1menu "ESP-TLS"
2    choice ESP_TLS_LIBRARY_CHOOSE
3        prompt "Choose SSL/TLS library for ESP-TLS (See help for more Info)"
4        default ESP_TLS_USING_MBEDTLS
5        help
6            The ESP-TLS APIs support multiple backend TLS libraries. Currently mbedTLS and WolfSSL are
7            supported. Different TLS libraries may support different features and have different resource
8            usage. Consult the ESP-TLS documentation in ESP-IDF Programming guide for more details.
9        config ESP_TLS_USING_MBEDTLS
10            bool "mbedTLS"
11        config ESP_TLS_USING_WOLFSSL
12            depends on TLS_STACK_WOLFSSL
13            bool "wolfSSL (License info in wolfSSL directory README)"
14    endchoice
15
16    config ESP_TLS_USE_SECURE_ELEMENT
17        bool "Use Secure Element (ATECC608A) with ESP-TLS"
18        depends on IDF_TARGET_ESP32 && ESP_TLS_USING_MBEDTLS
19        select ATCA_MBEDTLS_ECDSA
20        select ATCA_MBEDTLS_ECDSA_SIGN
21        select ATCA_MBEDTLS_ECDSA_VERIFY
22        default n
23        help
            Enable use of a Secure Element with ESP-TLS. This enables internal support for the
            ATECC608A secure element on the ESP32-WROOM-32SE module, which can then be used for TLS connections.
26
27    config ESP_TLS_USE_DS_PERIPHERAL
28        bool "Use Digital Signature (DS) Peripheral with ESP-TLS"
29        depends on (IDF_TARGET_ESP32C3 || IDF_TARGET_ESP32S2 || IDF_TARGET_ESP32H2 || IDF_TARGET_ESP32S3)
30        depends on ESP_TLS_USING_MBEDTLS
31        default y
32        help
            Enable use of the Digital Signature (DS) Peripheral for ESP-TLS. The DS peripheral
            can only be used when it has been appropriately configured for TLS beforehand.
            Consult the ESP-TLS documentation in the ESP-IDF Programming Guide for more details.
36
37    config ESP_TLS_SERVER
38        bool "Enable ESP-TLS Server"
39        default n
40        help
41            Enable support for creating server side SSL/TLS session, available for mbedTLS
42            as well as wolfSSL TLS library.
43
44    config ESP_TLS_CLIENT_SESSION_TICKETS
45        bool "Enable client session tickets"
46        depends on ESP_TLS_USING_MBEDTLS && MBEDTLS_CLIENT_SSL_SESSION_TICKETS
47        default n
48        help
            Enable client-side session ticket support as specified in RFC 5077. A ticket lets the
            client resume a previous session with an abbreviated handshake instead of a full one.
50
51    config ESP_TLS_SERVER_SESSION_TICKETS
52        bool "Enable server session tickets"
53        depends on ESP_TLS_SERVER && ESP_TLS_USING_MBEDTLS && MBEDTLS_SERVER_SSL_SESSION_TICKETS
54        default n
55        help
            Enable server-side session ticket support as specified in RFC 5077.
57
58    config ESP_TLS_SERVER_SESSION_TICKET_TIMEOUT
59        int "Server session ticket timeout in seconds"
60        depends on ESP_TLS_SERVER_SESSION_TICKETS
61        default 86400
62        help
            Sets the session ticket lifetime (in seconds) used by the TLS server. A client can resume
            a session without a full handshake for as long as its ticket is valid, so keep this no
            longer than your deployment actually needs.
64
65    config ESP_TLS_PSK_VERIFICATION
66        bool "Enable PSK verification"
67        select MBEDTLS_PSK_MODES if ESP_TLS_USING_MBEDTLS
68        select MBEDTLS_KEY_EXCHANGE_PSK if ESP_TLS_USING_MBEDTLS
69        select MBEDTLS_KEY_EXCHANGE_DHE_PSK if ESP_TLS_USING_MBEDTLS
70        select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK if ESP_TLS_USING_MBEDTLS
71        select MBEDTLS_KEY_EXCHANGE_RSA_PSK if ESP_TLS_USING_MBEDTLS
72        default n
73        help
            Enable support for pre-shared key (PSK) cipher suites, supported for both the mbedTLS and
            wolfSSL TLS libraries. PSK cipher suites rely on the secrecy and entropy of the shared key
            for authentication, so keys must be generated randomly and provisioned securely. Note that
            the plain PSK and RSA-PSK key exchanges do not provide forward secrecy; prefer the DHE-PSK
            or ECDHE-PSK variants where both ends support them.
76
77    config ESP_TLS_INSECURE
78        bool "Allow potentially insecure options"
79        help
            You can enable some potentially insecure options. These options should only be used for testing
            purposes and must never be enabled in production firmware. Only enable them if you fully
            understand the consequences.
82
83    config ESP_TLS_SKIP_SERVER_CERT_VERIFY
84        bool "Skip server certificate verification by default (WARNING: ONLY FOR TESTING PURPOSE, READ HELP)"
85        depends on ESP_TLS_INSECURE
86        help
            After enabling this option the esp-tls client will skip the server certificate verification
            by default. Note that this option only modifies the default behaviour of the esp-tls client
            regarding server cert verification. The default behaviour only applies when no other option
            regarding server cert verification is selected in the esp-tls config
            (e.g. crt_bundle_attach, use_global_ca_store etc.).
            WARNING: With this option enabled, a client that does not supply a CA certificate (through
            the API or another mechanism such as the global CA store) will accept any server certificate,
            so an attacker on the network path can impersonate the server (man-in-the-middle).
95
96    config ESP_WOLFSSL_SMALL_CERT_VERIFY
97        bool "Enable SMALL_CERT_VERIFY"
98        depends on ESP_TLS_USING_WOLFSSL
99        default y
100        help
            Enables server verification against an Intermediate CA cert; the full chain of trust up to
            the root CA cert is not authenticated. After enabling this option the client only needs the
            Intermediate CA certificate of the server to authenticate it, the root CA cert is not necessary.
            Because the intermediate cert is effectively treated as the trust anchor, its own signature
            is not checked, and it must be updated on the device whenever the server's intermediate CA changes.
104
105    config ESP_DEBUG_WOLFSSL
106        bool "Enable debug logs for wolfSSL"
107        depends on ESP_TLS_USING_WOLFSSL
108        default n
109        help
            Enable detailed debug prints for the wolfSSL SSL library. Intended for development only;
            leave disabled in production builds, as the verbose output may expose handshake details.
111
112endmenu
113