GraalVM Native Image HTTPS Support
GraalVM 1.0.0-RC7 adds HTTPS as a supported protocol, and this is a brief walkthrough for using it in a Clojure project with GraalVM Community Edition for macOS. See this example project for a demo.
How To
- Enable HTTPS protocol support with native-image options: --enable-https or --enable-url-protocols=https
- Configure path to libsunec (Sun Elliptic Curve crypto)
  This shared object comes with the GraalVM distribution and can be found at $GRAALVM_HOME/jre/lib/libsunec.[so|dylib]. GraalVM uses System.loadLibrary to load it at run-time whenever it’s first used. The file must either be in the current working directory, or in a path specified in the Java system property java.library.path.
  I set the Java system property inside my application at run-time before first usage:
    (System/setProperty "java.library.path" (str (System/getenv "GRAALVM_HOME") "/jre/lib"))
  See this and this for more information on HTTPS support in GraalVM and native images. If you’re distributing a native image, you’ll need to include libsunec. If it’s in the same directory as your image you don’t need to set java.library.path.
  You’ll see a warning at run-time if this hasn’t been properly configured:
    WARNING: The sunec native library could not be loaded.
- Use more complete certificate store
  GraalVM comes with a smaller set of CA certificates. For reasons they cannot yet distribute the Oracle JDK root certificates. You can work around this by replacing GraalVM’s cacerts. I renamed the file and replaced it with a symbolic link to cacerts from the JRE that comes with macOS Mojave:
    $ mv $GRAALVM_HOME/jre/lib/security/cacerts $GRAALVM_HOME/jre/lib/security/cacerts.bak
    $ ln -s $(/usr/libexec/java_home)/jre/lib/security/cacerts $GRAALVM_HOME/jre/lib/security/cacerts
  If you don’t do this, you might see such horrors as this when attempting HTTPS connections:
    Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    8<------------------------
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    8<------------------------
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
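The libsunec lookup and the cacerts swap above, wrapped as shell helpers (an added example, not code from the original post or from GraalVM). The function names are hypothetical and the paths follow the layout given on this page. Unlike the bare mv/ln pair, running the swap a second time does not move the symlink over cacerts.bak and lose GraalVM's original trust store.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; paths are those on this page.

# Print the path to libsunec under a GraalVM home, or fail if it is absent.
find_libsunec() {
    for ext in so dylib; do
        if [ -f "$1/jre/lib/libsunec.$ext" ]; then
            printf '%s\n' "$1/jre/lib/libsunec.$ext"
            return 0
        fi
    done
    echo "libsunec not found under $1/jre/lib" >&2
    return 1
}

# Replace GraalVM's cacerts ($1 = GraalVM home) with a symlink to the trust
# store at $2. Safe to re-run: an existing backup is never overwritten.
swap_cacerts() {
    store="$1/jre/lib/security/cacerts"
    src=$2
    if [ ! -s "$src" ]; then
        echo "source trust store missing or empty: $src" >&2
        return 1
    fi
    if [ -L "$store" ]; then
        rm "$store"            # already swapped: repoint, keep the backup
    elif [ -e "$store" ]; then
        if [ -e "$store.bak" ]; then
            echo "refusing to overwrite existing backup $store.bak" >&2
            return 1
        fi
        mv "$store" "$store.bak"
    fi
    ln -s "$src" "$store"
    [ -s "$store" ]            # the link must resolve to a non-empty file
}

# Put GraalVM's original trust store back ($1 = GraalVM home).
restore_cacerts() {
    store="$1/jre/lib/security/cacerts"
    [ -f "$store.bak" ] || { echo "no backup at $store.bak" >&2; return 1; }
    rm -f "$store"
    mv "$store.bak" "$store"
}
```

Typical use is swap_cacerts "$GRAALVM_HOME" "$(/usr/libexec/java_home)/jre/lib/security/cacerts"; after the swap, the native image trusts exactly the CAs in the linked store.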