A port of the SSL module of Apache to Intel SGX. The performance penalty is around 90% of the normal module.
I highly recommend the use of my custom OpenSSL Engine for the following reasons:
- Almost no performance penalty relative to the normal implementation
- Private keys are still kept private
- Easier to keep the SSL module up to date
- Not limited to a single process
- Not reliant on WolfSSL's compatibility with OpenSSL

One big advantage of this version is that it keeps the TLS termination inside the enclave. This might not be relevant in most contexts, however, because an attacker with access to the machine can, for example, inspect the contents of the sent and received messages on the read and write handles of Apache.

- An Intel SGX capable CPU
- Intel(R) Software Guard Extensions for Linux* OS
- WolfSSL compiled for SGX
- Patch WolfSSL with the following changes
- OpenSSL 1.1+
- Download and Compile WolfSSL for SGX with supplied changes
- Set WolfSSL_ROOT to the root of WolfSSL folder
- Edit `Apache_Include_Paths` in the file `sgx_u.mk` so that it points to the include dir of Apache.
- Run `make` in the root of this git
- Copy the `mod_ssl_sgx.so` binary to the modules folder in apache
- Copy the enclave file `Enclave.signed.so` to the same folder as the apache binary