menu "mbedTLS" choice MBEDTLS_MEM_ALLOC_MODE prompt "Memory allocation strategy" default MBEDTLS_INTERNAL_MEM_ALLOC help Allocation strategy for mbedTLS, essentially provides ability to allocate all required dynamic allocations from, - Internal DRAM memory only - External SPIRAM memory only - Either internal or external memory based on default malloc() behavior in ESP-IDF - Custom allocation mode, by overwriting calloc()/free() using mbedtls_platform_set_calloc_free() function Recommended mode here is always internal, since that is most preferred from security perspective. But if application requirement does not allow sufficient free internal memory then alternate mode can be selected. config MBEDTLS_INTERNAL_MEM_ALLOC bool "Internal memory" config MBEDTLS_EXTERNAL_MEM_ALLOC bool "External SPIRAM" depends on SPIRAM_SUPPORT config MBEDTLS_DEFAULT_MEM_ALLOC bool "Default alloc mode" config MBEDTLS_CUSTOM_MEM_ALLOC bool "Custom alloc mode" endchoice #MBEDTLS_MEM_ALLOC_MODE config MBEDTLS_SSL_MAX_CONTENT_LEN int "TLS maximum message content length" default 16384 range 512 16384 depends on !MBEDTLS_ASYMMETRIC_CONTENT_LEN help Maximum TLS message length (in bytes) supported by mbedTLS. 16384 is the default and this value is required to comply fully with TLS standards. However you can set a lower value in order to save RAM. This is safe if the other end of the connection supports Maximum Fragment Length Negotiation Extension (max_fragment_length, see RFC6066) or you know for certain that it will never send a message longer than a certain number of bytes. If the value is set too low, symptoms are a failed TLS handshake or a return value of MBEDTLS_ERR_SSL_INVALID_RECORD (-0x7200). config MBEDTLS_ASYMMETRIC_CONTENT_LEN bool "Asymmetric in/out fragment length" default n help If enabled, this option allows customizing TLS in/out fragment length in asymmetric way. Please note that enabling this with default values saves 12KB of dynamic memory per TLS connection. config MBEDTLS_SSL_IN_CONTENT_LEN int "TLS maximum incoming fragment length" default 16384 range 512 16384 depends on MBEDTLS_ASYMMETRIC_CONTENT_LEN help This defines maximum incoming fragment length, overriding default maximum content length (MBEDTLS_SSL_MAX_CONTENT_LEN). config MBEDTLS_SSL_OUT_CONTENT_LEN int "TLS maximum outgoing fragment length" default 4096 range 512 16384 depends on MBEDTLS_ASYMMETRIC_CONTENT_LEN help This defines maximum outgoing fragment length, overriding default maximum content length (MBEDTLS_SSL_MAX_CONTENT_LEN). config MBEDTLS_DEBUG bool "Enable mbedTLS debugging" default n help Enable mbedTLS debugging functions at compile time. If this option is enabled, you can include "mbedtls/esp_debug.h" and call mbedtls_esp_enable_debug_log() at runtime in order to enable mbedTLS debug output via the ESP log mechanism. config MBEDTLS_ECP_RESTARTABLE bool "Enable mbedTLS ecp restartable" default n help Enable "non-blocking" ECC operations that can return early and be resumed. config MBEDTLS_CMAC_C bool "Enable CMAC mode for block ciphers" default n help Enable the CMAC (Cipher-based Message Authentication Code) mode for block ciphers. config MBEDTLS_HARDWARE_AES bool "Enable hardware AES acceleration" default y help Enable hardware accelerated AES encryption & decryption. Note that if the ESP32 CPU is running at 240MHz, hardware AES does not offer any speed boost over software AES. config MBEDTLS_HARDWARE_MPI bool "Enable hardware MPI (bignum) acceleration" default n help Enable hardware accelerated multiple precision integer operations. Hardware accelerated multiplication, modulo multiplication, and modular exponentiation for up to 4096 bit results. These operations are used by RSA. config MBEDTLS_MPI_USE_INTERRUPT bool "Use interrupt for MPI operations" depends on MBEDTLS_HARDWARE_MPI default n help Use an interrupt to coordinate MPI operations. This allows other code to run on the CPU while an MPI operation is pending. Otherwise the CPU busy-waits. config MBEDTLS_HARDWARE_SHA bool "Enable hardware SHA acceleration" default n help Enable hardware accelerated SHA1, SHA256, SHA384 & SHA512 in mbedTLS. Due to a hardware limitation, hardware acceleration is only guaranteed if SHA digests are calculated one at a time. If more than one SHA digest is calculated at the same time, one will be calculated fully in hardware and the rest will be calculated (at least partially calculated) in software. This happens automatically. SHA hardware acceleration is faster than software in some situations but slower in others. You should benchmark to find the best setting for you. config MBEDTLS_HAVE_TIME bool "Enable mbedtls time" depends on !ESP32_TIME_SYSCALL_USE_NONE default y help System has time.h and time(). The time does not need to be correct, only time differences are used. config MBEDTLS_HAVE_TIME_DATE bool "Enable mbedtls certificate expiry check" depends on MBEDTLS_HAVE_TIME default n help System has time.h and time(), gmtime() and the clock is correct. The time needs to be correct (not necesarily very accurate, but at least the date should be correct). This is used to verify the validity period of X.509 certificates. It is suggested that you should get the real time by "SNTP". choice MBEDTLS_TLS_MODE bool "TLS Protocol Role" default MBEDTLS_TLS_SERVER_AND_CLIENT help mbedTLS can be compiled with protocol support for the TLS server, TLS client, or both server and client. Reducing the number of TLS roles supported saves code size. config MBEDTLS_TLS_SERVER_AND_CLIENT bool "Server & Client" select MBEDTLS_TLS_SERVER select MBEDTLS_TLS_CLIENT config MBEDTLS_TLS_SERVER_ONLY bool "Server" select MBEDTLS_TLS_SERVER config MBEDTLS_TLS_CLIENT_ONLY bool "Client" select MBEDTLS_TLS_CLIENT config MBEDTLS_TLS_DISABLED bool "None" endchoice config MBEDTLS_TLS_SERVER bool select MBEDTLS_TLS_ENABLED config MBEDTLS_TLS_CLIENT bool select MBEDTLS_TLS_ENABLED config MBEDTLS_TLS_ENABLED bool menu "TLS Key Exchange Methods" depends on MBEDTLS_TLS_ENABLED config MBEDTLS_PSK_MODES bool "Enable pre-shared-key ciphersuites" default n help Enable to show configuration for different types of pre-shared-key TLS authentatication methods. Leaving this options disabled will save code size if they are not used. config MBEDTLS_KEY_EXCHANGE_PSK bool "Enable PSK based ciphersuite modes" depends on MBEDTLS_PSK_MODES default n help Enable to support symmetric key PSK (pre-shared-key) TLS key exchange modes. config MBEDTLS_KEY_EXCHANGE_DHE_PSK bool "Enable DHE-PSK based ciphersuite modes" depends on MBEDTLS_PSK_MODES default y help Enable to support Diffie-Hellman PSK (pre-shared-key) TLS authentication modes. config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK bool "Enable ECDHE-PSK based ciphersuite modes" depends on MBEDTLS_PSK_MODES default y help Enable to support Elliptic-Curve-Diffie-Hellman PSK (pre-shared-key) TLS authentication modes. config MBEDTLS_KEY_EXCHANGE_RSA_PSK bool "Enable RSA-PSK based ciphersuite modes" depends on MBEDTLS_PSK_MODES default y help Enable to support RSA PSK (pre-shared-key) TLS authentication modes. config MBEDTLS_KEY_EXCHANGE_RSA bool "Enable RSA-only based ciphersuite modes" default y help Enable to support ciphersuites with prefix TLS-RSA-WITH- config MBEDTLS_KEY_EXCHANGE_DHE_RSA bool "Enable DHE-RSA based ciphersuite modes" default y help Enable to support ciphersuites with prefix TLS-DHE-RSA-WITH- config MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE bool "Support Elliptic Curve based ciphersuites" depends on MBEDTLS_ECP_C default y help Enable to show Elliptic Curve based ciphersuite mode options. Disabling all Elliptic Curve ciphersuites saves code size and can give slightly faster TLS handshakes, provided the server supports RSA-only ciphersuite modes. config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA bool "Enable ECDHE-RSA based ciphersuite modes" depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE && MBEDTLS_ECDH_C default y help Enable to support ciphersuites with prefix TLS-ECDHE-RSA-WITH- config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA bool "Enable ECDHE-ECDSA based ciphersuite modes" depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE && MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C default y help Enable to support ciphersuites with prefix TLS-ECDHE-RSA-WITH- config MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA bool "Enable ECDH-ECDSA based ciphersuite modes" depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE && MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C default y help Enable to support ciphersuites with prefix TLS-ECDHE-RSA-WITH- config MBEDTLS_KEY_EXCHANGE_ECDH_RSA bool "Enable ECDH-RSA based ciphersuite modes" depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE && MBEDTLS_ECDH_C default y help Enable to support ciphersuites with prefix TLS-ECDHE-RSA-WITH- endmenu # TLS key exchange modes config MBEDTLS_SSL_RENEGOTIATION bool "Support TLS renegotiation" depends on MBEDTLS_TLS_ENABLED default y help The two main uses of renegotiation are (1) refresh keys on long-lived connections and (2) client authentication after the initial handshake. If you don't need renegotiation, disabling it will save code size and reduce the possibility of abuse/vulnerability. config MBEDTLS_SSL_PROTO_SSL3 bool "Legacy SSL 3.0 support" depends on MBEDTLS_TLS_ENABLED default n help Support the legacy SSL 3.0 protocol. Most servers will speak a newer TLS protocol these days. config MBEDTLS_SSL_PROTO_TLS1 bool "Support TLS 1.0 protocol" depends on MBEDTLS_TLS_ENABLED default y config MBEDTLS_SSL_PROTO_TLS1_1 bool "Support TLS 1.1 protocol" depends on MBEDTLS_TLS_ENABLED default y config MBEDTLS_SSL_PROTO_TLS1_2 bool "Support TLS 1.2 protocol" depends on MBEDTLS_TLS_ENABLED default y config MBEDTLS_SSL_PROTO_DTLS bool "Support DTLS protocol (all versions)" default n depends on MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 help Requires TLS 1.1 to be enabled for DTLS 1.0 Requires TLS 1.2 to be enabled for DTLS 1.2 config MBEDTLS_SSL_ALPN bool "Support ALPN (Application Layer Protocol Negotiation)" depends on MBEDTLS_TLS_ENABLED default y help Disabling this option will save some code size if it is not needed. config MBEDTLS_SSL_SESSION_TICKETS bool "TLS: Support RFC 5077 SSL session tickets" default y depends on MBEDTLS_TLS_ENABLED help Support RFC 5077 session tickets. See mbedTLS documentation for more details. Disabling this option will save some code size. menu "Symmetric Ciphers" config MBEDTLS_AES_C bool "AES block cipher" default y config MBEDTLS_CAMELLIA_C bool "Camellia block cipher" default n config MBEDTLS_DES_C bool "DES block cipher (legacy, insecure)" default n help Enables the DES block cipher to support 3DES-based TLS ciphersuites. 3DES is vulnerable to the Sweet32 attack and should only be enabled if absolutely necessary. choice MBEDTLS_RC4_MODE prompt "RC4 Stream Cipher (legacy, insecure)" default MBEDTLS_RC4_DISABLED help ARCFOUR (RC4) stream cipher can be disabled entirely, enabled but not added to default ciphersuites, or enabled completely. Please consider the security implications before enabling RC4. config MBEDTLS_RC4_DISABLED bool "Disabled" config MBEDTLS_RC4_ENABLED_NO_DEFAULT bool "Enabled, not in default ciphersuites" config MBEDTLS_RC4_ENABLED bool "Enabled" endchoice config MBEDTLS_BLOWFISH_C bool "Blowfish block cipher (read help)" default n help Enables the Blowfish block cipher (not used for TLS sessions.) The Blowfish cipher is not used for mbedTLS TLS sessions but can be used for other purposes. Read up on the limitations of Blowfish (including Sweet32) before enabling. config MBEDTLS_XTEA_C bool "XTEA block cipher" default n help Enables the XTEA block cipher. config MBEDTLS_CCM_C bool "CCM (Counter with CBC-MAC) block cipher modes" default y depends on MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C help Enable Counter with CBC-MAC (CCM) modes for AES and/or Camellia ciphers. Disabling this option saves some code size. config MBEDTLS_GCM_C bool "GCM (Galois/Counter) block cipher modes" default y depends on MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C help Enable Galois/Counter Mode for AES and/or Camellia ciphers. This option is generally faster than CCM. endmenu # Symmetric Ciphers config MBEDTLS_RIPEMD160_C bool "Enable RIPEMD-160 hash algorithm" default n help Enable the RIPEMD-160 hash algorithm. menu "Certificates" config MBEDTLS_PEM_PARSE_C bool "Read & Parse PEM formatted certificates" default y help Enable decoding/parsing of PEM formatted certificates. If your certificates are all in the simpler DER format, disabling this option will save some code size. config MBEDTLS_PEM_WRITE_C bool "Write PEM formatted certificates" default y help Enable writing of PEM formatted certificates. If writing certificate data only in DER format, disabling this option will save some code size. config MBEDTLS_X509_CRL_PARSE_C bool "X.509 CRL parsing" default y help Support for parsing X.509 Certifificate Revocation Lists. config MBEDTLS_X509_CSR_PARSE_C bool "X.509 CSR parsing" default y help Support for parsing X.509 Certifificate Signing Requests endmenu # Certificates menuconfig MBEDTLS_ECP_C bool "Elliptic Curve Ciphers" default y config MBEDTLS_ECDH_C bool "Elliptic Curve Diffie-Hellman (ECDH)" depends on MBEDTLS_ECP_C default y help Enable ECDH. Needed to use ECDHE-xxx TLS ciphersuites. config MBEDTLS_ECDSA_C bool "Elliptic Curve DSA" depends on MBEDTLS_ECDH_C default y help Enable ECDSA. Needed to use ECDSA-xxx TLS ciphersuites. config MBEDTLS_ECP_DP_SECP192R1_ENABLED bool "Enable SECP192R1 curve" depends on MBEDTLS_ECP_C default y help Enable support for SECP192R1 Elliptic Curve. config MBEDTLS_ECP_DP_SECP224R1_ENABLED bool "Enable SECP224R1 curve" depends on MBEDTLS_ECP_C default y help Enable support for SECP224R1 Elliptic Curve. config MBEDTLS_ECP_DP_SECP256R1_ENABLED bool "Enable SECP256R1 curve" depends on MBEDTLS_ECP_C default y help Enable support for SECP256R1 Elliptic Curve. config MBEDTLS_ECP_DP_SECP384R1_ENABLED bool "Enable SECP384R1 curve" depends on MBEDTLS_ECP_C default y help Enable support for SECP384R1 Elliptic Curve. config MBEDTLS_ECP_DP_SECP521R1_ENABLED bool "Enable SECP521R1 curve" depends on MBEDTLS_ECP_C default y help Enable support for SECP521R1 Elliptic Curve. config MBEDTLS_ECP_DP_SECP192K1_ENABLED bool "Enable SECP192K1 curve" depends on MBEDTLS_ECP_C default y help Enable support for SECP192K1 Elliptic Curve. config MBEDTLS_ECP_DP_SECP224K1_ENABLED bool "Enable SECP224K1 curve" depends on MBEDTLS_ECP_C default y help Enable support for SECP224K1 Elliptic Curve. config MBEDTLS_ECP_DP_SECP256K1_ENABLED bool "Enable SECP256K1 curve" depends on MBEDTLS_ECP_C default y help Enable support for SECP256K1 Elliptic Curve. config MBEDTLS_ECP_DP_BP256R1_ENABLED bool "Enable BP256R1 curve" depends on MBEDTLS_ECP_C default y help support for DP Elliptic Curve. config MBEDTLS_ECP_DP_BP384R1_ENABLED bool "Enable BP384R1 curve" depends on MBEDTLS_ECP_C default y help support for DP Elliptic Curve. config MBEDTLS_ECP_DP_BP512R1_ENABLED bool "Enable BP512R1 curve" depends on MBEDTLS_ECP_C default y help support for DP Elliptic Curve. config MBEDTLS_ECP_DP_CURVE25519_ENABLED bool "Enable CURVE25519 curve" depends on MBEDTLS_ECP_C default y help Enable support for CURVE25519 Elliptic Curve. config MBEDTLS_ECP_NIST_OPTIM bool "NIST 'modulo p' optimisations" depends on MBEDTLS_ECP_C default y help NIST 'modulo p' optimisations increase Elliptic Curve operation performance. Disabling this option saves some code size. # end of Elliptic Curve options endmenu # mbedTLS