intel / sgx-ra-sample


Problem running sample on Windows #39

Closed tfmeneses closed 4 years ago

tfmeneses commented 4 years ago

Hi, when I try to run the sample, I got this error:

---- IAS sigrl HTTP Request ------------------------------------------------
HTTP GET https://test-as.sgx.trustedservices.intel.com/attestation/sgx/v3/sigrl/00000b3b

* Trying 34.226.8.58...
* Connected to test-as.sgx.trustedservices.intel.com (34.226.8.58) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: C:\Program Files\cURL\bin\curl-ca-bundle.crt
    CApath: none
* Unknown SSL protocol error in connection to test-as.sgx.trustedservices.intel.com:443
* Closing connection 0
Could not query IAS
could not retrieve the sigrl
error processing msg1

Can somebody help me?

jmechalas commented 4 years ago

Based on this it is probably dying during the key exchange. One of the side effects of allowing self-signed certificates in the development environment is that a large number of certificate headers get sent during the handshake so that the client (in this case, the service provider) can detect and identify its own among the list. It seems the Windows HTTPS stack doesn't like this huge transaction, which can be over 64k in size. The curl agent we were using before didn't have this issue, but it was also an old code branch and we had trouble finding modern builds that integrated with Visual Studio (without forcing a bunch of additional requirements on the end user, like a MinGW environment).

I suggest running the service provider on a Linux system at least for dev/test. The production environment doesn't have this issue because it does not accept self-signed certificates.

jmechalas commented 4 years ago

Just released v3.1 of the sample. Back in v3.0 we did away with curl and moved to v3 of the attestation API which is based on API management instead of client certificates. I suggest you update your code base, get an API key, and use that approach. It doesn't suffer from the self-signed certificate problems that the earlier instances of IAS used.
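The API-key style of sigrl query the maintainer recommends, as an added example (not code from the sgx-ra-sample repository): the service provider authenticates with a subscription key header over an ordinary server-verified TLS connection, so no client certificate is involved in the handshake. The header name `Ocp-Apim-Subscription-Key`, the host, the GID byte reversal and the response semantics are assumptions about the API-managed IAS endpoint; the GID `00000b3b` is the one from the log above.

```python
import base64
import ssl
import http.client

# Placeholder values for this offline example; a real service provider takes the
# host and key from its IAS subscription and the GID from the enclave's msg1.
IAS_HOST = "api.trustedservices.intel.com"   # assumption: host of the API-managed endpoint
API_KEY_HEADER = "Ocp-Apim-Subscription-Key"  # assumption: header name used by IAS v3


def sigrl_path(gid_le: bytes) -> str:
    """Map the 4-byte little-endian EPID group ID from msg1 to the v3 sigrl path.
    The URL carries the GID as big-endian hex, so the bytes are reversed
    (assumption, mirroring how the sample's service provider handles msg1.gid)."""
    if len(gid_le) != 4:
        raise ValueError("EPID GID must be exactly 4 bytes")
    return "/attestation/sgx/v3/sigrl/" + gid_le[::-1].hex()


def sigrl_headers(api_key: str) -> dict:
    """Authenticate with the subscription key instead of a client certificate,
    so the TLS handshake stays a plain server-authenticated one."""
    return {API_KEY_HEADER: api_key}


def parse_sigrl_response(status: int, body: bytes) -> bytes:
    """Return the decoded SigRL. An empty body means the group has no revocation
    list (assumption); anything other than HTTP 200 is a hard failure for msg2."""
    if status != 200:
        raise RuntimeError(f"IAS sigrl query failed: HTTP {status}")
    if not body:
        return b""
    return base64.b64decode(body, validate=True)


def fetch_sigrl(gid_le: bytes, api_key: str, host: str = IAS_HOST, transport=None) -> bytes:
    """Perform the GET over a default TLS context (system CA store, no client cert).
    `transport(path, headers) -> (status, body)` can be injected to test offline."""
    path, headers = sigrl_path(gid_le), sigrl_headers(api_key)
    if transport is None:
        ctx = ssl.create_default_context()
        conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=30)
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        status, body = resp.status, resp.read()
        conn.close()
    else:
        status, body = transport(path, headers)
    return parse_sigrl_response(status, body)
```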