client is
        always using TLS1.0).

config CONFIG_SSL_HAS_PEM
    bool "Enable PEM"
    default n if !CONFIG_SSL_FULL_MODE
    default y if CONFIG_SSL_FULL_MODE
    depends on !CONFIG_SSL_SKELETON_MODE
    help
        Enable the use of PEM format for certificates and private keys.

        PEM is not normally needed - PEM files can be converted into DER files
        quite easily. However they have the convenience of allowing multiple
        certificates/keys in the same file.
        
        This feature will add a couple of kB to the library. 

        Disable if PEM is not used (which will be in most cases).

config CONFIG_SSL_USE_PKCS12
    bool "Use PKCS8/PKCS12"
    default n if !CONFIG_SSL_FULL_MODE
    default y if CONFIG_SSL_FULL_MODE
    depends on !CONFIG_SSL_SERVER_ONLY && !CONFIG_SSL_SKELETON_MODE
    help
        PKCS#12 certificates combine private keys and certificates together in
        one file.

        PKCS#8 private keys are also supported (as PKCS#8 is a subset of PKCS#12).

        The decryption of these certificates uses RC4-128 (and these
        certificates must be encrypted using this cipher). The actual
        algorithm is "PBE-SHA1-RC4-128".

        Disable if PKCS#12 is not used (which will be in most cases).

config CONFIG_SSL_EXPIRY_TIME
    int "Session expiry time (in hours)"
    depends on !CONFIG_SSL_SKELETON_MODE
    default 24 
    help
        The time (in hours) before a session expires. 
        
        A longer time means that the expensive parts of a handshake don't 
        need to be run when a client reconnects later.

        The default is 1 day.

config CONFIG_X509_MAX_CA_CERTS
    int "Maximum number of certificate authorities"
    default 4
    depends on !CONFIG_SSL_SERVER_ONLY && !CONFIG_SSL_SKELETON_MODE
    help
        Determines the number of CAs allowed.

        Increase this figure if more trusted certificate authorities are
        needed. Each certificate adds about 300 bytes (when added).

        The default is to allow four certification authorities.

config CONFIG_SSL_MAX_CERTS
    int "Maximum number of chained certificates"
    default 2
    help
        Determines the number of certificates used in a certificate
        chain. The chain length must be at least 1.

        Increase this figure if more certificates are to be added to the 
        chain. Each certificate adds about 300 bytes (when added).

        The default is to allow one certificate plus one more certificate in the
        chain (which may be the certificate authority certificate).

config CONFIG_SSL_CTX_MUTEXING
    bool "Enable SSL_CTX mutexing"
    default n
    help
        Normally mutexing is not required - each SSL_CTX object can deal with
        many SSL objects (as long as each SSL_CTX object is using a single
        thread).

        If the SSL_CTX object is shared between threads, e.g. the case where a
        new thread is created for each SSL object, then mutexing is required.

        Select y when a mutex on the SSL_CTX object is required.

config CONFIG_USE_DEV_URANDOM
    bool "Use /dev/urandom"
    default y
    depends on !CONFIG_PLATFORM_WIN32
    help 
        Use /dev/urandom. Otherwise a custom RNG is used.

        This will be the default on most Linux systems.

config CONFIG_WIN32_USE_CRYPTO_LIB
    bool "Use Win32 Crypto Library"
    depends on CONFIG_PLATFORM_WIN32
    help 
        Microsoft produce a Crypto API which requires the Platform SDK to be
        installed. It's used for the RNG.

        This will be the default on most Win32 systems.

config CONFIG_OPENSSL_COMPATIBLE
    bool "Enable openssl API compatibility"
    default n
    help 
        To ease the porting of openssl applications, a subset of the openssl
        API is wrapped around the axTLS API.

        Note: not all the API is implemented, so parts may still break. And
        it's definitely not 100% compatible.

config CONFIG_PERFORMANCE_TESTING
    bool "Build the bigint performance test tool"
    default n
    help
        Used for performance testing of bigint.

        This is a testing tool and is normally disabled.

config CONFIG_SSL_TEST
    bool "Build the SSL testing tool"
    default n
    depends on CONFIG_SSL_FULL_MODE && !CONFIG_SSL_GENERATE_X509_CERT 
    help
        Used for sanity checking the SSL handshaking.

        This is a testing tool and is normally disabled.

endmenu