You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We have two options to open a tls ws connection from the enclave to outside (and vice versa):
Open the socket entirely within the enclave. This if most likely the most secure option. However, we can not spawn new threads to process the messages. Examples can be found here for the server and the client.
We open up the TCP connection and do the mio polling of the stream outside of the enclave. This way we can spawn a new thread whenever a message is received. The ws handshake handling (TLS cipher suite decision, authentication (SSL certificate) and key generation) will be done within the enclave. Therefore, even though the worker is in charge of forwarding the messages (from and to the enclave), it can not decipher it.. a necessary man in the middle so to say. I have not yet tested the thread spawning but I will do so next week.
A relatively poorly documented example can be found here:
The enclave counter part can be found here but do not take this as a reference - its a poorly programmed ws client not using tls. It will eventually be replaced by the TLS client.
If we go with option 2, we should probably provide some kind of interface or template for future implementations.. it's not really trivial to implement and uses up to 5 (?) different ecalls.
The text was updated successfully, but these errors were encountered:
It seems to me that (2) is the only option that allows the architecture we're envisioning because we need multithreaded rpc to get the throughput we're aiming for
We have two options to open a tls ws connection from the enclave to outside (and vice versa):
Open the socket entirely within the enclave. This if most likely the most secure option. However, we can not spawn new threads to process the messages. Examples can be found here for the server and the client.
We open up the TCP connection and do the mio polling of the stream outside of the enclave. This way we can spawn a new thread whenever a message is received. The ws handshake handling (TLS cipher suite decision, authentication (SSL certificate) and key generation) will be done within the enclave. Therefore, even though the worker is in charge of forwarding the messages (from and to the enclave), it can not decipher it.. a necessary man in the middle so to say. I have not yet tested the thread spawning but I will do so next week.
A relatively poorly documented example can be found here:
I've tried to do a better job with the documentation, though I'm pretty sure the quality decreased over time:
If we go with option 2, we should probably provide some kind of interface or template for future implementations.. it's not really trivial to implement and uses up to 5 (?) different ecalls.
The text was updated successfully, but these errors were encountered: