Description
To upvote this issue, give it a thumbs up. See this list for the most upvoted issues.
Describe the bug
Environment
- Local Java version: zulu-17
- OS: Windows 11 using eca.exe
- Editor: Emacs
HTTPS connections work for some endpoints but fail for others when using the native-compiled executable. The same code works perfectly when running the JAR with Java 17.
Error: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Failing: Endpoints with RSA-4096 + TLS 1.3 certificates
Certificate details of failing endpoint
Subject: CN=api.xyz, O=xyz
Issuer: CN=DigiCert G5 TLS RSA4096 SHA384 2021 CA1
Public Key: RSA 4096 bit
Signature Algorithm: sha256WithRSAEncryption
TLS Version: TLSv1.3
Cipher Suite: TLS_AES_256_GCM_SHA384
Root cause hypothesis (LLM :-) )
The native image likely lacks necessary security providers for:
- TLS 1.3 support
- SHA-384 digest algorithm
- RSA-4096 public key handling
- AES-256-GCM cipher suite
When running as JAR, Java's JCE dynamically loads all security providers from $JAVA_HOME/lib/security/java.security. Native image compilation statically bundles only providers detected at build time.
Proposed fix
Add to native-image.properties:
--enable-https \
--enable-all-security-services \
-H:+JNI \
--initialize-at-build-time=sun.security.provider.NativePRNG
Alternatively, for more control:
--initialize-at-build-time=sun.security.jca.JCAUtil \
--initialize-at-build-time=javax.crypto.Cipher \
--initialize-at-run-time=sun.security.jca.Providers
Sorry that I can't give more detailed information or direct fixes. I'm not familiar with Java.
thx for your great work
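A diagnostic for comparing the JAR and the native executable, added here as an example and not taken from the issue or the project's code: it probes the four JCA services named in the hypothesis and lists the default trust anchors that PKIX path building can chain to. The class name `TlsDiag` and the default filter string `digicert` (taken from the issuer shown above) are assumptions.

```java
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added diagnostic (hypothetical class name), not part of the project.
public class TlsDiag {
    interface Probe { Object get() throws Exception; }

    // Reports whether a JCA service resolves, and from which provider.
    static boolean probe(String label, Probe p) {
        try {
            System.out.println("OK    " + label + " -> " + p.get());
            return true;
        } catch (Exception e) {
            System.out.println("FAIL  " + label + " -> " + e);
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // The four items listed in the hypothesis. The RSA probe checks that
        // the algorithm is available; it does not exercise a 4096-bit key.
        probe("TLSv1.3", () -> SSLContext.getInstance("TLSv1.3").getProvider());
        probe("SHA-384", () -> MessageDigest.getInstance("SHA-384").getProvider());
        probe("RSA", () -> KeyFactory.getInstance("RSA").getProvider());
        probe("AES/GCM", () -> Cipher.getInstance("AES/GCM/NoPadding").getProvider());

        // Default trust anchors: the roots a server chain must lead to.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the default trust store
        String needle = args.length > 0 ? args[0].toLowerCase() : "digicert";
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            X509Certificate[] roots = ((X509TrustManager) tm).getAcceptedIssuers();
            System.out.println("trust anchors: " + roots.length);
            for (X509Certificate c : roots) {
                String dn = c.getSubjectX500Principal().getName();
                if (dn.toLowerCase().contains(needle)) System.out.println("  " + dn);
            }
        }
    }
}
```

Run it once on the JVM and once as a native image built from the same JDK, then diff the two outputs: a `FAIL` line points at a missing service, while a difference in the anchor list points at the trust store.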