2019-05-28 01:49:02 -04:00
|
|
|
menu "ESP-TLS"
|
2019-09-07 06:54:54 -04:00
|
|
|
choice ESP_TLS_LIBRARY_CHOOSE
|
|
|
|
prompt "Choose SSL/TLS library for ESP-TLS (See help for more Info)"
|
|
|
|
default ESP_TLS_USING_MBEDTLS
|
|
|
|
help
|
|
|
|
The ESP-TLS APIs support multiple backend TLS libraries. Currently mbedTLS and WolfSSL are
|
|
|
|
supported. Different TLS libraries may support different features and have different resource
|
|
|
|
usage. Consult the ESP-TLS documentation in ESP-IDF Programming guide for more details.
|
|
|
|
config ESP_TLS_USING_MBEDTLS
|
|
|
|
bool "mbedTLS"
|
|
|
|
config ESP_TLS_USING_WOLFSSL
|
|
|
|
depends on TLS_STACK_WOLFSSL
|
|
|
|
bool "wolfSSL (License info in wolfSSL directory README)"
|
|
|
|
endchoice
|
2019-05-28 01:49:02 -04:00
|
|
|
|
2020-04-06 10:42:52 -04:00
|
|
|
config ESP_TLS_USE_SECURE_ELEMENT
|
|
|
|
bool "Use Secure Element (ATECC608A) with ESP-TLS"
|
|
|
|
depends on IDF_TARGET_ESP32 && ESP_TLS_USING_MBEDTLS
|
|
|
|
select ATCA_MBEDTLS_ECDSA
|
|
|
|
select ATCA_MBEDTLS_ECDSA_SIGN
|
|
|
|
select ATCA_MBEDTLS_ECDSA_VERIFY
|
|
|
|
help
|
|
|
|
Enable use of Secure Element for ESP-TLS, this enables internal support for
|
2023-12-04 01:52:01 -05:00
|
|
|
ATECC608A peripheral, which can be used for TLS connection.
|
2020-04-06 10:42:52 -04:00
|
|
|
|
2020-06-16 08:40:12 -04:00
|
|
|
config ESP_TLS_USE_DS_PERIPHERAL
|
|
|
|
bool "Use Digital Signature (DS) Peripheral with ESP-TLS"
|
2022-03-17 05:42:28 -04:00
|
|
|
depends on ESP_TLS_USING_MBEDTLS && SOC_DIG_SIGN_SUPPORTED
|
2020-06-16 08:40:12 -04:00
|
|
|
default y
|
|
|
|
help
|
|
|
|
Enable use of the Digital Signature Peripheral for ESP-TLS.The DS peripheral
|
|
|
|
can only be used when it is appropriately configured for TLS.
|
|
|
|
Consult the ESP-TLS documentation in ESP-IDF Programming Guide for more details.
|
|
|
|
|
2021-07-23 07:30:32 -04:00
|
|
|
config ESP_TLS_CLIENT_SESSION_TICKETS
|
|
|
|
bool "Enable client session tickets"
|
|
|
|
depends on ESP_TLS_USING_MBEDTLS && MBEDTLS_CLIENT_SSL_SESSION_TICKETS
|
|
|
|
help
|
|
|
|
Enable session ticket support as specified in RFC5077.
|
|
|
|
|
2021-05-19 11:16:59 -04:00
|
|
|
config ESP_TLS_SERVER_SESSION_TICKETS
|
2021-07-23 07:30:32 -04:00
|
|
|
bool "Enable server session tickets"
|
2023-09-05 05:04:04 -04:00
|
|
|
depends on ESP_TLS_USING_MBEDTLS && MBEDTLS_SERVER_SSL_SESSION_TICKETS
|
2021-05-19 11:16:59 -04:00
|
|
|
help
|
|
|
|
Enable session ticket support as specified in RFC5077
|
|
|
|
|
|
|
|
config ESP_TLS_SERVER_SESSION_TICKET_TIMEOUT
|
|
|
|
int "Server session ticket timeout in seconds"
|
|
|
|
depends on ESP_TLS_SERVER_SESSION_TICKETS
|
|
|
|
default 86400
|
|
|
|
help
|
|
|
|
Sets the session ticket timeout used in the tls server.
|
|
|
|
|
2022-09-26 10:14:09 -04:00
|
|
|
config ESP_TLS_SERVER_CERT_SELECT_HOOK
|
|
|
|
bool "Certificate selection hook"
|
2023-09-05 05:04:04 -04:00
|
|
|
depends on ESP_TLS_USING_MBEDTLS
|
2022-09-26 10:14:09 -04:00
|
|
|
help
|
|
|
|
Ability to configure and use a certificate selection callback during server handshake,
|
|
|
|
to select a certificate to present to the client based on the TLS extensions supplied in
|
|
|
|
the client hello (alpn, sni, etc).
|
|
|
|
|
2022-03-28 08:04:38 -04:00
|
|
|
config ESP_TLS_SERVER_MIN_AUTH_MODE_OPTIONAL
|
|
|
|
bool "ESP-TLS Server: Set minimum Certificate Verification mode to Optional"
|
2023-09-05 05:04:04 -04:00
|
|
|
depends on ESP_TLS_USING_MBEDTLS
|
2022-03-28 08:04:38 -04:00
|
|
|
help
|
|
|
|
When this option is enabled, the peer (here, the client) certificate is checked by the server,
|
|
|
|
however the handshake continues even if verification failed. By default, the
|
|
|
|
peer certificate is not checked and ignored by the server.
|
|
|
|
|
|
|
|
mbedtls_ssl_get_verify_result() can be called after the handshake is complete to
|
|
|
|
retrieve status of verification.
|
|
|
|
|
2019-05-23 15:48:08 -04:00
|
|
|
config ESP_TLS_PSK_VERIFICATION
|
|
|
|
bool "Enable PSK verification"
|
2020-03-11 07:48:27 -04:00
|
|
|
select MBEDTLS_PSK_MODES if ESP_TLS_USING_MBEDTLS
|
|
|
|
select MBEDTLS_KEY_EXCHANGE_PSK if ESP_TLS_USING_MBEDTLS
|
2021-10-25 09:05:50 -04:00
|
|
|
select MBEDTLS_KEY_EXCHANGE_DHE_PSK if ESP_TLS_USING_MBEDTLS && MBEDTLS_DHM_C
|
|
|
|
select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK if ESP_TLS_USING_MBEDTLS && MBEDTLS_ECDH_C
|
2020-03-11 07:48:27 -04:00
|
|
|
select MBEDTLS_KEY_EXCHANGE_RSA_PSK if ESP_TLS_USING_MBEDTLS
|
2019-05-23 15:48:08 -04:00
|
|
|
help
|
2020-03-11 07:48:27 -04:00
|
|
|
Enable support for pre shared key ciphers, supported for both mbedTLS as well as
|
|
|
|
wolfSSL TLS library.
|
2019-05-23 15:48:08 -04:00
|
|
|
|
2020-12-23 13:00:40 -05:00
|
|
|
config ESP_TLS_INSECURE
|
|
|
|
bool "Allow potentially insecure options"
|
|
|
|
help
|
|
|
|
You can enable some potentially insecure options. These options should only be used for testing pusposes.
|
|
|
|
Only enable these options if you are very sure.
|
|
|
|
|
|
|
|
config ESP_TLS_SKIP_SERVER_CERT_VERIFY
|
|
|
|
bool "Skip server certificate verification by default (WARNING: ONLY FOR TESTING PURPOSE, READ HELP)"
|
|
|
|
depends on ESP_TLS_INSECURE
|
|
|
|
help
|
|
|
|
After enabling this option the esp-tls client will skip the server certificate verification
|
|
|
|
by default. Note that this option will only modify the default behaviour of esp-tls client
|
|
|
|
regarding server cert verification. The default behaviour should only be applicable when
|
|
|
|
no other option regarding the server cert verification is opted in the esp-tls config
|
|
|
|
(e.g. crt_bundle_attach, use_global_ca_store etc.).
|
|
|
|
WARNING : Enabling this option comes with a potential risk of establishing a TLS connection
|
|
|
|
with a server which has a fake identity, provided that the server certificate
|
|
|
|
is not provided either through API or other mechanism like ca_store etc.
|
|
|
|
|
2019-09-07 06:54:54 -04:00
|
|
|
config ESP_WOLFSSL_SMALL_CERT_VERIFY
|
|
|
|
bool "Enable SMALL_CERT_VERIFY"
|
|
|
|
depends on ESP_TLS_USING_WOLFSSL
|
|
|
|
default y
|
|
|
|
help
|
|
|
|
Enables server verification with Intermediate CA cert, does not authenticate full chain
|
|
|
|
of trust upto the root CA cert (After Enabling this option client only needs to have Intermediate
|
|
|
|
CA certificate of the server to authenticate server, root CA cert is not necessary).
|
2019-05-28 01:49:02 -04:00
|
|
|
|
2019-09-07 06:54:54 -04:00
|
|
|
config ESP_DEBUG_WOLFSSL
|
|
|
|
bool "Enable debug logs for wolfSSL"
|
|
|
|
depends on ESP_TLS_USING_WOLFSSL
|
|
|
|
help
|
|
|
|
Enable detailed debug prints for wolfSSL SSL library.
|
|
|
|
|
|
|
|
endmenu
|