Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Default ssl context does not seem to be available in the native binary image #205

Open
mqw opened this issue May 30, 2019 · 2 comments
Open

Default ssl context does not seem to be available in the native binary image #205

mqw opened this issue May 30, 2019 · 2 comments
Assignees
@acogoluegnes
Labels
native-binary

Comments

@mqw
Copy link

mqw commented May 30, 2019

Hey, I can not get the binary to work with ssl, tried without --use-default-ssl-context also
# ./perf-test_linux_x86_64 --use-default-ssl-context -h 'amqps://user:pass@rabbit_host:5671/test_host?ssl_options=%7B%27certfile%27%3A+%27%2Froot%2Fcerts%2Fca_certificate.pem%27%2C+%27keyfile%27%3A+%27%2Froot%2Fcerts%2Fca_key.pem%27%7D' Main thread caught exception: java.security.NoSuchAlgorithmException: Default SSLContext not available [main] ERROR com.rabbitmq.perf.PerfTest - Main thread caught exception java.security.NoSuchAlgorithmException: Default SSLContext not available at sun.security.jca.GetInstance.getInstance(GetInstance.java:159) at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156) at javax.net.ssl.SSLContext.getDefault(SSLContext.java:96) at com.rabbitmq.perf.PerfTest.getSslContextIfNecessary(PerfTest.java:419) at com.rabbitmq.perf.PerfTest.main(PerfTest.java:216) at com.rabbitmq.perf.PerfTest.main(PerfTest.java:408) at com.rabbitmq.perf.NativePerfTest.main(NativePerfTest.java:26)
Am I missing something here?
@acogoluegnes
Copy link
Collaborator

There hasn't been testing yet with native image and TLS. Considering the binary is statically built, it's not surprising TLS-related classes are not added automatically. I haven't studied GraalVM and TLS yet, hopefully there's some sort of support for it.

My suggestion would be to stick to the usual packaging or the Docker image for TLS support for now. Any suggestions or contributions are welcome.

@michaelklishin michaelklishin changed the title No default ssl context in binary Default ssl context does not seem to be available in the native binary image May 30, 2019
@acogoluegnes acogoluegnes self-assigned this Jun 4, 2019
@acogoluegnes
Copy link
Collaborator

acogoluegnes commented Jun 4, 2019
edited
Loading

Following up on this one. Most of the services provided by Java Cryptography Architecture (JCA) are not embedded by default in a native image. The --enable-all-security-services option can be used to change this and a PerfTest native binary built with this option manages to connect to RabbitMQ with TLS enabled. There are some caveats though:

  • the binary is now 25 MB instead of 15 MB.
  • the libsunec.so library (Sun Elliptic Curve crypto) must be available. Copying from GraalVM distribution to the same directory as the native image does the job.

The increased size is unfortunate but not dramatic. My main concern is the necessity to add a native library alongside the binary, which kind of kills the whole idea of a native, standalone binary.

So I was thinking of not adding TLS support yet to the native binary and adding this limitation into the documentation. Hopefully GraalVM's JCA support will improve and make it easier to use TLS without an extra native library. I already saw here and there some posts about experiments with other JCA providers than SunEC.

I keep this issue open for now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@acogoluegnes acogoluegnes

Labels
native-binary
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@acogoluegnes @mqw