denizen

Reputation: 469

Dealing with TLS on gRPC

I am connecting to a server which has TLS support with SSL certs. I am getting an SSL handshake error on the Android app client. I also use useTransportSecurity() to deal with the TLS negotiation type. Is there any workaround to get away with this error without certificate pinning?

Error encountered:

Caused by: java.lang.RuntimeException: protocol negotiation failed
    at io.grpc.okhttp.OkHttpProtocolNegotiator.negotiate(OkHttpProtocolNegotiator.java:96)
    at io.grpc.okhttp.OkHttpProtocolNegotiator$AndroidNegotiator.negotiate(OkHttpProtocolNegotiator.java:147)
    at io.grpc.okhttp.OkHttpTlsUpgrader.upgrade(OkHttpTlsUpgrader.java:63)
    at io.grpc.okhttp.OkHttpClientTransport$2.run(OkHttpClientTransport.java:474)
    at io.grpc.internal.SerializingExecutor.run(SerializingExecutor.java:123)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1162)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:636)
    at java.lang.Thread.run(Thread.java:764)

And this is how I generate my channel:

import io.grpc.ManagedChannel;
import io.grpc.okhttp.OkHttpChannelBuilder;

ManagedChannel mChannel = OkHttpChannelBuilder.forAddress(host, port)
        .useTransportSecurity()   // TLS; ALPN (h2) is negotiated during this handshake
        .build();

Appreciate your time and help.

Upvotes: 0

Views: 3483

Answers (3)

denizen

Reputation: 469

Answering my own question.

This error comes from the ALPN TLS extension, which I needed my SSL endpoint to support. I was using NPN, and that is why I was unable to connect.

Posted by Carl Mastrangelo in grpc.io google groups

Upvotes: 0

Eric Anderson

Reputation: 26394

ALPN is failing during the TLS handshake, which prevents gRPC from negotiating HTTP/2. Either you aren't connecting to a gRPC / HTTP/2 server or your client's TLS library is too old.

Please review the SECURITY.md documentation. Namely, you probably want to "install" the Play Services Dynamic Security Provider into the runtime when your app starts.

Upvotes: 1
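To show the fix Eric describes in practice, here is an added example (not code from the original thread or from the gRPC project) that installs the Play Services security provider before building the same OkHttp channel as in the question. The class name and the refuse-to-downgrade policy are my own choices, and it assumes the app depends on the Play Services base library that provides ProviderInstaller.

```java
import android.content.Context;
import com.google.android.gms.common.GooglePlayServicesNotAvailableException;
import com.google.android.gms.common.GooglePlayServicesRepairableException;
import com.google.android.gms.security.ProviderInstaller;
import io.grpc.ManagedChannel;
import io.grpc.okhttp.OkHttpChannelBuilder;

/** Builds a TLS gRPC channel only after an ALPN-capable TLS provider is in place. */
public final class SecureChannelFactory {   // hypothetical helper, not a gRPC class

    private SecureChannelFactory() {}

    /**
     * Updates the platform security provider via Play Services before any TLS
     * socket is opened. On older Android releases the stock provider has no ALPN,
     * so the server never agrees to HTTP/2 and gRPC reports
     * "protocol negotiation failed".
     *
     * @return true if an ALPN-capable provider is installed, false if the device
     *         cannot be updated (the caller must not fall back to plaintext)
     */
    public static boolean ensureAlpnCapableProvider(Context context) {
        try {
            ProviderInstaller.installIfNeeded(context);
            return true;
        } catch (GooglePlayServicesRepairableException e) {
            // Play Services is present but outdated or disabled; the user can repair it.
            return false;
        } catch (GooglePlayServicesNotAvailableException e) {
            // No Play Services on this device, so no patched provider is available.
            return false;
        }
    }

    /** The same channel as in the question, created only once ALPN support is confirmed. */
    public static ManagedChannel buildChannel(Context context, String host, int port) {
        if (!ensureAlpnCapableProvider(context)) {
            throw new IllegalStateException(
                "TLS provider without ALPN support; refusing to open gRPC channel to " + host);
        }
        return OkHttpChannelBuilder.forAddress(host, port)
                .useTransportSecurity()   // TLS stays mandatory; never swap in usePlaintext()
                .build();
    }
}
```

Call ensureAlpnCapableProvider() from application start-up (or the async variant, installIfNeededAsync, if blocking the main thread is a concern) so the provider is patched before the first channel is built.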

Martin Zeitler

Reputation: 76569

It might rather be a matter of how you create the server; see SECURITY.md for Mutual TLS ...

// Server-side mutual TLS: clients must present a certificate chaining to clientCAsFile.
Server server = NettyServerBuilder.forPort(8443)
    .sslContext(GrpcSslContexts.forServer(certChainFile, privateKeyFile)
        .trustManager(clientCAsFile)
        .clientAuth(ClientAuth.REQUIRE)
        .build())    // builds the SslContext
    .build();        // builds the Server

Upvotes: 0
