Existing cipher suites and certificates used by the HTTP server sample are included in RFC 9113 Appendix A: Prohibited TLS 1.2 Cipher Suites. The RFC specifies that when using HTTP/2, these cipher suites may be treated as an error of type INADEQUATE_SECURITY, and in practice Chrome and Firefox do implement this. The certificates have been updated to use ECDSA P-256 signatures, and the supported cipher suites updated to use ECDHE key exchange with AES-GCM and AES-CCM modes. Some scripts are included to allow users to generate their own certificates if desired. Signed-off-by: Matt Rodgers <mrodgers@witekio.com>
# General config
#
# Board-independent project configuration for the HTTP server sample.
# The values below are sized for a demo; notes marked NOTE(review) point
# out settings that should be revisited before this is used as the basis
# of a production build.
CONFIG_MAIN_STACK_SIZE=3072
CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=2048
# Shell and logging are diagnostic aids for the sample. In a production
# build consider disabling them so the device does not expose an
# interactive console or verbose network logs.
CONFIG_SHELL=y
CONFIG_LOG=y
# NOTE(review): TEST_RANDOM_GENERATOR is, per its Kconfig help, a test-only
# PRNG and not a cryptographic entropy source. While it is enabled the TLS
# session keys and the ephemeral ECDH keys configured further down are
# derived from predictable output, so this configuration is only fit for
# demos. For a real deployment drop this option and rely on the board's
# hardware entropy driver behind CONFIG_ENTROPY_GENERATOR -- confirm the
# target board provides one.
CONFIG_ENTROPY_GENERATOR=y
CONFIG_TEST_RANDOM_GENERATOR=y
CONFIG_INIT_STACKS=y
# POSIX file-descriptor layer used by the socket/poll based server.
CONFIG_ZVFS_OPEN_MAX=32
CONFIG_POSIX_API=y
CONFIG_FDTABLE=y
CONFIG_ZVFS_POLL_MAX=32

# Eventfd
CONFIG_EVENTFD=y

# Networking config
CONFIG_NETWORKING=y
CONFIG_NET_IPV4=y
CONFIG_NET_IPV6=y
CONFIG_NET_TCP=y
CONFIG_NET_SOCKETS=y
CONFIG_NET_CONNECTION_MANAGER=y
# NET_SHELL and the statistics API are diagnostics; they are not needed by
# the server itself and can be dropped from a hardened build.
CONFIG_NET_SHELL=y
CONFIG_NET_STATISTICS=y
CONFIG_NET_STATISTICS_USER_API=y
CONFIG_NET_LOG=y

# JSON
CONFIG_JSON_LIBRARY=y

# HTTP parser
CONFIG_HTTP_PARSER_URL=y
CONFIG_HTTP_PARSER=y
CONFIG_HTTP_SERVER=y
CONFIG_HTTP_SERVER_WEBSOCKET=y

# Network buffers
CONFIG_NET_PKT_RX_COUNT=16
CONFIG_NET_PKT_TX_COUNT=16
CONFIG_NET_BUF_RX_COUNT=128
CONFIG_NET_BUF_TX_COUNT=128
CONFIG_NET_CONTEXT_NET_PKT_POOL=y

# IP address options
CONFIG_NET_IF_UNICAST_IPV6_ADDR_COUNT=3
CONFIG_NET_IF_MCAST_IPV6_ADDR_COUNT=4
# Upper bound on simultaneous connections/contexts the stack will track;
# additional connection attempts beyond this are refused by the stack.
CONFIG_NET_MAX_CONTEXTS=32
CONFIG_NET_MAX_CONN=32

# Network address config
#
# 192.0.2.0/24 and 2001:db8::/32 are the reserved documentation prefixes
# (RFC 5737 / RFC 3849). They are fine for a bench setup against a host on
# the same link; replace them with real addresses when deploying.
CONFIG_NET_CONFIG_SETTINGS=y
CONFIG_NET_CONFIG_NEED_IPV4=y
CONFIG_NET_CONFIG_NEED_IPV6=y
CONFIG_NET_CONFIG_MY_IPV4_ADDR="192.0.2.1"
CONFIG_NET_CONFIG_PEER_IPV4_ADDR="192.0.2.2"
CONFIG_NET_CONFIG_MY_IPV4_GW="192.0.2.2"
CONFIG_NET_CONFIG_MY_IPV6_ADDR="2001:db8::1"
CONFIG_NET_CONFIG_PEER_IPV6_ADDR="2001:db8::2"

# TLS configuration
#
# The cipher suite selection is deliberately narrow: RSA key exchange is
# turned off and only ECDHE-ECDSA with AES-GCM/AES-CCM remains. That gives
# forward secrecy and keeps the server off the RFC 9113 Appendix A list of
# suites that HTTP/2 peers (Chrome, Firefox) reject with INADEQUATE_SECURITY.
CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_BUILTIN=y
CONFIG_MBEDTLS_ENABLE_HEAP=y
# Heap shared by all concurrent TLS contexts; raise it together with
# NET_SOCKETS_TLS_MAX_CONTEXTS if more simultaneous TLS sessions are needed.
CONFIG_MBEDTLS_HEAP_SIZE=60000
# NOTE(review): a 2 KiB record buffer is well below the 16 KiB TLS maximum.
# Peers that send larger records (for example big client certificates or
# large POST bodies in a single record) will fail unless the max-fragment-
# length extension is negotiated -- confirm the intended clients cope.
CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=2048
# Uses the legacy mbedTLS crypto API rather than PSA Crypto.
CONFIG_MBEDTLS_USE_PSA_CRYPTO=n
CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
# Presumably the cap on TLS sockets alive at once (listener plus clients);
# further TLS connections are refused until one closes.
CONFIG_NET_SOCKETS_TLS_MAX_CONTEXTS=6
# Credential slots for the server certificate, private key and any CA
# chain registered via the tls_credentials API.
CONFIG_TLS_CREDENTIALS=y
CONFIG_TLS_MAX_CREDENTIALS_NUMBER=5
# Only the P-256 curve is enabled, matching the ECDSA P-256 certificates
# shipped with the sample; certificates on any other curve will not load.
CONFIG_MBEDTLS_ECDH_C=y
CONFIG_MBEDTLS_ECDSA_C=y
CONFIG_MBEDTLS_ECP_C=y
CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED=y
# Static RSA key exchange offers no forward secrecy and is on the HTTP/2
# black list, so it stays disabled.
CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=n
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED=y
# AEAD modes only; no CBC suites are enabled.
CONFIG_MBEDTLS_CIPHER_CCM_ENABLED=y
CONFIG_MBEDTLS_CIPHER_GCM_ENABLED=y

# Networking tweaks
# Required to handle large number of consecutive connections,
# e.g. when testing with ApacheBench.
# NOTE(review): skipping TIME_WAIT also lets delayed segments from a closed
# connection be accepted by a new one that reuses the same 4-tuple. Keep
# this at the default for anything other than load testing.
CONFIG_NET_TCP_TIME_WAIT_DELAY=0

# Device drivers
CONFIG_GPIO=y
CONFIG_LED=y

# Network debug config
# Leave these at n outside of debugging: debug-level socket and HTTP logs
# print request and connection details to the console.
CONFIG_NET_SOCKETS_LOG_LEVEL_DBG=n
CONFIG_NET_HTTP_LOG_LEVEL_DBG=n
CONFIG_NET_IPV6_LOG_LEVEL_DBG=n
CONFIG_NET_IPV6_ND_LOG_LEVEL_DBG=n