Configuration options (set of defines). More...
#include "check_config.h"
Go to the source code of this file.
Configuration options (set of defines).
This set of compile-time options may be used to enable or disable features selectively, and reduce the global memory footprint.
Definition in file config.h.
#define MBEDTLS_AES_C |
Enable the AES block cipher.
Module: library/aes.c Caller: library/ssl_tls.c library/pem.c library/ctr_drbg.c
This module enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA
PEM_PARSE uses AES for decrypting encrypted keys.
#define MBEDTLS_AESNI_C |
#define MBEDTLS_ARC4_C |
Enable the ARCFOUR stream cipher.
Module: library/arc4.c Caller: library/ssl_tls.c
This module enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA MBEDTLS_TLS_RSA_WITH_RC4_128_SHA MBEDTLS_TLS_RSA_WITH_RC4_128_MD5 MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
#define MBEDTLS_ASN1_PARSE_C |
#define MBEDTLS_ASN1_WRITE_C |
#define MBEDTLS_BASE64_C |
#define MBEDTLS_BIGNUM_C |
#define MBEDTLS_BLOWFISH_C |
#define MBEDTLS_CAMELLIA_C |
Enable the Camellia block cipher.
Module: library/camellia.c Caller: library/ssl_tls.c
This module enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
#define MBEDTLS_CCM_C |
#define MBEDTLS_CERTS_C |
#define MBEDTLS_CIPHER_C |
#define MBEDTLS_CIPHER_MODE_CBC |
#define MBEDTLS_CIPHER_MODE_CFB |
#define MBEDTLS_CIPHER_MODE_CTR |
#define MBEDTLS_CIPHER_PADDING_PKCS7 |
MBEDTLS_CIPHER_PADDING_XXX: Uncomment or comment macros to add support for specific padding modes in the cipher layer with cipher modes that support padding (e.g. CBC)
If you disable all padding modes, only full blocks can be used with CBC.
Enable padding modes in the cipher layer.
#define MBEDTLS_CTR_DRBG_C |
Enable the CTR_DRBG AES-256-based random generator.
Module: library/ctr_drbg.c Caller:
Requires: MBEDTLS_AES_C
This module provides the CTR_DRBG AES-256 random number generator.
#define MBEDTLS_DEBUG_C |
#define MBEDTLS_DES_C |
Enable the DES block cipher.
Module: library/des.c Caller: library/pem.c library/ssl_tls.c
This module enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
PEM_PARSE uses DES/3DES for decrypting encrypted keys.
#define MBEDTLS_DHM_C |
Enable the Diffie-Hellman-Merkle module.
Module: library/dhm.c Caller: library/ssl_cli.c library/ssl_srv.c
This module is used by the following key exchanges: DHE-RSA, DHE-PSK
#define MBEDTLS_ECDH_C |
#define MBEDTLS_ECDSA_C |
#define MBEDTLS_ECDSA_DETERMINISTIC |
Enable deterministic ECDSA (RFC 6979). Standard ECDSA is "fragile" in the sense that lack of entropy when signing may result in a compromise of the long-term signing key. This is avoided by the deterministic variant.
Requires: MBEDTLS_HMAC_DRBG_C
Comment this macro to disable deterministic ECDSA.
#define MBEDTLS_ECP_C |
#define MBEDTLS_ECP_DP_SECP192R1_ENABLED |
#define MBEDTLS_ECP_NIST_OPTIM |
#define MBEDTLS_ENTROPY_C |
#define MBEDTLS_ERROR_C |
Enable error code to error string conversion.
Module: library/error.c Caller:
This module enables mbedtls_strerror().
#define MBEDTLS_ERROR_STRERROR_DUMMY |
Enable a dummy error function to make use of mbedtls_strerror() in third party libraries easier when MBEDTLS_ERROR_C is disabled (no effect when MBEDTLS_ERROR_C is enabled).
You can safely disable this if MBEDTLS_ERROR_C is enabled, or if you're not using mbedtls_strerror() or error_strerror() in your application.
Disable if you run into name conflicts and want to really remove the mbedtls_strerror()
#define MBEDTLS_FS_IO |
#define MBEDTLS_GCM_C |
#define MBEDTLS_GENPRIME |
#define MBEDTLS_HAVE_ASM |
The compiler has support for asm().
Requires support for asm() in compiler.
Used in: library/timing.c library/padlock.c include/mbedtls/bn_mul.h
Comment to disable the use of assembly code.
#define MBEDTLS_HAVE_TIME |
System has time.h and time(). The time does not need to be correct, only time differences are used, by contrast with MBEDTLS_HAVE_TIME_DATE
Defining MBEDTLS_HAVE_TIME allows you to specify MBEDTLS_PLATFORM_TIME_ALT, MBEDTLS_PLATFORM_TIME_MACRO, MBEDTLS_PLATFORM_TIME_TYPE_MACRO and MBEDTLS_PLATFORM_STD_TIME.
Comment if your system does not support time functions
#define MBEDTLS_HAVE_TIME_DATE |
System has time.h and time(), gmtime() and the clock is correct. The time needs to be correct (not necessarily very accurate, but at least the date should be correct). This is used to verify the validity period of X.509 certificates.
Comment if your system does not have a correct clock.
#define MBEDTLS_HAVEGE_C |
Enable the HAVEGE random generator.
Warning: the HAVEGE random generator is not suitable for virtualized environments
Warning: the HAVEGE random generator is dependent on timing and specific processor traits. It is therefore not advised to use HAVEGE as your applications primary random generator or primary entropy pool input. As a secondary input to your entropy pool, it IS able add the (limited) extra entropy it provides.
Module: library/havege.c Caller:
Requires: MBEDTLS_TIMING_C
Uncomment to enable the HAVEGE random generator.
#define MBEDTLS_HMAC_DRBG_C |
#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED |
Enable the DHE-PSK based ciphersuite modes in SSL / TLS.
Requires: MBEDTLS_DHM_C
This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA
#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED |
Enable the DHE-RSA based ciphersuite modes in SSL / TLS.
Requires: MBEDTLS_DHM_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, MBEDTLS_X509_CRT_PARSE_C
This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED |
Enable the ECDH-ECDSA based ciphersuite modes in SSL / TLS.
Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C
This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED |
Enable the ECDH-RSA based ciphersuite modes in SSL / TLS.
Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C
This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED |
Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS.
Requires: MBEDTLS_ECDH_C, MBEDTLS_ECDSA_C, MBEDTLS_X509_CRT_PARSE_C,
This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED |
Enable the ECDHE-PSK based ciphersuite modes in SSL / TLS.
Requires: MBEDTLS_ECDH_C
This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED |
Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS.
Requires: MBEDTLS_ECDH_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, MBEDTLS_X509_CRT_PARSE_C
This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA
#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED |
Enable the PSK based ciphersuite modes in SSL / TLS.
This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED |
Enable the RSA-only based ciphersuite modes in SSL / TLS.
Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, MBEDTLS_X509_CRT_PARSE_C
This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_RSA_WITH_RC4_128_SHA MBEDTLS_TLS_RSA_WITH_RC4_128_MD5
#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED |
Enable the RSA-PSK based ciphersuite modes in SSL / TLS.
Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, MBEDTLS_X509_CRT_PARSE_C
This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
#define MBEDTLS_MD5_C |
Enable the MD5 hash algorithm.
Module: library/md5.c Caller: library/md.c library/pem.c library/ssl_tls.c
This module is required for SSL/TLS up to version 1.1, and for TLS 1.2 depending on the handshake parameters. Further, it is used for checking MD5-signed certificates, and for PBKDF1 when decrypting PEM-encoded encrypted keys.
#define MBEDTLS_MD_C |
#define MBEDTLS_NET_C |
Enable the TCP and UDP over IPv6/IPv4 networking routines.
mbedtls_ssl_set_bio()
.Module: library/net_sockets.c
This module provides networking routines.
#define MBEDTLS_OID_C |
Enable the OID database.
Module: library/oid.c Caller: library/asn1write.c library/pkcs5.c library/pkparse.c library/pkwrite.c library/rsa.c library/x509.c library/x509_create.c library/x509_crl.c library/x509_crt.c library/x509_csr.c library/x509write_crt.c library/x509write_csr.c
This modules translates between OIDs and internal values.
#define MBEDTLS_PADLOCK_C |
#define MBEDTLS_PEM_PARSE_C |
#define MBEDTLS_PEM_WRITE_C |
#define MBEDTLS_PK_C |
#define MBEDTLS_PK_PARSE_C |
#define MBEDTLS_PK_PARSE_EC_EXTENDED |
Enhance support for reading EC keys using variants of SEC1 not allowed by RFC 5915 and RFC 5480.
Currently this means parsing the SpecifiedECDomain choice of EC parameters (only known groups are supported, not arbitrary domains, to avoid validation issues).
Disable if you only need to support RFC 5915 + 5480 key formats.
#define MBEDTLS_PK_RSA_ALT_SUPPORT |
#define MBEDTLS_PK_WRITE_C |
#define MBEDTLS_PKCS11_C |
#define MBEDTLS_PKCS12_C |
Enable PKCS#12 PBE functions. Adds algorithms for parsing PKCS#8 encrypted private keys
Module: library/pkcs12.c Caller: library/pkparse.c
Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_CIPHER_C, MBEDTLS_MD_C Can use: MBEDTLS_ARC4_C
This module enables PKCS#12 functions.
#define MBEDTLS_PKCS1_V15 |
#define MBEDTLS_PKCS1_V21 |
#define MBEDTLS_PKCS5_C |
#define MBEDTLS_PLATFORM_C |
Enable the platform abstraction layer that allows you to re-assign functions like calloc(), free(), snprintf(), printf(), fprintf(), exit().
Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned above to be specified at runtime or compile time respectively.
Module: library/platform.c Caller: Most other .c files
This module enables abstraction of common (libc) functions.
#define MBEDTLS_REMOVE_3DES_CIPHERSUITES |
Remove 3DES ciphersuites by default in SSL / TLS. This flag removes the ciphersuites based on 3DES from the default list as returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible to enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including them explicitly.
A man-in-the-browser attacker can recover authentication tokens sent through a TLS connection using a 3DES based cipher suite (see "On the Practical (In-)Security of 64-bit Block Ciphers" by Karthikeyan Bhargavan and Gaƫtan Leurent, see https://sweet32.info/SWEET32_CCS16.pdf). If this attack falls in your threat model or you are unsure, then you should keep this option enabled to remove 3DES based cipher suites.
Comment this macro to keep 3DES in the default ciphersuite list.
#define MBEDTLS_REMOVE_ARC4_CIPHERSUITES |
Remove RC4 ciphersuites by default in SSL / TLS. This flag removes the ciphersuites based on RC4 from the default list as returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible to enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including them explicitly.
Uncomment this macro to remove RC4 ciphersuites by default.
#define MBEDTLS_RIPEMD160_C |
#define MBEDTLS_RSA_C |
Enable the RSA public-key cryptosystem.
Module: library/rsa.c library/rsa_internal.c Caller: library/ssl_cli.c library/ssl_srv.c library/ssl_tls.c library/x509.c
This module is used by the following key exchanges: RSA, DHE-RSA, ECDHE-RSA, RSA-PSK
Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C
#define MBEDTLS_SELF_TEST |
#define MBEDTLS_SHA1_C |
Enable the SHA1 cryptographic hash algorithm.
Module: library/sha1.c Caller: library/md.c library/ssl_cli.c library/ssl_srv.c library/ssl_tls.c library/x509write_crt.c
This module is required for SSL/TLS up to version 1.1, for TLS 1.2 depending on the handshake parameters, and for SHA1-signed certificates.
#define MBEDTLS_SHA256_C |
Enable the SHA-224 and SHA-256 cryptographic hash algorithms.
Module: library/sha256.c Caller: library/entropy.c library/md.c library/ssl_cli.c library/ssl_srv.c library/ssl_tls.c
This module adds support for SHA-224 and SHA-256. This module is required for the SSL/TLS 1.2 PRF function.
#define MBEDTLS_SHA512_C |
#define MBEDTLS_SSL_ALL_ALERT_MESSAGES |
Enable sending of alert messages in case of encountered errors as per RFC. If you choose not to send the alert messages, mbed TLS can still communicate with other servers, only debugging of failures is harder.
The advantage of not sending alert messages, is that no information is given about reasons for failures thus preventing adversaries of gaining intel.
Enable sending of all alert messages
#define MBEDTLS_SSL_ALPN |
#define MBEDTLS_SSL_CACHE_C |
#define MBEDTLS_SSL_CBC_RECORD_SPLITTING |
Enable 1/n-1 record splitting for CBC mode in SSLv3 and TLS 1.0.
This is a countermeasure to the BEAST attack, which also minimizes the risk of interoperability issues compared to sending 0-length records.
Comment this macro to disable 1/n-1 record splitting.
#define MBEDTLS_SSL_CLI_C |
#define MBEDTLS_SSL_COOKIE_C |
#define MBEDTLS_SSL_DTLS_ANTI_REPLAY |
Enable support for the anti-replay mechanism in DTLS.
Requires: MBEDTLS_SSL_TLS_C MBEDTLS_SSL_PROTO_DTLS
Comment this to disable anti-replay in DTLS.
#define MBEDTLS_SSL_DTLS_BADMAC_LIMIT |
Enable support for a limit of records with bad MAC.
See mbedtls_ssl_conf_dtls_badmac_limit().
Requires: MBEDTLS_SSL_PROTO_DTLS
#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE |
Enable server-side support for clients that reconnect from the same port.
Some clients unexpectedly close the connection and try to reconnect using the same source port. This needs special support from the server to handle the new connection securely, as described in section 4.2.8 of RFC 6347. This flag enables that support.
Requires: MBEDTLS_SSL_DTLS_HELLO_VERIFY
Comment this to disable support for clients reusing the source port.
#define MBEDTLS_SSL_DTLS_HELLO_VERIFY |
Enable support for HelloVerifyRequest on DTLS servers.
This feature is highly recommended to prevent DTLS servers being used as amplifiers in DoS attacks against other hosts. It should always be enabled unless you know for sure amplification cannot be a problem in the environment in which your server operates.
Requires: MBEDTLS_SSL_PROTO_DTLS
Comment this to disable support for HelloVerifyRequest.
#define MBEDTLS_SSL_ENCRYPT_THEN_MAC |
Enable support for Encrypt-then-MAC, RFC 7366.
This allows peers that both support it to use a more robust protection for ciphersuites using CBC, providing deep resistance against timing attacks on the padding or underlying cipher.
This only affects CBC ciphersuites, and is useless if none is defined.
Requires: MBEDTLS_SSL_PROTO_TLS1 or MBEDTLS_SSL_PROTO_TLS1_1 or MBEDTLS_SSL_PROTO_TLS1_2
Comment this macro to disable support for Encrypt-then-MAC
#define MBEDTLS_SSL_EXPORT_KEYS |
#define MBEDTLS_SSL_EXTENDED_MASTER_SECRET |
Enable support for Extended Master Secret, aka Session Hash (draft-ietf-tls-session-hash-02).
This was introduced as "the proper fix" to the Triple Handshake familiy of attacks, but it is recommended to always use it (even if you disable renegotiation), since it actually fixes a more fundamental issue in the original SSL/TLS design, and has implications beyond Triple Handshake.
Requires: MBEDTLS_SSL_PROTO_TLS1 or MBEDTLS_SSL_PROTO_TLS1_1 or MBEDTLS_SSL_PROTO_TLS1_2
Comment this macro to disable support for Extended Master Secret.
#define MBEDTLS_SSL_FALLBACK_SCSV |
Enable support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv-00).
For servers, it is recommended to always enable this, unless you support only one version of TLS, or know for sure that none of your clients implements a fallback strategy.
For clients, you only need this if you're using a fallback strategy, which is not recommended in the first place, unless you absolutely need it to interoperate with buggy (version-intolerant) servers.
Comment this macro to disable support for FALLBACK_SCSV
#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH |
#define MBEDTLS_SSL_PROTO_DTLS |
Enable support for DTLS (all available versions).
Enable this and MBEDTLS_SSL_PROTO_TLS1_1 to enable DTLS 1.0, and/or this and MBEDTLS_SSL_PROTO_TLS1_2 to enable DTLS 1.2.
Requires: MBEDTLS_SSL_PROTO_TLS1_1 or MBEDTLS_SSL_PROTO_TLS1_2
Comment this macro to disable support for DTLS
#define MBEDTLS_SSL_PROTO_TLS1 |
#define MBEDTLS_SSL_PROTO_TLS1_1 |
#define MBEDTLS_SSL_PROTO_TLS1_2 |
#define MBEDTLS_SSL_RENEGOTIATION |
Enable support for TLS renegotiation.
The two main uses of renegotiation are (1) refresh keys on long-lived connections and (2) client authentication after the initial handshake. If you don't need renegotiation, it's probably better to disable it, since it has been associated with security issues in the past and is easy to misuse/misunderstand.
Comment this to disable support for renegotiation.
mbedtls_ssl_conf_legacy_renegotiation
for the configuration of this extension). #define MBEDTLS_SSL_SERVER_NAME_INDICATION |
#define MBEDTLS_SSL_SESSION_TICKETS |
Enable support for RFC 5077 session tickets in SSL. Client-side, provides full support for session tickets (maintenance of a session store remains the responsibility of the application, though). Server-side, you also need to provide callbacks for writing and parsing tickets, including authenticated encryption and key management. Example callbacks are provided by MBEDTLS_SSL_TICKET_C.
Comment this macro to disable support for SSL session tickets
#define MBEDTLS_SSL_SRV_C |
#define MBEDTLS_SSL_TICKET_C |
#define MBEDTLS_SSL_TLS_C |
#define MBEDTLS_SSL_TRUNCATED_HMAC |
#define MBEDTLS_THREADING_C |
Enable the threading abstraction layer. By default mbed TLS assumes it is used in a non-threaded environment or that contexts are not shared between threads. If you do intend to use contexts between threads, you will need to enable this layer to prevent race conditions. See also our Knowledge Base article about threading: https://tls.mbed.org/kb/development/thread-safety-and-multi-threading
Module: library/threading.c
This allows different threading implementations (self-implemented or provided).
You will have to enable either MBEDTLS_THREADING_ALT or MBEDTLS_THREADING_PTHREAD.
Enable this layer to allow use of mutexes within mbed TLS
#define MBEDTLS_THREADING_PTHREAD |
#define MBEDTLS_TIMING_C |
Enable the semi-portable timing interface.
mbedtls_ssl_set_timer_cb()
for DTLS, or leave it enabled and provide your own implementation of the whole module by setting MBEDTLS_TIMING_ALT
in the current file.Module: library/timing.c Caller: library/havege.c
This module is used by the HAVEGE random number generator.
#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE |
Complete list of ciphersuites to use, in order of preference.
Use this to save a few hundred bytes of ROM (default ordering of all available ciphersuites) and a few to a few hundred bytes of RAM.
The value below is only an example, not the default. Allow SHA-1 in the default TLS configuration for certificate signing. Without this build-time option, SHA-1 support must be activated explicitly through mbedtls_ssl_conf_cert_profile. Turning on this option is not recommended because of it is possible to generate SHA-1 collisions, however this may be safe for legacy infrastructure where additional controls apply.
#define MBEDTLS_VERSION_C |
#define MBEDTLS_VERSION_FEATURES |
Allow run-time checking of compile-time enabled features. Thus allowing users to check at run-time if the library is for instance compiled with threading support via mbedtls_version_check_feature().
Requires: MBEDTLS_VERSION_C
Comment this to disable run-time checking and save ROM space
#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE |
Enable verification of the extendedKeyUsage extension (leaf certificates).
Disabling this avoids problems with mis-issued and/or misused certificates.
Comment to skip extendedKeyUsage checking for certificates.
#define MBEDTLS_X509_CHECK_KEY_USAGE |
Enable verification of the keyUsage extension (CA and leaf certificates).
Disabling this avoids problems with mis-issued and/or misused (intermediate) CA and leaf certificates.
Comment to skip keyUsage checking for both CA and leaf certificates.
#define MBEDTLS_X509_CREATE_C |
#define MBEDTLS_X509_CRL_PARSE_C |
#define MBEDTLS_X509_CRT_PARSE_C |
#define MBEDTLS_X509_CRT_WRITE_C |
#define MBEDTLS_X509_CSR_PARSE_C |
#define MBEDTLS_X509_CSR_WRITE_C |
#define MBEDTLS_X509_RSASSA_PSS_SUPPORT |
#define MBEDTLS_X509_USE_C |
Enable X.509 core for using certificates.
Module: library/x509.c Caller: library/x509_crl.c library/x509_crt.c library/x509_csr.c
Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C
This module is required for the X.509 parsing modules.
#define MBEDTLS_XTEA_C |
#define MBEDTLS_ZLIB_SUPPORT |
If set, the SSL/TLS module uses ZLIB to support compression and decompression of packet data.
Used in: library/ssl_tls.c library/ssl_cli.c library/ssl_srv.c
This feature requires zlib library and headers to be present.
Uncomment to enable use of ZLIB