ccc-certifier-framework / certifier-framework-for-confidential-computing

The Confidential Computing Certifier Framework consists of a client API called the Certifier-API and server-based policy evaluation called the Certifier Service. It simplifies and unifies programming and operations support for multi-vendor Confidential Computing platforms by providing support for scalable, policy-driven trust management including
Apache License 2.0

Cannot create an SSL connection using secure authenticated channel #256

Open atulfj opened 1 month ago

atulfj commented 1 month ago

I am trying to write an application using the current Certifier API. I was able to perform cold_init() and also solve an earlier error with certify_me() by generating new provisioned files. However, I have encountered another error during the initiation of an SSL connection. Following are the error messages:

From server side: server_channel_accept_and_auth() error, line 3395, Can't SSL_accept connection, res=-1 Accept error(a00041b, 1051): SSL routines SSL_ERROR_ZERO_RETURN: zero return error

From client side: init_client_ssl() error, line 3266, ssl_connect failed, ret=-1, err=1: SSL_ERROR_SSL: generic ssl error cannot init SSL channel as client

Initially I thought it was an issue with expired or invalid root certificates. After studying the certifier framework, I got the understanding that the arguments of cc_trust_manager::init_policy_key() are used as SSL certificates. So, I used embed_policy_key.exe --input=policy_cert_file.bin --output=policy_key.cc to generate a new certificate. However, the error remains persistent even after doing this.

I would appreciate any insight into this problem. Is there any step that I have missed, or am I doing something wrong that causes SSL_accept() to fail?

gapisback commented 1 week ago

Hi, @atulfj -- Sorry about the delay in responding.

Have you tried to go thru our sample apps programs to model the development of your code?

The example_app.cc in common/ dir is the canonical way we expect applications to be written.

Also the sample_apps/run_example.sh driver script is useful to run these sample apps. Did you get a chance to do that, and go thru its steps to figure out what certificate and other setup stuff you need to do in order to get the sample-app to work?

If you haven't already done so, I suggest you go thru the instructions in this README file and try out these commands, to exercise the steps to run the program in --dry-run mode.

That may give you some better insights on what you need to do to get your app working w.r.t. certificates and so on:

cd ./sample_apps
./run_example.sh --dry-run simple_app setup
./run_example.sh --dry-run simple_app run_test

Finally, if you can post some outputs from your setup steps you've taken, that might help some of the others on this group to debug your issue.

Cc: @jlmucb @yelvmw
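One check worth running before digging into the handshake itself, added here as an example and not code from the Certifier Framework or from either poster: it builds a throwaway policy CA with the openssl CLI (a constructed stand-in for the real policy certificate that embed_policy_key.exe embeds for init_policy_key()), issues certificates for both channel endpoints, and confirms that each certificate chains to that CA and matches its private key. The "old-client" endpoint, signed by an unrelated CA, is constructed to show what a stale certificate set looks like to this check; all names are hypothetical and openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not Certifier Framework code): sanity-check the certificate
# material on both ends of an authenticated channel before blaming the
# handshake. A throwaway "policy" CA stands in for the real policy cert.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# new_ca NAME: self-signed CA, a stand-in for the policy key/cert pair.
new_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
      -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_leaf NAME CA: key + cert for one channel endpoint, signed by CA.
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
      -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" \
      -CAkey "$WORK/$2.key" -CAcreateserial -days 1 \
      -out "$WORK/$1.pem" 2>/dev/null
}

# check_endpoint NAME CA: returns 0 only if NAME's cert chains to CA's cert
# and NAME's private key matches the public key inside that cert. Either
# mismatch is enough for the peer to reject the handshake.
check_endpoint() {
  openssl verify -CAfile "$WORK/$2.pem" "$WORK/$1.pem" >/dev/null 2>&1 \
      || return 1
  [ "$(openssl x509 -in "$WORK/$1.pem" -pubkey -noout)" = \
    "$(openssl pkey -in "$WORK/$1.key" -pubout)" ]
}

new_ca policy          # the CA both sides must trust (constructed)
new_ca stale-policy    # an older, unrelated CA (constructed failure case)
issue_leaf server policy
issue_leaf client policy
issue_leaf old-client stale-policy

for ep in server client old-client; do
  if check_endpoint "$ep" policy; then echo "$ep: OK"; else echo "$ep: REJECT"; fi
done
```

Run the same two openssl commands against the real policy certificate and the key/cert pair each side of your channel actually loads; an endpoint that prints REJECT here will not get past SSL_accept()/SSL_connect() either.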