gRPC Netty with TLS failing on Android API < 24


What version of gRPC-Java are you using?

The current latest: 1.31.1, although it’s probably present in earlier versions.

What is your environment?

Android

What did you expect to see?

Being able to use NettyChannelBuilder with TLS negotiation type on Android devices with API levels 16+.

What did you see instead?

The client crashes with the following error on Android devices under API 24:

java.lang.NoSuchMethodError: No virtual method setEndpointIdentificationAlgorithm(Ljava/lang/String;)V in class Ljavax/net/ssl/SSLParameters; or its super classes (declaration of 'javax.net.ssl.SSLParameters' appears in /system/framework/core-libart.jar)"

This is the offending call: https://github.com/grpc/grpc-java/blob/master/netty/src/main/java/io/grpc/netty/ProtocolNegotiators.java#L350

SSLParameters#setEndpointIdentificationAlgorithm is only available in Android 24+.

Steps to reproduce the bug

Create a gRPC Netty client with a TLS connection and try connecting to a server. Example:

TestServiceGrpc.newStub(
    NettyChannelBuilder
        .forAddress(InetSocketAddress("0.0.0.0", 1234))
        .useTransportSecurity()
        .build()
)

Issue Analytics

  • State: open
  • Created 3 years ago
  • Reactions: 1
  • Comments: 6 (3 by maintainers)

Top GitHub Comments

1 reaction
sdsantos commented, Sep 3, 2020

Thanks for all the help. Might be worth adding these gotchas to the documentation. At least that client-side gRPC Netty is not working right now on Android API < 24.

1 reaction
ericgribkoff commented, Sep 2, 2020

@gnarea Great, thanks for the update.

We’re switching to OkHTTP since that’s what you recommend on Android anyway. That channel doesn’t call setEndpointIdentificationAlgorithm but presumably OkHTTP does because the host name is verified.

Correct, the OkHttp code was developed well before API 24, so hostname validation is done “manually” in the OkHttp code path itself.
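The two hostname-verification paths discussed in this thread, as an added example (not grpc-java or OkHttp code): built-in endpoint identification is enabled where SSLParameters#setEndpointIdentificationAlgorithm exists, and otherwise the name is checked after the handshake. The class and method names are hypothetical, and the fallback assumes Android's default HostnameVerifier, which performs a real check there.

```java
import java.io.IOException;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Hypothetical helper for illustration; not part of grpc-java or OkHttp.
public final class VerifiedTlsSocket {
    // True when the platform has SSLParameters#setEndpointIdentificationAlgorithm
    // (per the issue above, Android API 24+).
    static boolean hasEndpointIdentification() {
        try {
            SSLParameters.class.getMethod("setEndpointIdentificationAlgorithm", String.class);
            return true;
        } catch (NoSuchMethodException e) {
            return false;
        }
    }

    public static SSLSocket connect(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        try {
            boolean builtIn = hasEndpointIdentification();
            if (builtIn) {
                // The TLS stack checks the certificate against `host` during the handshake.
                SSLParameters params = socket.getSSLParameters();
                params.setEndpointIdentificationAlgorithm("HTTPS");
                socket.setSSLParameters(params);
            }
            socket.startHandshake(); // validates the certificate chain
            if (!builtIn) {
                // Older platform: the chain is trusted but the name is unchecked, so verify it here.
                HostnameVerifier verifier = HttpsURLConnection.getDefaultHostnameVerifier();
                if (!verifier.verify(host, socket.getSession())) {
                    throw new SSLPeerUnverifiedException("Certificate does not match " + host);
                }
            }
            return socket;
        } catch (IOException | RuntimeException e) {
            socket.close(); // fail closed: never hand back an unverified socket
            throw e;
        }
    }
}
```

The method lookup is done reflectively so the guarded call site is never executed on platforms that lack the method, which avoids the NoSuchMethodError reported above.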
