menu "configure mbedtls" config ENABLE_MBEDTLS_DEBUG bool "Enable mbedTLS debugging" default n help Enable mbedTLS debugging functions at compile time. If this option is enabled, you can include "mbedtls/esp_debug.h" and call mbedtls_esp_enable_debug_log() at runtime in order to enable mbedTLS debug output via the ESP log mechanism. config MBEDTLS_DEBUG_LEVEL int "debug level set" range 0 5 depends on ENABLE_MBEDTLS_DEBUG default 1 config ENABLE_MBEDTLS_SSL_MAX_CONTENT_LEN int "TLS maximum message content length" default 1024 range 512 16384 help Maximum TLS message length (in bytes) supported by mbedTLS. 16384 is the default and this value is required to comply fully with TLS standards. However you can set a lower value in order to save RAM. This is safe if the other end of the connection supports Maximum Fragment Length Negotiation Extension (max_fragment_length, see RFC6066) or you know for certain that it will never send a message longer than a certain number of bytes. If the value is set too low, symptoms are a failed TLS handshake or a return value of MBEDTLS_ERR_SSL_INVALID_RECORD (-0x7200). menuconfig ENABLE_CUSTOM_CONFIG bool "Enable user custom" default n if(ENABLE_CUSTOM_CONFIG) config ENABLE_MBEDTLS_SSL_MAX_FRAGMENT_LENGTH bool "Enable fragment" default n config ENABLE_MBEDTLS_CLIENT_SSL_SESSION_TICKETS bool "TLS: Client Support for RFC 5077 SSL session tickets" default n help Client support for RFC 5077 session tickets. See mbedTLS documentation for more details. Disabling this option will save some code size. config ENABLE_MBEDTLS_HAVE_TIME bool "Enable mbedtls time" default n help System has time.h and time(). The time does not need to be correct, only time differences are used. config ENABLE_MBEDTLS_HAVE_TIME_DATE bool "Enable mbedtls certificate expiry check" depends on ENABLE_MBEDTLS_HAVE_TIME default n help System has time.h and time(), gmtime() and the clock is correct. The time needs to be correct (not necesarily very accurate, but at least the date should be correct). This is used to verify the validity period of X.509 certificates. It is suggested that you should get the real time by "SNTP". config ENABLE_MBEDTLS_FS_IO bool "Enable mbedtls fs" default n help System has time.h and time(). The time does not need to be correct, only time differences are used. config ENABLE_MBEDTLS_NET_C bool "Enable net" default n help Enable the NET. config ENABLE_MBEDTLS_HAVEGE_C bool "Enable mbedtls havege" default n config ENABLE_MBEDTLS_TIMING_C bool "Enable mbedtls timing" default n config ENABLE_MBEDTLS_ARC4_C bool "Enable arc4" default n menu "Hash Algorithms" config ENABLE_MBEDTLS_SHA512_C bool "Enable SHA-384/SHA-512 hash algorithms" default n help Enable SHA-512 and optional SHA-384 hash support. config ENABLE_MBEDTLS_SHA384_C bool "Enable SHA-384 hash algorithm" select ENABLE_MBEDTLS_SHA512_C default n help Enable SHA-384 in addition to SHA-512. endmenu # Hash Algorithms menu "Symmetric Ciphers" config ENABLE_MBEDTLS_DES_C bool "DES block cipher (legacy, insecure)" default n help Enables the DES block cipher to support 3DES-based TLS ciphersuites. 3DES is vulnerable to the Sweet32 attack and should only be enabled if absolutely necessary. config ENABLE_MBEDTLS_CAMELLIA_C bool "Camellia block cipher" default n config ENABLE_MBEDTLS_BLOWFISH_C bool "Blowfish block cipher (read help)" default n help Enables the Blowfish block cipher (not used for TLS sessions.) The Blowfish cipher is not used for mbedTLS TLS sessions but can be used for other purposes. Read up on the limitations of Blowfish (including Sweet32) before enabling. config ENABLE_MBEDTLS_XTEA_C bool "XTEA block cipher" default n help Enables the XTEA block cipher. config ENABLE_MBEDTLS_CCM_C bool "CCM (Counter with CBC-MAC) block cipher modes" default y help Enable Counter with CBC-MAC (CCM) modes for AES and/or Camellia ciphers. Disabling this option saves some code size. config ENABLE_MBEDTLS_GCM_C bool "GCM (Galois/Counter) block cipher modes" default y help Enable Galois/Counter Mode for AES and/or Camellia ciphers. This option is generally faster than CCM. endmenu # Symmetric Ciphers menu "Asymmetric Ciphers" config ENABLE_MBEDTLS_RSA_C bool "rsa" default n config ENABLE_MBEDTLS_GENPRIME bool "gen prime" depends on ENABLE_MBEDTLS_RSA_C default n config ENABLE_MBEDTLS_DHM_C bool "dhm" default n config ENABLE_MBEDTLS_ECP_C bool "Elliptic Curve Ciphers" default y config ENABLE_MBEDTLS_PK_C bool "Enable the generic public (asymetric) key layer" depends on ENABLE_MBEDTLS_RSA_C || ENABLE_MBEDTLS_ECP_C default n config ENABLE_MBEDTLS_ECDH_C bool "Elliptic Curve Diffie-Hellman (ECDH)" depends on ENABLE_MBEDTLS_ECP_C default y help Enable ECDH. Needed to use ECDHE-xxx TLS ciphersuites. config ENABLE_MBEDTLS_ECDSA_C bool "Elliptic Curve DSA" depends on ENABLE_MBEDTLS_ECDH_C default n help Enable ECDSA. Needed to use ECDSA-xxx TLS ciphersuites. config ENABLE_MBEDTLS_ECP_DP_SECP192R1_ENABLED bool "Enable SECP192R1 curve" depends on ENABLE_MBEDTLS_ECP_C default n help Enable support for SECP192R1 Elliptic Curve. config ENABLE_MBEDTLS_ECP_DP_SECP224R1_ENABLED bool "Enable SECP224R1 curve" depends on ENABLE_MBEDTLS_ECP_C default n help Enable support for SECP224R1 Elliptic Curve. config ENABLE_MBEDTLS_ECP_DP_SECP256R1_ENABLED bool "Enable SECP256R1 curve" depends on ENABLE_MBEDTLS_ECP_C default y help Enable support for SECP256R1 Elliptic Curve. config ENABLE_MBEDTLS_ECP_DP_SECP384R1_ENABLED bool "Enable SECP384R1 curve" depends on ENABLE_MBEDTLS_ECP_C default n help Enable support for SECP384R1 Elliptic Curve. config ENABLE_MBEDTLS_ECP_DP_SECP521R1_ENABLED bool "Enable SECP521R1 curve" depends on ENABLE_MBEDTLS_ECP_C default n help Enable support for SECP521R1 Elliptic Curve. config ENABLE_MBEDTLS_ECP_DP_SECP192K1_ENABLED bool "Enable SECP192K1 curve" depends on ENABLE_MBEDTLS_ECP_C default n help Enable support for SECP192K1 Elliptic Curve. config ENABLE_MBEDTLS_ECP_DP_SECP224K1_ENABLED bool "Enable SECP224K1 curve" depends on ENABLE_MBEDTLS_ECP_C default n help Enable support for SECP224K1 Elliptic Curve. config ENABLE_MBEDTLS_ECP_DP_SECP256K1_ENABLED bool "Enable SECP256K1 curve" depends on ENABLE_MBEDTLS_ECP_C default n help Enable support for SECP256K1 Elliptic Curve. config ENABLE_MBEDTLS_ECP_DP_BP256R1_ENABLED bool "Enable BP256R1 curve" depends on ENABLE_MBEDTLS_ECP_C default n help support for DP Elliptic Curve. config ENABLE_MBEDTLS_ECP_DP_BP384R1_ENABLED bool "Enable BP384R1 curve" depends on ENABLE_MBEDTLS_ECP_C default n help support for DP Elliptic Curve. config ENABLE_MBEDTLS_ECP_DP_BP512R1_ENABLED bool "Enable BP512R1 curve" depends on ENABLE_MBEDTLS_ECP_C default n help support for DP Elliptic Curve. config ENABLE_MBEDTLS_ECP_DP_CURVE25519_ENABLED bool "Enable CURVE25519 curve" depends on ENABLE_MBEDTLS_ECP_C default n help Enable support for CURVE25519 Elliptic Curve. config ENABLE_MBEDTLS_ECP_DP_CURVE448_ENABLED bool "Enable CURVE448 curve" depends on ENABLE_MBEDTLS_ECP_C default n help Enable support for CURVE448 Elliptic Curve. config ENABLE_MBEDTLS_ECP_NIST_OPTIM bool "NIST 'modulo p' optimisations" depends on ENABLE_MBEDTLS_ECP_C default y help NIST 'modulo p' optimisations increase Elliptic Curve operation performance. Disabling this option saves some code size. # end of Elliptic Curve options config ENABLE_MBEDTLS_ECP_RESTARTABLE bool "MBEDTLS_ECP_RESTARTABLE" depends on ENABLE_MBEDTLS_ECP_C default n endmenu # Asymmetric Ciphers menu "Certificates" config ENABLE_MBEDTLS_X509_CRT bool "Enable X.509 certificate" depends on ENABLE_MBEDTLS_PK_C default n config ENABLE_MBEDTLS_PEM_PARSE_C bool "Read & Parse PEM formatted certificates" depends on ENABLE_MBEDTLS_X509_CRT default n help Enable decoding/parsing of PEM formatted certificates. If your certificates are all in the simpler DER format, disabling this option will save some code size. config ENABLE_MBEDTLS_PEM_WRITE_C bool "Write PEM formatted certificates" depends on ENABLE_MBEDTLS_X509_CRT default n help Enable writing of PEM formatted certificates. If writing certificate data only in DER format, disabling this option will save some code size. config ENABLE_MBEDTLS_X509_CRL_PARSE_C bool "X.509 CRL parsing" depends on ENABLE_MBEDTLS_X509_CRT default n help Support for parsing X.509 Certifificate Revocation Lists. config ENABLE_MBEDTLS_X509_CSR_PARSE_C bool "X.509 CSR parsing" depends on ENABLE_MBEDTLS_X509_CRT default n help Support for parsing X.509 Certifificate Signing Requests endmenu # Certificates config ENABLE_MBEDTLS_CHACHA20_C bool "Enable chacha20 algorithm" default n help Enable the chacha20 algorithm. config ENABLE_MBEDTLS_CHACHAPOLY_C bool "Enable chachapoly algorithm" depends on ENABLE_MBEDTLS_CHACHA20_C default n help Enable the chacha20 algorithm. config ENABLE_MBEDTLS_CMAC_C bool "Enable CMAC mode for block ciphers" default n help Enable the CMAC (Cipher-based Message Authentication Code) mode for block ciphers. config ENABLE_MBEDTLS_HMAC_DRBG_C bool "Enable hmac drbg" default n help Enable the HMAC_DRBG. config ENABLE_MBEDTLS_POLY1305_C bool "Enable RIPEMD-1305 mac algorithm" default n help Enable the RIPEMD-160 hash algorithm. config ENABLE_MBEDTLS_RIPEMD160_C bool "Enable RIPEMD-160 hash algorithm" default n help Enable the RIPEMD-160 hash algorithm. choice MBEDTLS_TLS_MODE bool "TLS Protocol Role" default ENABLE_MBEDTLS_TLS_CLIENT_ONLY help mbedTLS can be compiled with protocol support for the TLS server, TLS client, or both server and client. Reducing the number of TLS roles supported saves code size. config ENABLE_MBEDTLS_TLS_SERVER_AND_CLIENT bool "Server & Client" select ENABLE_MBEDTLS_SSL_SRV_C select ENABLE_MBEDTLS_SSL_CLI_C config ENABLE_MBEDTLS_TLS_SERVER_ONLY bool "Server" select ENABLE_MBEDTLS_SSL_SRV_C config ENABLE_MBEDTLS_TLS_CLIENT_ONLY bool "Client" select ENABLE_MBEDTLS_SSL_CLI_C config ENABLE_MBEDTLS_TLS_DISABLED bool "None" endchoice config ENABLE_MBEDTLS_SSL_SRV_C bool select MBEDTLS_TLS_ENABLED config ENABLE_MBEDTLS_SSL_CLI_C bool select MBEDTLS_TLS_ENABLED config MBEDTLS_TLS_ENABLED bool config ENABLE_MBEDTLS_SSL_PROTO_TLS1 bool "Support TLS 1.0 protocol" default n config ENABLE_MBEDTLS_SSL_PROTO_TLS1_1 bool "Support TLS 1.1 protocol" default n config ENABLE_MBEDTLS_SSL_PROTO_TLS1_2 bool "Support TLS 1.2 protocol" default y config ENABLE_MBEDTLS_SSL_PROTO_DTLS bool "Support dtls protocol" default n config ENABLE_MBEDTLS_SSL_DTLS_HELLO_VERIFY bool "Enable dtls hello verify" depends on ENABLE_MBEDTLS_SSL_PROTO_DTLS default n config ENABLE_MBEDTLS_SSL_DTLS_SRTP bool "Enable dtls srtp" depends on ENABLE_MBEDTLS_SSL_PROTO_DTLS default n menu "TLS Key Exchange Methods" config ENABLE_MBEDTLS_PSK_MODES bool "Enable pre-shared-key ciphersuites" default y help Enable to show configuration for different types of pre-shared-key TLS authentatication methods. Leaving this options disabled will save code size if they are not used. config ENABLE_MBEDTLS_KEY_EXCHANGE_PSK bool "Enable PSK based ciphersuite modes" depends on ENABLE_MBEDTLS_PSK_MODES default y help Enable to support symmetric key PSK (pre-shared-key) TLS key exchange modes. config ENABLE_MBEDTLS_KEY_EXCHANGE_DHE_PSK bool "Enable DHE-PSK based ciphersuite modes" depends on ENABLE_MBEDTLS_PSK_MODES default n help Enable to support Diffie-Hellman PSK (pre-shared-key) TLS authentication modes. config ENABLE_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK bool "Enable ECDHE-PSK based ciphersuite modes" depends on ENABLE_MBEDTLS_PSK_MODES && ENABLE_MBEDTLS_ECDH_C default y help Enable to support Elliptic-Curve-Diffie-Hellman PSK (pre-shared-key) TLS authentication modes. config ENABLE_MBEDTLS_KEY_EXCHANGE_RSA_PSK bool "Enable RSA-PSK based ciphersuite modes" depends on ENABLE_MBEDTLS_PSK_MODES && ENABLE_MBEDTLS_RSA_C default n help Enable to support RSA PSK (pre-shared-key) TLS authentication modes. config ENABLE_MBEDTLS_KEY_EXCHANGE_RSA bool "Enable RSA-only based ciphersuite modes" depends on ENABLE_MBEDTLS_RSA_C default n help Enable to support ciphersuites with prefix TLS-RSA-WITH- config ENABLE_MBEDTLS_KEY_EXCHANGE_DHE_RSA bool "Enable DHE-RSA based ciphersuite modes" depends on ENABLE_MBEDTLS_RSA_C default n help Enable to support ciphersuites with prefix TLS-DHE-RSA-WITH- config ENABLE_MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE bool "Support Elliptic Curve based ciphersuites" depends on ENABLE_MBEDTLS_ECP_C default n help Enable to show Elliptic Curve based ciphersuite mode options. Disabling all Elliptic Curve ciphersuites saves code size and can give slightly faster TLS handshakes, provided the server supports RSA-only ciphersuite modes. config ENABLE_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA bool "Enable ECDHE-RSA based ciphersuite modes" depends on ENABLE_MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE && ENABLE_MBEDTLS_ECDH_C default n help Enable to support ciphersuites with prefix TLS-ECDHE-RSA-WITH- config ENABLE_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA bool "Enable ECDHE-ECDSA based ciphersuite modes" depends on ENABLE_MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE && ENABLE_MBEDTLS_ECDH_C && ENABLE_MBEDTLS_ECDSA_C default n help Enable to support ciphersuites with prefix TLS-ECDHE-RSA-WITH- config ENABLE_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA bool "Enable ECDH-ECDSA based ciphersuite modes" depends on ENABLE_MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE && ENABLE_MBEDTLS_ECDH_C && ENABLE_MBEDTLS_ECDSA_C default n help Enable to support ciphersuites with prefix TLS-ECDHE-RSA-WITH- config ENABLE_MBEDTLS_KEY_EXCHANGE_ECDH_RSA bool "Enable ECDH-RSA based ciphersuite modes" depends on ENABLE_MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE && ENABLE_MBEDTLS_ECDH_C default y help Enable to support ciphersuites with prefix TLS-ECDHE-RSA-WITH- endmenu # TLS key exchange modes endif endmenu # mbedTLS