esp-idf/components/esp-tls/Kconfig

menu "ESP-TLS"
    choice ESP_TLS_LIBRARY_CHOOSE
        prompt "Choose SSL/TLS library for ESP-TLS (See help for more Info)"
        default ESP_TLS_USING_MBEDTLS
        help
            The ESP-TLS APIs support multiple backend TLS libraries. Currently mbedTLS and WolfSSL are
            supported. Different TLS libraries may support different features and have different resource
            usage. Consult the ESP-TLS documentation in ESP-IDF Programming guide for more details.
        config ESP_TLS_USING_MBEDTLS
            bool "mbedTLS"
        config ESP_TLS_USING_WOLFSSL
            depends on TLS_STACK_WOLFSSL
            bool "wolfSSL (License info in wolfSSL directory README)"
    endchoice

    config ESP_TLS_USE_SECURE_ELEMENT
        bool "Use Secure Element (ATECC608A) with ESP-TLS"
        depends on IDF_TARGET_ESP32 && ESP_TLS_USING_MBEDTLS
        select ATCA_MBEDTLS_ECDSA
        select ATCA_MBEDTLS_ECDSA_SIGN
        select ATCA_MBEDTLS_ECDSA_VERIFY
        help
            Enable use of Secure Element for ESP-TLS, this enables internal support for
            ATECC608A peripheral on ESPWROOM32SE, which can be used for TLS connection.

    config ESP_TLS_USE_DS_PERIPHERAL
        bool "Use Digital Signature (DS) Peripheral with ESP-TLS"
        depends on ESP_TLS_USING_MBEDTLS && SOC_DIG_SIGN_SUPPORTED
        default y
        help
            Enable use of the Digital Signature Peripheral for ESP-TLS.The DS peripheral
            can only be used when it is appropriately configured for TLS.
            Consult the ESP-TLS documentation in ESP-IDF Programming Guide for more details.

    config ESP_TLS_CLIENT_SESSION_TICKETS
        bool "Enable client session tickets"
        depends on ESP_TLS_USING_MBEDTLS && MBEDTLS_CLIENT_SSL_SESSION_TICKETS
        help
            Enable session ticket support as specified in RFC5077.

    config ESP_TLS_SERVER
        bool "Enable ESP-TLS Server"
        depends on (ESP_TLS_USING_MBEDTLS && MBEDTLS_TLS_SERVER) || ESP_TLS_USING_WOLFSSL
        help
            Enable support for creating server side SSL/TLS session, available for mbedTLS
            as well as wolfSSL TLS library.

    config ESP_TLS_SERVER_SESSION_TICKETS
        bool "Enable server session tickets"
        depends on ESP_TLS_SERVER && ESP_TLS_USING_MBEDTLS && MBEDTLS_SERVER_SSL_SESSION_TICKETS
        help
            Enable session ticket support as specified in RFC5077

    config ESP_TLS_SERVER_SESSION_TICKET_TIMEOUT
        int "Server session ticket timeout in seconds"
        depends on ESP_TLS_SERVER_SESSION_TICKETS
        default 86400
        help
            Sets the session ticket timeout used in the tls server.

    config ESP_TLS_SERVER_CERT_SELECT_HOOK
        bool "Certificate selection hook"
        depends on ESP_TLS_USING_MBEDTLS && ESP_TLS_SERVER
        help
            Ability to configure and use a certificate selection callback during server handshake,
            to select a certificate to present to the client based on the TLS extensions supplied in
            the client hello (alpn, sni, etc).

    config ESP_TLS_SERVER_MIN_AUTH_MODE_OPTIONAL
        bool "ESP-TLS Server: Set minimum Certificate Verification mode to Optional"
        depends on ESP_TLS_SERVER && ESP_TLS_USING_MBEDTLS
        help
            When this option is enabled, the peer (here, the client) certificate is checked by the server,
            however the handshake continues even if verification failed. By default, the
            peer certificate is not checked and ignored by the server.

            mbedtls_ssl_get_verify_result() can be called after the handshake is complete to
            retrieve status of verification.

    config ESP_TLS_PSK_VERIFICATION
        bool "Enable PSK verification"
        select MBEDTLS_PSK_MODES if ESP_TLS_USING_MBEDTLS
        select MBEDTLS_KEY_EXCHANGE_PSK if ESP_TLS_USING_MBEDTLS
        select MBEDTLS_KEY_EXCHANGE_DHE_PSK if ESP_TLS_USING_MBEDTLS && MBEDTLS_DHM_C
        select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK if ESP_TLS_USING_MBEDTLS && MBEDTLS_ECDH_C
        select MBEDTLS_KEY_EXCHANGE_RSA_PSK if ESP_TLS_USING_MBEDTLS
        help
            Enable support for pre shared key ciphers, supported for both mbedTLS as well as
            wolfSSL TLS library.

    config ESP_TLS_INSECURE
        bool "Allow potentially insecure options"
        help
            You can enable some potentially insecure options. These options should only be used for testing pusposes.
            Only enable these options if you are very sure.

    config ESP_TLS_SKIP_SERVER_CERT_VERIFY
        bool "Skip server certificate verification by default (WARNING: ONLY FOR TESTING PURPOSE, READ HELP)"
        depends on ESP_TLS_INSECURE
        help
            After enabling this option the esp-tls client will skip the server certificate verification
            by default. Note that this option will only modify the default behaviour of esp-tls client
            regarding server cert verification. The default behaviour should only be applicable when
            no other option regarding the server cert verification is opted in the esp-tls config
            (e.g. crt_bundle_attach, use_global_ca_store etc.).
            WARNING : Enabling this option comes with a potential risk of establishing a TLS connection
            with a server which has a fake identity, provided that the server certificate
            is not provided either through API or other mechanism like ca_store etc.

    config ESP_WOLFSSL_SMALL_CERT_VERIFY
        bool "Enable SMALL_CERT_VERIFY"
        depends on ESP_TLS_USING_WOLFSSL
        default y
        help
            Enables server verification with Intermediate CA cert, does not authenticate full chain
            of trust upto the root CA cert (After Enabling this option client only needs to have Intermediate
            CA certificate of the server to authenticate server, root CA cert is not necessary).

    config ESP_DEBUG_WOLFSSL
        bool "Enable debug logs for wolfSSL"
        depends on ESP_TLS_USING_WOLFSSL
        help
            Enable detailed debug prints for wolfSSL SSL library.

endmenu
esp_tls: Add support for server side SSL/TLS connection Currently, esp-tls supports creation of SSL/TLS connection on the client side. This commit includes support for creating SSL/TLS connection on the server side. 2019-05-28 11:19:02 +05:30			`menu "ESP-TLS"`
ESP_TLS: Restructuring esp_tls 1)Segregating mbedtls API into seperate file and cleaned esp_tls.c 2)Added support for wolfssl for CMake and make 3)Added support for debug_wolfssl (with menuconfig option) 4)Added info on wolfssl in ESP-TLS docs 2019-09-07 16:24:54 +05:30			`choice ESP_TLS_LIBRARY_CHOOSE`
			`prompt "Choose SSL/TLS library for ESP-TLS (See help for more Info)"`
			`default ESP_TLS_USING_MBEDTLS`
			`help`
			`The ESP-TLS APIs support multiple backend TLS libraries. Currently mbedTLS and WolfSSL are`
			`supported. Different TLS libraries may support different features and have different resource`
			`usage. Consult the ESP-TLS documentation in ESP-IDF Programming guide for more details.`
			`config ESP_TLS_USING_MBEDTLS`
			`bool "mbedTLS"`
			`config ESP_TLS_USING_WOLFSSL`
			`depends on TLS_STACK_WOLFSSL`
			`bool "wolfSSL (License info in wolfSSL directory README)"`
			`endchoice`
esp_tls: Add support for server side SSL/TLS connection Currently, esp-tls supports creation of SSL/TLS connection on the client side. This commit includes support for creating SSL/TLS connection on the server side. 2019-05-28 11:19:02 +05:30
secure_element: atecc608_ecdsa example * Replaced crypotoauthlib with esp-cryptoauthlib * Added menuconfig option for esp-tls about using HSM * Added error codes for HSM in esp-tls, * Added support to select different type of ATECC608A chips * Added README, updated docs * tcp_transport: Added option to enable secure_element for ssl Closes https://github.com/espressif/esp-idf/issues/4432 2020-04-06 20:12:52 +05:30			`config ESP_TLS_USE_SECURE_ELEMENT`
			`bool "Use Secure Element (ATECC608A) with ESP-TLS"`
			`depends on IDF_TARGET_ESP32 && ESP_TLS_USING_MBEDTLS`
			`select ATCA_MBEDTLS_ECDSA`
			`select ATCA_MBEDTLS_ECDSA_SIGN`
			`select ATCA_MBEDTLS_ECDSA_VERIFY`
			`help`
			`Enable use of Secure Element for ESP-TLS, this enables internal support for`
			`ATECC608A peripheral on ESPWROOM32SE, which can be used for TLS connection.`

esp32s2/esp_ds: Digital Signature software support 1)Added support for alt rsa sign implementation with DS peripheral ( through ESP-TLS - mbedTLS SSL/TLS stack) 2020-06-16 18:10:12 +05:30			`config ESP_TLS_USE_DS_PERIPHERAL`
			`bool "Use Digital Signature (DS) Peripheral with ESP-TLS"`
esp-tls: use SOC capability macros instead of target names 2022-03-17 15:12:28 +05:30			`depends on ESP_TLS_USING_MBEDTLS && SOC_DIG_SIGN_SUPPORTED`
esp32s2/esp_ds: Digital Signature software support 1)Added support for alt rsa sign implementation with DS peripheral ( through ESP-TLS - mbedTLS SSL/TLS stack) 2020-06-16 18:10:12 +05:30			`default y`
			`help`
			`Enable use of the Digital Signature Peripheral for ESP-TLS.The DS peripheral`
			`can only be used when it is appropriately configured for TLS.`
			`Consult the ESP-TLS documentation in ESP-IDF Programming Guide for more details.`

Added support for client session tickets in esp-tls (with mbedtls) * client session tickets for individual tls connections are supported * reorganize the esp-tls error codes. * Update esp_err_to_name.c * Fix styling 2021-07-23 17:00:32 +05:30			`config ESP_TLS_CLIENT_SESSION_TICKETS`
			`bool "Enable client session tickets"`
			`depends on ESP_TLS_USING_MBEDTLS && MBEDTLS_CLIENT_SSL_SESSION_TICKETS`
			`help`
			`Enable session ticket support as specified in RFC5077.`

https_server: Add config option to min. cert. auth mode - Added a config option to set the minimum Certificate Verification mode to Optional - When this option is enabled, the peer (the client) certificate is checked by the server, however the handshake continues even if verification failed. - By default, the peer certificate is not checked and ignored by the server. Closes https://github.com/espressif/esp-idf/issues/8664 2022-03-28 17:34:38 +05:30			`config ESP_TLS_SERVER`
			`bool "Enable ESP-TLS Server"`
esp-tls/Kconfig: Fix dependency for ESP-TLS Server menuconfig option 2022-11-02 09:58:32 +05:30			`depends on (ESP_TLS_USING_MBEDTLS && MBEDTLS_TLS_SERVER) \|\| ESP_TLS_USING_WOLFSSL`
https_server: Add config option to min. cert. auth mode - Added a config option to set the minimum Certificate Verification mode to Optional - When this option is enabled, the peer (the client) certificate is checked by the server, however the handshake continues even if verification failed. - By default, the peer certificate is not checked and ignored by the server. Closes https://github.com/espressif/esp-idf/issues/8664 2022-03-28 17:34:38 +05:30			`help`
			`Enable support for creating server side SSL/TLS session, available for mbedTLS`
			`as well as wolfSSL TLS library.`

Implement server session ticket support with mbedtls Closes https://github.com/espressif/esp-idf/pull/7048 Signed-off-by: Aditya Patwardhan <aditya.patwardhan@espressif.com> 2021-05-19 17:16:59 +02:00			`config ESP_TLS_SERVER_SESSION_TICKETS`
Added support for client session tickets in esp-tls (with mbedtls) * client session tickets for individual tls connections are supported * reorganize the esp-tls error codes. * Update esp_err_to_name.c * Fix styling 2021-07-23 17:00:32 +05:30			`bool "Enable server session tickets"`
Implement server session ticket support with mbedtls Closes https://github.com/espressif/esp-idf/pull/7048 Signed-off-by: Aditya Patwardhan <aditya.patwardhan@espressif.com> 2021-05-19 17:16:59 +02:00			`depends on ESP_TLS_SERVER && ESP_TLS_USING_MBEDTLS && MBEDTLS_SERVER_SSL_SESSION_TICKETS`
			`help`
			`Enable session ticket support as specified in RFC5077`

			`config ESP_TLS_SERVER_SESSION_TICKET_TIMEOUT`
			`int "Server session ticket timeout in seconds"`
			`depends on ESP_TLS_SERVER_SESSION_TICKETS`
			`default 86400`
			`help`
			`Sets the session ticket timeout used in the tls server.`

esp-tls: Add support for the CERTIFICATE SELECTION HOOK. The hook has access to required information so that the application can make a more informed decision on which certificate to serve (such as alpn value, server certificate type, etc.) Closes https://github.com/espressif/esp-idf/pull/9833 Signed-off-by: Aditya Patwardhan <aditya.patwardhan@espressif.com> 2022-09-26 16:14:09 +02:00			`config ESP_TLS_SERVER_CERT_SELECT_HOOK`
			`bool "Certificate selection hook"`
esp-tls: Add changes to the Cert selection callback PR. 2022-10-21 12:51:31 +05:30			`depends on ESP_TLS_USING_MBEDTLS && ESP_TLS_SERVER`
esp-tls: Add support for the CERTIFICATE SELECTION HOOK. The hook has access to required information so that the application can make a more informed decision on which certificate to serve (such as alpn value, server certificate type, etc.) Closes https://github.com/espressif/esp-idf/pull/9833 Signed-off-by: Aditya Patwardhan <aditya.patwardhan@espressif.com> 2022-09-26 16:14:09 +02:00			`help`
			`Ability to configure and use a certificate selection callback during server handshake,`
			`to select a certificate to present to the client based on the TLS extensions supplied in`
			`the client hello (alpn, sni, etc).`

https_server: Add config option to min. cert. auth mode - Added a config option to set the minimum Certificate Verification mode to Optional - When this option is enabled, the peer (the client) certificate is checked by the server, however the handshake continues even if verification failed. - By default, the peer certificate is not checked and ignored by the server. Closes https://github.com/espressif/esp-idf/issues/8664 2022-03-28 17:34:38 +05:30			`config ESP_TLS_SERVER_MIN_AUTH_MODE_OPTIONAL`
			`bool "ESP-TLS Server: Set minimum Certificate Verification mode to Optional"`
			`depends on ESP_TLS_SERVER && ESP_TLS_USING_MBEDTLS`
			`help`
			`When this option is enabled, the peer (here, the client) certificate is checked by the server,`
			`however the handshake continues even if verification failed. By default, the`
			`peer certificate is not checked and ignored by the server.`

			`mbedtls_ssl_get_verify_result() can be called after the handshake is complete to`
			`retrieve status of verification.`

esp_tls: enable psk verification mode, added mqtt example using psk authentication 2019-05-23 21:48:08 +02:00			`config ESP_TLS_PSK_VERIFICATION`
			`bool "Enable PSK verification"`
esp_tls_wolfssl: Add support for PSK using wolfSSL, enable SNI and ALPN 2020-03-11 17:18:27 +05:30			`select MBEDTLS_PSK_MODES if ESP_TLS_USING_MBEDTLS`
			`select MBEDTLS_KEY_EXCHANGE_PSK if ESP_TLS_USING_MBEDTLS`
mbedtls: disable Diffie-Hellman key exchange modes by default Using these ciphers can constitute a security risk if the server uses a weak prime for the key exchange. Footprint impact: Roughly 3K saved in text+rodata in default https_request example 2021-10-25 18:35:50 +05:30			`select MBEDTLS_KEY_EXCHANGE_DHE_PSK if ESP_TLS_USING_MBEDTLS && MBEDTLS_DHM_C`
			`select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK if ESP_TLS_USING_MBEDTLS && MBEDTLS_ECDH_C`
esp_tls_wolfssl: Add support for PSK using wolfSSL, enable SNI and ALPN 2020-03-11 17:18:27 +05:30			`select MBEDTLS_KEY_EXCHANGE_RSA_PSK if ESP_TLS_USING_MBEDTLS`
esp_tls: enable psk verification mode, added mqtt example using psk authentication 2019-05-23 21:48:08 +02:00			`help`
esp_tls_wolfssl: Add support for PSK using wolfSSL, enable SNI and ALPN 2020-03-11 17:18:27 +05:30			`Enable support for pre shared key ciphers, supported for both mbedTLS as well as`
			`wolfSSL TLS library.`
esp_tls: enable psk verification mode, added mqtt example using psk authentication 2019-05-23 21:48:08 +02:00
esp-tls: Changed default behaviour for esp-tls client ( for security purpose) By default esp-tls client will now return error if no server verify option is provided, earlier it used to skip the verification by default. Added config option to skip server verification by default (for testing purpose) Updated required docs 2020-12-23 23:30:40 +05:30			`config ESP_TLS_INSECURE`
			`bool "Allow potentially insecure options"`
			`help`
			`You can enable some potentially insecure options. These options should only be used for testing pusposes.`
			`Only enable these options if you are very sure.`

			`config ESP_TLS_SKIP_SERVER_CERT_VERIFY`
			`bool "Skip server certificate verification by default (WARNING: ONLY FOR TESTING PURPOSE, READ HELP)"`
			`depends on ESP_TLS_INSECURE`
			`help`
			`After enabling this option the esp-tls client will skip the server certificate verification`
			`by default. Note that this option will only modify the default behaviour of esp-tls client`
			`regarding server cert verification. The default behaviour should only be applicable when`
			`no other option regarding the server cert verification is opted in the esp-tls config`
			`(e.g. crt_bundle_attach, use_global_ca_store etc.).`
			`WARNING : Enabling this option comes with a potential risk of establishing a TLS connection`
			`with a server which has a fake identity, provided that the server certificate`
			`is not provided either through API or other mechanism like ca_store etc.`

ESP_TLS: Restructuring esp_tls 1)Segregating mbedtls API into seperate file and cleaned esp_tls.c 2)Added support for wolfssl for CMake and make 3)Added support for debug_wolfssl (with menuconfig option) 4)Added info on wolfssl in ESP-TLS docs 2019-09-07 16:24:54 +05:30			`config ESP_WOLFSSL_SMALL_CERT_VERIFY`
			`bool "Enable SMALL_CERT_VERIFY"`
			`depends on ESP_TLS_USING_WOLFSSL`
			`default y`
			`help`
			`Enables server verification with Intermediate CA cert, does not authenticate full chain`
			`of trust upto the root CA cert (After Enabling this option client only needs to have Intermediate`
			`CA certificate of the server to authenticate server, root CA cert is not necessary).`
esp_tls: Add support for server side SSL/TLS connection Currently, esp-tls supports creation of SSL/TLS connection on the client side. This commit includes support for creating SSL/TLS connection on the server side. 2019-05-28 11:19:02 +05:30
ESP_TLS: Restructuring esp_tls 1)Segregating mbedtls API into seperate file and cleaned esp_tls.c 2)Added support for wolfssl for CMake and make 3)Added support for debug_wolfssl (with menuconfig option) 4)Added info on wolfssl in ESP-TLS docs 2019-09-07 16:24:54 +05:30			`config ESP_DEBUG_WOLFSSL`
			`bool "Enable debug logs for wolfSSL"`
			`depends on ESP_TLS_USING_WOLFSSL`
			`help`
			`Enable detailed debug prints for wolfSSL SSL library.`

			`endmenu`