Starting from Monkey v1.6, we distribute the mbedTLS library as part of our sources, but that dependency is just build if you enable the TLS plugin. The library will be linked statically.
If for some reason you want to use a different mbedTLS library , you can use the optional --mbedtls-shared configure script option for that purpose or it equivalent -DWITH_MBEDTLS_SHARED=1 CMake option.
Enable TLS support in Monkey is a straightforward step, you only need to tell Monkey to include the TLS plugin in the build phase:
$ ./configure --enable-plugins=tls $ make
In case you want to build your own mbedTLS library and keep it on a different path, please refer to the following steps:
$ wget wget https://tls.mbed.org/download/latest-stable $ tar xvzf mbedtls-2.*
By default only the static library version is built, but we need the shared library. To start configuring and building do:
$ cd mbedtls-2.* $ cmake -DUSE_SHARED_MBEDTLS_LIBRARY=on . $ make $ make install
then let Monkey use that shared library version:
$ ./configure --enable-plugins=tls --mbedtls-shared $ make
If the plugin have not been built in static mode (check with '$ monkey -b'), you can enable the TLS plugin through the follow the steps mentioned on Plugins section. The plugin name is monkey-tls.so, so make sure the plugin entry is Load and the absolute path is correct.
As specified on the Server configuration section, the Listeners are the ones who use this plugin interface. To enable SSL/TLS on a listener just append the ssl keyword at the end of the Listener definition. This is an example from conf/monkey.conf:
[SERVER] Listen 443 ssl
With that setup, we have instructed that the Listener on TCP port 443 will use our TLS plugin that provides ssl capabilities.
You may also want to edit the TLS plugin settings to use your own certificate files. The configuration file is located at conf/plugins/tls/tls.conf. The default options are given below.
[SSL] CertificateFile srv_cert.pem CertificateChainFile srv_cert_chain.pem RSAKeyFile rsa_key.pem DHParameterFile dhparam.pem
The minimum requirement to make HTTPS works is to set CertificateFile and RSAKeyFile, but for development purposes no changed are needed as built-in cert files may be used instead. Setting CertificateChainFile is recommended to speed up the handshake process.
The mandatory certificate and RSA key can be generated with the following command using the OpenSSL tool:
$ openssl genrsa -out rsa_key.pem 1024 $ openssl req -new -x509 -key rsa_key.pem -out srv_cert.pem -days 1095
To generate a file with Diffie-Hellman parameters you can run:
$ openssl dhparam -out dhparam.pem 2048
Monkey is now able to serve content over SSL. Add your files to the DocumentRoot and start the Monkey!.