mirror of
https://github.com/espressif/ESP8266_RTOS_SDK.git
synced 2025-05-21 09:05:59 +08:00
566 lines
16 KiB
Plaintext
566 lines
16 KiB
Plaintext
menu "SSL"
|
|
|
|
choice SSL_LIBRARY_CHOOSE
|
|
prompt "Choose SSL/TLS library"
|
|
default SSL_USING_MBEDTLS
|
|
help
|
|
Choose the SSL/TLS library which you want to use.
|
|
|
|
Currently we support mbedTLS and axTLS.
|
|
|
|
config SSL_USING_MBEDTLS
|
|
bool "mbedTLS"
|
|
config SSL_USING_AXTLS
|
|
bool "axTLS"
|
|
config SSL_USING_WOLFSSL
|
|
bool "wolfSSL"
|
|
endchoice
|
|
|
|
menu "mbedTLS"
|
|
depends on SSL_USING_MBEDTLS
|
|
|
|
config MBEDTLS_SSL_MAX_CONTENT_LEN
|
|
int "TLS maximum message content length"
|
|
default 4096
|
|
range 512 16384
|
|
help
|
|
Maximum TLS message length (in bytes) supported by mbedTLS.
|
|
|
|
16384 is the default and this value is required to comply
|
|
fully with TLS standards.
|
|
|
|
However you can set a lower value in order to save RAM. This
|
|
is safe if the other end of the connection supports Maximum
|
|
Fragment Length Negotiation Extension (max_fragment_length,
|
|
see RFC6066) or you know for certain that it will never send a
|
|
message longer than a certain number of bytes.
|
|
|
|
If the value is set too low, symptoms are a failed TLS
|
|
handshake or a return value of MBEDTLS_ERR_SSL_INVALID_RECORD
|
|
(-0x7200).
|
|
|
|
config MBEDTLS_DEBUG
|
|
bool "Enable mbedTLS debugging"
|
|
default n
|
|
help
|
|
Enable mbedTLS debugging functions at compile time.
|
|
|
|
If this option is enabled, you must call mbedtls_esp_enable_debug_log
|
|
at runtime in order to enable mbedTLS debug output.
|
|
|
|
config MBEDTLS_DEBUG_LEVEL
|
|
int "Mbedtls debugging level"
|
|
default 4
|
|
range 0 4
|
|
depends on MBEDTLS_DEBUG
|
|
help
|
|
Mbedtls debugging level.
|
|
|
|
config MBEDTLS_HAVE_TIME
|
|
bool "Enable mbedtls time"
|
|
default y
|
|
help
|
|
System has time.h and time().
|
|
The time does not need to be correct, only time differences are used,
|
|
|
|
config MBEDTLS_HAVE_TIME_DATE
|
|
bool "Enable mbedtls time data"
|
|
depends on MBEDTLS_HAVE_TIME
|
|
default n
|
|
help
|
|
System has time.h and time(), gmtime() and the clock is correct.
|
|
The time needs to be correct (not necesarily very accurate, but at least
|
|
the date should be correct). This is used to verify the validity period of
|
|
X.509 certificates.
|
|
|
|
It is suggested that you should get the real time by "SNTP".
|
|
|
|
choice MBEDTLS_TLS_MODE
|
|
bool "TLS Protocol Role"
|
|
default MBEDTLS_TLS_SERVER_AND_CLIENT
|
|
help
|
|
mbedTLS can be compiled with protocol support for the TLS
|
|
server, TLS client, or both server and client.
|
|
|
|
Reducing the number of TLS roles supported saves code size.
|
|
|
|
config MBEDTLS_TLS_SERVER_AND_CLIENT
|
|
bool "Server & Client"
|
|
select MBEDTLS_TLS_SERVER
|
|
select MBEDTLS_TLS_CLIENT
|
|
config MBEDTLS_TLS_SERVER_ONLY
|
|
bool "Server"
|
|
select MBEDTLS_TLS_SERVER
|
|
config MBEDTLS_TLS_CLIENT_ONLY
|
|
bool "Client"
|
|
select MBEDTLS_TLS_CLIENT
|
|
config MBEDTLS_TLS_DISABLED
|
|
bool "None"
|
|
|
|
endchoice
|
|
|
|
config MBEDTLS_TLS_SERVER
|
|
bool
|
|
select MBEDTLS_TLS_ENABLED
|
|
config MBEDTLS_TLS_CLIENT
|
|
bool
|
|
select MBEDTLS_TLS_ENABLED
|
|
config MBEDTLS_TLS_ENABLED
|
|
bool
|
|
|
|
menu "TLS Key Exchange Methods"
|
|
depends on MBEDTLS_TLS_ENABLED
|
|
|
|
config MBEDTLS_PSK_MODES
|
|
bool "Enable pre-shared-key ciphersuites"
|
|
default n
|
|
help
|
|
Enable to show configuration for different types of pre-shared-key TLS authentatication methods.
|
|
|
|
Leaving this options disabled will save code size if they are not used.
|
|
|
|
config MBEDTLS_KEY_EXCHANGE_PSK
|
|
bool "Enable PSK based ciphersuite modes"
|
|
depends on MBEDTLS_PSK_MODES
|
|
default n
|
|
help
|
|
Enable to support symmetric key PSK (pre-shared-key) TLS key exchange modes.
|
|
|
|
config MBEDTLS_KEY_EXCHANGE_DHE_PSK
|
|
bool "Enable DHE-PSK based ciphersuite modes"
|
|
depends on MBEDTLS_PSK_MODES
|
|
default n
|
|
help
|
|
Enable to support Diffie-Hellman PSK (pre-shared-key) TLS authentication modes.
|
|
|
|
config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
|
|
bool "Enable ECDHE-PSK based ciphersuite modes"
|
|
depends on MBEDTLS_PSK_MODES
|
|
default n
|
|
help
|
|
Enable to support Elliptic-Curve-Diffie-Hellman PSK (pre-shared-key) TLS authentication modes.
|
|
|
|
config MBEDTLS_KEY_EXCHANGE_RSA_PSK
|
|
bool "Enable RSA-PSK based ciphersuite modes"
|
|
depends on MBEDTLS_PSK_MODES
|
|
default y
|
|
help
|
|
Enable to support RSA PSK (pre-shared-key) TLS authentication modes.
|
|
|
|
config MBEDTLS_KEY_EXCHANGE_RSA
|
|
bool "Enable RSA-only based ciphersuite modes"
|
|
default y
|
|
help
|
|
Enable to support ciphersuites with prefix TLS-RSA-WITH-
|
|
|
|
config MBEDTLS_KEY_EXCHANGE_DHE_RSA
|
|
bool "Enable DHE-RSA based ciphersuite modes"
|
|
default n
|
|
help
|
|
Enable to support ciphersuites with prefix TLS-DHE-RSA-WITH-
|
|
|
|
config MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE
|
|
bool "Support Elliptic Curve based ciphersuites"
|
|
depends on MBEDTLS_ECP_C
|
|
default n
|
|
help
|
|
Enable to show Elliptic Curve based ciphersuite mode options.
|
|
|
|
Disabling all Elliptic Curve ciphersuites saves code size and
|
|
can give slightly faster TLS handshakes, provided the server supports
|
|
RSA-only ciphersuite modes.
|
|
|
|
config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA
|
|
bool "Enable ECDHE-RSA based ciphersuite modes"
|
|
depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE && MBEDTLS_ECDH_C
|
|
default n
|
|
help
|
|
Enable to support ciphersuites with prefix TLS-ECDHE-RSA-WITH-
|
|
|
|
config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
|
|
bool "Enable ECDHE-ECDSA based ciphersuite modes"
|
|
depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE && MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C
|
|
default n
|
|
help
|
|
Enable to support ciphersuites with prefix TLS-ECDHE-RSA-WITH-
|
|
|
|
config MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA
|
|
bool "Enable ECDH-ECDSA based ciphersuite modes"
|
|
depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE && MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C
|
|
default n
|
|
help
|
|
Enable to support ciphersuites with prefix TLS-ECDHE-RSA-WITH-
|
|
|
|
config MBEDTLS_KEY_EXCHANGE_ECDH_RSA
|
|
bool "Enable ECDH-RSA based ciphersuite modes"
|
|
depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE && MBEDTLS_ECDH_C
|
|
default n
|
|
help
|
|
Enable to support ciphersuites with prefix TLS-ECDHE-RSA-WITH-
|
|
|
|
endmenu # TLS key exchange modes
|
|
|
|
config MBEDTLS_SSL_RENEGOTIATION
|
|
bool "Support TLS renegotiation"
|
|
depends on MBEDTLS_TLS_ENABLED
|
|
default n
|
|
help
|
|
The two main uses of renegotiation are (1) refresh keys on long-lived
|
|
connections and (2) client authentication after the initial handshake.
|
|
If you don't need renegotiation, disabling it will save code size and
|
|
reduce the possibility of abuse/vulnerability.
|
|
|
|
config MBEDTLS_SSL_PROTO_SSL3
|
|
bool "Legacy SSL 3.0 support"
|
|
depends on MBEDTLS_TLS_ENABLED
|
|
default n
|
|
help
|
|
Support the legacy SSL 3.0 protocol. Most servers will speak a newer
|
|
TLS protocol these days.
|
|
|
|
config MBEDTLS_SSL_PROTO_TLS1
|
|
bool "Support TLS 1.0 protocol"
|
|
depends on MBEDTLS_TLS_ENABLED
|
|
default y
|
|
|
|
config MBEDTLS_SSL_PROTO_TLS1_1
|
|
bool "Support TLS 1.1 protocol"
|
|
depends on MBEDTLS_TLS_ENABLED
|
|
default y
|
|
|
|
config MBEDTLS_SSL_PROTO_TLS1_2
|
|
bool "Support TLS 1.2 protocol"
|
|
depends on MBEDTLS_TLS_ENABLED
|
|
default y
|
|
|
|
config MBEDTLS_SSL_PROTO_DTLS
|
|
bool "Support DTLS protocol (all versions)"
|
|
default n
|
|
depends on MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2
|
|
help
|
|
Requires TLS 1.1 to be enabled for DTLS 1.0
|
|
Requires TLS 1.2 to be enabled for DTLS 1.2
|
|
|
|
config MBEDTLS_SSL_ALPN
|
|
bool "Support ALPN (Application Layer Protocol Negotiation)"
|
|
depends on MBEDTLS_TLS_ENABLED
|
|
default n
|
|
help
|
|
Disabling this option will save some code size if it is not needed.
|
|
|
|
config MBEDTLS_SSL_SESSION_TICKETS
|
|
bool "TLS: Support RFC 5077 SSL session tickets"
|
|
default n
|
|
depends on MBEDTLS_TLS_ENABLED
|
|
help
|
|
Support RFC 5077 session tickets. See mbedTLS documentation for more details.
|
|
|
|
Disabling this option will save some code size.
|
|
|
|
menu "Symmetric Ciphers"
|
|
|
|
config MBEDTLS_AES_C
|
|
bool "AES block cipher"
|
|
default y
|
|
|
|
config MBEDTLS_CAMELLIA_C
|
|
bool "Camellia block cipher"
|
|
default n
|
|
|
|
config MBEDTLS_DES_C
|
|
bool "DES block cipher (legacy, insecure)"
|
|
default n
|
|
help
|
|
Enables the DES block cipher to support 3DES-based TLS ciphersuites.
|
|
|
|
3DES is vulnerable to the Sweet32 attack and should only be enabled
|
|
if absolutely necessary.
|
|
|
|
choice MBEDTLS_RC4_MODE
|
|
prompt "RC4 Stream Cipher (legacy, insecure)"
|
|
default MBEDTLS_RC4_DISABLED
|
|
help
|
|
ARCFOUR (RC4) stream cipher can be disabled entirely, enabled but not
|
|
added to default ciphersuites, or enabled completely.
|
|
|
|
Please consider the security implications before enabling RC4.
|
|
|
|
config MBEDTLS_RC4_DISABLED
|
|
bool "Disabled"
|
|
config MBEDTLS_RC4_ENABLED_NO_DEFAULT
|
|
bool "Enabled, not in default ciphersuites"
|
|
config MBEDTLS_RC4_ENABLED
|
|
bool "Enabled"
|
|
endchoice
|
|
|
|
config MBEDTLS_BLOWFISH_C
|
|
bool "Blowfish block cipher (read help)"
|
|
default n
|
|
help
|
|
Enables the Blowfish block cipher (not used for TLS sessions.)
|
|
|
|
The Blowfish cipher is not used for mbedTLS TLS sessions but can be
|
|
used for other purposes. Read up on the limitations of Blowfish (including
|
|
Sweet32) before enabling.
|
|
|
|
config MBEDTLS_XTEA_C
|
|
bool "XTEA block cipher"
|
|
default y
|
|
help
|
|
Enables the XTEA block cipher.
|
|
|
|
|
|
config MBEDTLS_CCM_C
|
|
bool "CCM (Counter with CBC-MAC) block cipher modes"
|
|
default n
|
|
depends on MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C
|
|
help
|
|
Enable Counter with CBC-MAC (CCM) modes for AES and/or Camellia ciphers.
|
|
|
|
Disabling this option saves some code size.
|
|
|
|
config MBEDTLS_GCM_C
|
|
bool "GCM (Galois/Counter) block cipher modes"
|
|
default n
|
|
depends on MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C
|
|
help
|
|
Enable Galois/Counter Mode for AES and/or Camellia ciphers.
|
|
|
|
This option is generally faster than CCM.
|
|
|
|
endmenu # Symmetric Ciphers
|
|
|
|
config MBEDTLS_RIPEMD160_C
|
|
bool "Enable RIPEMD-160 hash algorithm"
|
|
default n
|
|
help
|
|
Enable the RIPEMD-160 hash algorithm.
|
|
|
|
menu "Certificates"
|
|
|
|
config MBEDTLS_PEM_PARSE_C
|
|
bool "Read & Parse PEM formatted certificates"
|
|
default y
|
|
help
|
|
Enable decoding/parsing of PEM formatted certificates.
|
|
|
|
If your certificates are all in the simpler DER format, disabling
|
|
this option will save some code size.
|
|
|
|
config MBEDTLS_PEM_WRITE_C
|
|
bool "Write PEM formatted certificates"
|
|
default y
|
|
help
|
|
Enable writing of PEM formatted certificates.
|
|
|
|
If writing certificate data only in DER format, disabling this
|
|
option will save some code size.
|
|
|
|
config MBEDTLS_X509_CRL_PARSE_C
|
|
bool "X.509 CRL parsing"
|
|
default y
|
|
help
|
|
Support for parsing X.509 Certifificate Revocation Lists.
|
|
|
|
config MBEDTLS_X509_CSR_PARSE_C
|
|
bool "X.509 CSR parsing"
|
|
default y
|
|
help
|
|
Support for parsing X.509 Certifificate Signing Requests
|
|
|
|
endmenu # Certificates
|
|
|
|
menuconfig MBEDTLS_ECP_C
|
|
bool "Elliptic Curve Ciphers"
|
|
default n
|
|
|
|
config MBEDTLS_ECDH_C
|
|
bool "Elliptic Curve Diffie-Hellman (ECDH)"
|
|
depends on MBEDTLS_ECP_C
|
|
default y
|
|
help
|
|
Enable ECDH. Needed to use ECDHE-xxx TLS ciphersuites.
|
|
|
|
config MBEDTLS_DHM_C
|
|
bool "Diffie-Hellman-Merkle(DHM)"
|
|
default y
|
|
help
|
|
Enable the Diffie-Hellman-Merkle module.
|
|
|
|
config MBEDTLS_ECDSA_C
|
|
bool "Elliptic Curve DSA"
|
|
depends on MBEDTLS_ECDH_C
|
|
default y
|
|
help
|
|
Enable ECDSA. Needed to use ECDSA-xxx TLS ciphersuites.
|
|
|
|
config MBEDTLS_ECP_DP_SECP192R1_ENABLED
|
|
bool "Enable SECP192R1 curve"
|
|
depends on MBEDTLS_ECP_C
|
|
default y
|
|
help
|
|
Enable support for SECP192R1 Elliptic Curve.
|
|
|
|
config MBEDTLS_ECP_DP_SECP224R1_ENABLED
|
|
bool "Enable SECP224R1 curve"
|
|
depends on MBEDTLS_ECP_C
|
|
default y
|
|
help
|
|
Enable support for SECP224R1 Elliptic Curve.
|
|
|
|
config MBEDTLS_ECP_DP_SECP256R1_ENABLED
|
|
bool "Enable SECP256R1 curve"
|
|
depends on MBEDTLS_ECP_C
|
|
default y
|
|
help
|
|
Enable support for SECP256R1 Elliptic Curve.
|
|
|
|
config MBEDTLS_ECP_DP_SECP384R1_ENABLED
|
|
bool "Enable SECP384R1 curve"
|
|
depends on MBEDTLS_ECP_C
|
|
default y
|
|
help
|
|
Enable support for SECP384R1 Elliptic Curve.
|
|
|
|
config MBEDTLS_ECP_DP_SECP521R1_ENABLED
|
|
bool "Enable SECP521R1 curve"
|
|
depends on MBEDTLS_ECP_C
|
|
default y
|
|
help
|
|
Enable support for SECP521R1 Elliptic Curve.
|
|
|
|
config MBEDTLS_ECP_DP_SECP192K1_ENABLED
|
|
bool "Enable SECP192K1 curve"
|
|
depends on MBEDTLS_ECP_C
|
|
default y
|
|
help
|
|
Enable support for SECP192K1 Elliptic Curve.
|
|
|
|
config MBEDTLS_ECP_DP_SECP224K1_ENABLED
|
|
bool "Enable SECP224K1 curve"
|
|
depends on MBEDTLS_ECP_C
|
|
default y
|
|
help
|
|
Enable support for SECP224K1 Elliptic Curve.
|
|
|
|
config MBEDTLS_ECP_DP_SECP256K1_ENABLED
|
|
bool "Enable SECP256K1 curve"
|
|
depends on MBEDTLS_ECP_C
|
|
default y
|
|
help
|
|
Enable support for SECP256K1 Elliptic Curve.
|
|
|
|
config MBEDTLS_ECP_DP_BP256R1_ENABLED
|
|
bool "Enable BP256R1 curve"
|
|
depends on MBEDTLS_ECP_C
|
|
default y
|
|
help
|
|
support for DP Elliptic Curve.
|
|
|
|
config MBEDTLS_ECP_DP_BP384R1_ENABLED
|
|
bool "Enable BP384R1 curve"
|
|
depends on MBEDTLS_ECP_C
|
|
default y
|
|
help
|
|
support for DP Elliptic Curve.
|
|
|
|
config MBEDTLS_ECP_DP_BP512R1_ENABLED
|
|
bool "Enable BP512R1 curve"
|
|
depends on MBEDTLS_ECP_C
|
|
default y
|
|
help
|
|
support for DP Elliptic Curve.
|
|
|
|
config MBEDTLS_ECP_DP_CURVE25519_ENABLED
|
|
bool "Enable CURVE25519 curve"
|
|
depends on MBEDTLS_ECP_C
|
|
default y
|
|
help
|
|
Enable support for CURVE25519 Elliptic Curve.
|
|
|
|
config MBEDTLS_ECP_NIST_OPTIM
|
|
bool "NIST 'modulo p' optimisations"
|
|
depends on MBEDTLS_ECP_C
|
|
default y
|
|
help
|
|
NIST 'modulo p' optimisations increase Elliptic Curve operation performance.
|
|
|
|
Disabling this option saves some code size.
|
|
|
|
# end of Elliptic Curve options
|
|
|
|
menu "OpenSSL"
|
|
|
|
config OPENSSL_DEBUG
|
|
bool "Enable OpenSSL debugging"
|
|
default n
|
|
help
|
|
Enable OpenSSL debugging function.
|
|
|
|
If the option is enabled, "SSL_DEBUG" works.
|
|
|
|
config OPENSSL_DEBUG_LEVEL
|
|
int "OpenSSL debugging level"
|
|
default 0
|
|
range 0 255
|
|
depends on OPENSSL_DEBUG
|
|
help
|
|
OpenSSL debugging level.
|
|
|
|
Only function whose debugging level is higher than "OPENSSL_DEBUG_LEVEL" works.
|
|
|
|
For example:
|
|
If OPENSSL_DEBUG_LEVEL = 2, you use function "SSL_DEBUG(1, "malloc failed")". Because 1 < 2, it will not print.
|
|
|
|
config OPENSSL_LOWLEVEL_DEBUG
|
|
bool "Enable OpenSSL low-level module debugging"
|
|
default n
|
|
depends on OPENSSL_DEBUG
|
|
select MBEDTLS_DEBUG
|
|
help
|
|
If the option is enabled, low-level module debugging function of OpenSSL is enabled, e.g. mbedtls internal debugging function.
|
|
|
|
choice OPENSSL_ASSERT
|
|
prompt "Select OpenSSL assert function"
|
|
default CONFIG_OPENSSL_ASSERT_EXIT
|
|
help
|
|
OpenSSL function needs "assert" function to check if input parameters are valid.
|
|
|
|
If you want to use assert debugging function, "OPENSSL_DEBUG" should be enabled.
|
|
|
|
config OPENSSL_ASSERT_DO_NOTHING
|
|
bool "Do nothing"
|
|
help
|
|
Do nothing and "SSL_ASSERT" does not work.
|
|
|
|
config OPENSSL_ASSERT_EXIT
|
|
bool "Check and exit"
|
|
help
|
|
Enable assert exiting, it will check and return error code.
|
|
|
|
config OPENSSL_ASSERT_DEBUG
|
|
bool "Show debugging message"
|
|
depends on OPENSSL_DEBUG
|
|
help
|
|
Enable assert debugging, it will check and show debugging message.
|
|
|
|
config OPENSSL_ASSERT_DEBUG_EXIT
|
|
bool "Show debugging message and exit"
|
|
depends on OPENSSL_DEBUG
|
|
help
|
|
Enable assert debugging and exiting, it will check, show debugging message and return error code.
|
|
|
|
config OPENSSL_ASSERT_DEBUG_BLOCK
|
|
bool "Show debugging message and block"
|
|
depends on OPENSSL_DEBUG
|
|
help
|
|
Enable assert debugging and blocking, it will check, show debugging message and block by "while (1);".
|
|
|
|
endchoice
|
|
|
|
endmenu
|
|
|
|
endmenu # mbedTLS
|
|
|
|
endmenu
|