[GR-52698] Cannot run SSL debug logs with GraalVM native image #8564

Closed
TharmiganK opened this issue Mar 13, 2024 · 7 comments

TharmiganK commented Mar 13, 2024

Describe the issue

I am trying to enable SSL debug logs by providing the -Djavax.net.debug=ssl flag with the native executable. But I am not getting any SSL logs.

Steps to reproduce the issue

  1. Download the zip file from this link.

  2. Unzip the package

  3. Build the native executable for the https_client.jar in the target/bin directory.

     $ native-image -jar target/bin/https_client.jar --no-fallback -H:Path=target/bin

  4. Run the https_service.jar with SSL debug logs:

     $ java -Djavax.net.debug=ssl -jar ./target/bin/https_server.jar

  5. Run the client native executable with SSL debug logs:

     $ ./target/bin/https_client -Djavax.net.debug=ssl

Describe GraalVM and your environment:

  • GraalVM version : CE 17.0.9+9.1
  • JDK major version: 17
  • OS: macOS Sonoma
  • Architecture: ARM64

$ native-image --version

native-image 17.0.9 2023-10-17
GraalVM Runtime Environment GraalVM CE 17.0.9+9.1 (build 17.0.9+9-jvmci-23.0-b22)
Substrate VM GraalVM CE 17.0.9+9.1 (build 17.0.9+9, serial gc)

More details

Related slack thread: https://graalvm.slack.com/archives/CN9KSFB40/p1710326823711189?thread_ts=1710171443.562749&cid=CN9KSFB40

Tried to initialise sun.security.ssl.SSLLogger at runtime, but it did not work; the following error is returned:

$ native-image -jar target/bin/https_client.jar --no-fallback --initialize-at-run-time=sun.security.ssl.SSLLogger -H:+ReportExceptionStackTraces -H:Path=target/bin
Error: Incompatible change of initialization policy for sun.security.ssl.SSLLogger: trying to change RUN_TIME from command line with 'sun.security.ssl.SSLLogger' to RERUN for reading properties at run time
com.oracle.svm.core.util.UserError$UserException: Incompatible change of initialization policy for sun.security.ssl.SSLLogger: trying to change RUN_TIME from command line with 'sun.security.ssl.SSLLogger' to RERUN for reading properties at run time
        at org.graalvm.nativeimage.builder/com.oracle.svm.core.util.UserError.abort(UserError.java:73)
        at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.classinitialization.ClassInitializationConfiguration.insertRec(ClassInitializationConfiguration.java:103)
        at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.classinitialization.ClassInitializationConfiguration.insertRec(ClassInitializationConfiguration.java:117)
        at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.classinitialization.ClassInitializationConfiguration.insertRec(ClassInitializationConfiguration.java:117)
        at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.classinitialization.ClassInitializationConfiguration.insertRec(ClassInitializationConfiguration.java:117)
        at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.classinitialization.ClassInitializationConfiguration.insertRec(ClassInitializationConfiguration.java:117)
        at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.classinitialization.ClassInitializationConfiguration.insert(ClassInitializationConfiguration.java:64)
        at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.classinitialization.ProvenSafeClassInitializationSupport.rerunInitialization(ProvenSafeClassInitializationSupport.java:162)
        at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.SecurityServicesFeature.lambda$duringSetup$1(SecurityServicesFeature.java:309)
        at java.base/java.util.Optional.ifPresent(Optional.java:178)
        at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.SecurityServicesFeature.duringSetup(SecurityServicesFeature.java:309)
        at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.NativeImageGenerator.lambda$setupNativeImage$16(NativeImageGenerator.java:938)
        at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.FeatureHandler.forEachFeature(FeatureHandler.java:89)
        at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.NativeImageGenerator.setupNativeImage(NativeImageGenerator.java:938)
        at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.NativeImageGenerator.doRun(NativeImageGenerator.java:579)
        at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.NativeImageGenerator.run(NativeImageGenerator.java:539)
        at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.NativeImageGeneratorRunner.buildImage(NativeImageGeneratorRunner.java:408)
        at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.NativeImageGeneratorRunner.build(NativeImageGeneratorRunner.java:612)
        at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.NativeImageGeneratorRunner.start(NativeImageGeneratorRunner.java:134)
        at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.NativeImageGeneratorRunner.main(NativeImageGeneratorRunner.java:94)

TharmiganK added the bug label Mar 13, 2024
fernando-valdez self-assigned this Mar 14, 2024
fernando-valdez changed the title from "Cannot run SSL debug logs with GraalVM native image" to "[GR-52698] Cannot run SSL debug logs with GraalVM native image" Mar 14, 2024

@fernando-valdez
Member

Created internal ticket: GR-52698

@fernando-valdez
Member

Hello @TharmiganK, please try to replace --initialize-at-run-time=sun.security.ssl.SSLLogger with --initialize-at-build-time=sun.security.ssl.SSLLogger and share your result

@TharmiganK
Author

> Hello @TharmiganK, please try to replace --initialize-at-run-time=sun.security.ssl.SSLLogger with --initialize-at-build-time=sun.security.ssl.SSLLogger and share your result

@fernando-valdez Getting a similar error: (This is with GraalVM CE 17.0.9+9.1)

$ native-image -jar target/bin/https_client.jar --no-fallback -H:Path=target/bin --initialize-at-build-time=sun.security.ssl.SSLLogger -H:+ReportExceptionStackTraces

========================================================================================================================
GraalVM Native Image: Generating 'https_client' (executable)...
========================================================================================================================
[1/8] Initializing...
                                                                                    (0.0s @ 0.19GB)
Error: Incompatible change of initialization policy for sun.security.ssl.SSLLogger: trying to change BUILD_TIME from command line with 'sun.security.ssl.SSLLogger' to RERUN for reading properties at run time
com.oracle.svm.core.util.UserError$UserException: Incompatible change of initialization policy for sun.security.ssl.SSLLogger: trying to change BUILD_TIME from command line with 'sun.security.ssl.SSLLogger' to RERUN for reading properties at run time
        at org.graalvm.nativeimage.builder/com.oracle.svm.core.util.UserError.abort(UserError.java:73)
        at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.classinitialization.ClassInitializationConfiguration.insertRec(ClassInitializationConfiguration.java:103)
        at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.classinitialization.ClassInitializationConfiguration.insertRec(ClassInitializationConfiguration.java:117)
        at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.classinitialization.ClassInitializationConfiguration.insertRec(ClassInitializationConfiguration.java:117)
        at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.classinitialization.ClassInitializationConfiguration.insertRec(ClassInitializationConfiguration.java:117)
        at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.classinitialization.ClassInitializationConfiguration.insertRec(ClassInitializationConfiguration.java:117)
        at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.classinitialization.ClassInitializationConfiguration.insert(ClassInitializationConfiguration.java:64)
        at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.classinitialization.ProvenSafeClassInitializationSupport.rerunInitialization(ProvenSafeClassInitializationSupport.java:162)
        at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.SecurityServicesFeature.lambda$duringSetup$1(SecurityServicesFeature.java:309)
        at java.base/java.util.Optional.ifPresent(Optional.java:178)
        at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.SecurityServicesFeature.duringSetup(SecurityServicesFeature.java:309)
        at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.NativeImageGenerator.lambda$setupNativeImage$16(NativeImageGenerator.java:938)
        at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.FeatureHandler.forEachFeature(FeatureHandler.java:89)
        at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.NativeImageGenerator.setupNativeImage(NativeImageGenerator.java:938)
        at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.NativeImageGenerator.doRun(NativeImageGenerator.java:579)
        at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.NativeImageGenerator.run(NativeImageGenerator.java:539)
        at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.NativeImageGeneratorRunner.buildImage(NativeImageGeneratorRunner.java:408)
        at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.NativeImageGeneratorRunner.build(NativeImageGeneratorRunner.java:612)
        at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.NativeImageGeneratorRunner.start(NativeImageGeneratorRunner.java:134)
        at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.NativeImageGeneratorRunner.main(NativeImageGeneratorRunner.java:94)
------------------------------------------------------------------------------------------------------------------------
                        0.5s (9.2% of total time) in 17 GCs | Peak RSS: 0.68GB | CPU load: 2.84
========================================================================================================================
Finished generating 'https_client' in 4.7s.

@TharmiganK
Author

@fernando-valdez any update on this issue?

@aanavaneeth

Is there any issue with features leveraging jvm arguments in general? I am facing Kerberos related issue which depends on a jvm argument. #8674

@TharmiganK
Author

@fernando-valdez Any update on this issue? This is required to debug production issues with GraalVM native images?

@gingk1212

When I tested using the following code, it seemed that -Djavax.net.debug=ssl was working in my environment (Linux x64).

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URI;
import java.net.URL;

public class SSLDebugSample {
  public static void main(String[] args) {
    try {
      URL url = URI.create("https://www.example.com").toURL();
      HttpURLConnection connection = (HttpURLConnection) url.openConnection();
      connection.setRequestMethod("GET");
      try (BufferedReader in =
          new BufferedReader(new InputStreamReader(connection.getInputStream()))) {
        while (in.readLine() != null);
      }
      System.out.println("Request completed successfully.");
    } catch (Exception e) {
      e.printStackTrace();
    }
  }
}

Command:

$ javac SSLDebugSample.java
$ native-image SSLDebugSample --enable-url-protocols=https --no-fallback
$ ./ssldebugsample -Djavax.net.debug=ssl
javax.net.ssl|DEBUG|10|main|2025-01-15 01:19:57.293 JST|Utilities.java:74|the previous server name in SNI (type=host_name (0), value=www.example.com) was replaced with (type=host_name (0), value=www.example.com)
javax.net.ssl|DEBUG|10|main|2025-01-15 01:19:57.420 JST|SSLCipher.java:1870|KeyLimit read side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|10|main|2025-01-15 01:19:57.420 JST|SSLCipher.java:2024|KeyLimit write side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|10|main|2025-01-15 01:19:57.422 JST|SSLCipher.java:1870|KeyLimit read side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|10|main|2025-01-15 01:19:57.422 JST|SSLCipher.java:2024|KeyLimit write side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
Request completed successfully.

With no flag:

$ ./ssldebugsample
Request completed successfully.

Version:

$ java -version
java version "17.0.13" 2024-10-15 LTS
Java(TM) SE Runtime Environment Oracle GraalVM 17.0.13+10.1 (build 17.0.13+10-LTS-jvmci-23.0-b49)
Java HotSpot(TM) 64-Bit Server VM Oracle GraalVM 17.0.13+10.1 (build 17.0.13+10-LTS-jvmci-23.0-b49, mixed mode, sharing)

I hope this information is helpful!
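
A parser for the JSSE debug records quoted in the comment above, added here as an example and not part of the original thread or of GraalVM: it folds continuation lines such as `countdown value = ...` into the preceding record and reports whether a run produced any records, which is the with-flag/without-flag comparison made above. It assumes the input is the captured stderr of the executable; the function names are hypothetical and the sample records are copied from the output above.

```python
from collections import Counter
from typing import NamedTuple


class JsseRecord(NamedTuple):
    logger: str
    level: str
    thread_id: str
    thread_name: str
    timestamp: str
    caller: str   # "File.java:line"
    message: str  # may span several lines


PREFIX = "javax.net.ssl|"

# Sample input: three records copied from the output quoted in the comment above.
SAMPLE_WITH_FLAG = """\
javax.net.ssl|DEBUG|10|main|2025-01-15 01:19:57.293 JST|Utilities.java:74|the previous server name in SNI (type=host_name (0), value=www.example.com) was replaced with (type=host_name (0), value=www.example.com)
javax.net.ssl|DEBUG|10|main|2025-01-15 01:19:57.420 JST|SSLCipher.java:1870|KeyLimit read side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|10|main|2025-01-15 01:19:57.420 JST|SSLCipher.java:2024|KeyLimit write side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
"""
SAMPLE_NO_FLAG = ""  # assumption: stderr of a run without the flag is empty


def parse_jsse_debug(stderr_text: str) -> list[JsseRecord]:
    """Split captured stderr into records, folding continuation lines."""
    records: list[JsseRecord] = []
    for line in stderr_text.splitlines():
        fields = line.split("|", 6)  # maxsplit: the message may contain '|'
        if line.startswith(PREFIX) and len(fields) == 7:
            records.append(JsseRecord(*fields))
        elif records:
            last = records[-1]
            records[-1] = last._replace(message=last.message + "\n" + line)
        # Lines before the first record are not JSSE output and are skipped.
    return records


def debug_logging_active(stderr_text: str) -> bool:
    """True if the run emitted at least one JSSE debug record."""
    return len(parse_jsse_debug(stderr_text)) > 0


def records_per_source(records: list[JsseRecord]) -> Counter:
    """Count records by the JDK source file that emitted them."""
    return Counter(r.caller.rsplit(":", 1)[0] for r in records)
```

Capture the input with `./ssldebugsample -Djavax.net.debug=ssl 2> ssl.log` so that application output on stdout is not folded into a record as a continuation line.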
