Use SSLEngine.setApplicationProtocols() and SSLSocket.getApplicationProtocol() for Android Q #3980
Comments
|
For CloseGuard, we probably want to just delete the Android-specific overrides. We don’t particularly benefit from using CloseGuard instead of java.util.logging.Logger for configuration. |
|
@zjupure which version of OkHttp were you running? I couldn’t find the reflective call to |
|
the same problem hit me |
|
@swankjesse okhttp version in our app is 3.8.1 |
|
Strict mode now allows to have a stacktrace |
|
CloseGuard: https://issuetracker.google.com/issues/111149038 |
|
Nothing actionable here for now. |
I have these messages too. Google have filed an internal bug, so there will |
|
There is same problem .Any solution?
|
|
This is causing my app to hang about 900ms for the first https request, even though my call is made on a background thread. Is this normal? |
|
Are there any updates with ALPN methods? Are they going to be fixed? or don't? What is their status? Thanks! |
|
Google "deferred this issue for consideration in a future release" at Aug 10, 2018. I noticed the issue lately on Google Play's devices tests as part of the Beta channel Pre-launch report for a Google Pixel 2, Android 9. StrictMode policy violation: android.os.strictmode.NonSdkApiUsedViolation:
Ldalvik/system/CloseGuard;->warnIfOpen()V
at android.os.StrictMode.lambda$static$1(StrictMode.java:428)
at android.os.-$$Lambda$StrictMode$lu9ekkHJ2HMz0jd3F8K8MnhenxQ.accept(Unknown Source:2)
at java.lang.Class.getDeclaredMethodInternal(Native Method)
at java.lang.Class.getPublicMethodRecursive(Class.java:2075)
at java.lang.Class.getMethod(Class.java:2063)
at java.lang.Class.getMethod(Class.java:1690)
at okhttp3.internal.platform.AndroidPlatform$CloseGuard.get(AndroidPlatform.java:372)
at okhttp3.internal.platform.AndroidPlatform.<init>(AndroidPlatform.java:58)
at okhttp3.internal.platform.AndroidPlatform.buildIfSupported(AndroidPlatform.java:260)
at okhttp3.internal.platform.Platform.findPlatform(Platform.java:201)
at okhttp3.internal.platform.Platform.<clinit>(Platform.java:78)
at okhttp3.internal.platform.Platform.get(Platform.java:84)
at okhttp3.internal.tls.CertificateChainCleaner.get(CertificateChainCleaner.java:41)
at okhttp3.OkHttpClient$Builder.sslSocketFactory(OkHttpClient.java:694) |
|
From the issue:
And it looks like they’re here: |
swankjesse
changed the title
Any solution for this |
|
I suggest we close this ticket. We can adopt this for Android Q behind a version check, but it doesn't address all grey listed methods. Specifically we can't avoid OpenSSLSocketImpl.setUseSessionTickets and setHostname. n.b. We could make sure we are clean when users adopt either the Google Play Provider or Conscrypt. But that seems overkill and not likely to be adopted. |
|
I’d like to avoid reflection on Android devices that have public APIs for ALPN. And I’d like to keep this open but in the icebox for the closeguard stuff. |
|
Implications
https://developer.android.com/reference/android/net/SSLCertificateSocketFactory
https://docs.oracle.com/javase/9/docs/api/javax/net/ssl/SSLParameters.html
Plus calls to isCleartextTrafficPermitted variants based on Android version. I'm mostly confused about session tickets. Need to find an API here. |
|
thought experiment here https://github.com/square/okhttp/pull/5429/files Builds and passes Android device unit tests |
|
My rough plan would be to build an external module, targetted at JDK8 bytecode, but using Android (robolectric android-all JAR?) + JDK11 APIs (build JVM) with isAvailable methods etc. Strictly use this for all future APIs, such that okhttp can build and test against JDK8, but run with optional compiled functionality against Android Q etc. |
Did anyone find a solution for this? |
|
No short term plan if the usage of gray listed Android API is causing the delay. You should look into why there is a delay on those devices. You may want to make sure it's reported on the Google AOSP tickets, we can't fix those. I'm working on an approach to avoid most reflection, maybe for 4.3 or 4.4. But it won't avoid all calls Specifically we will always have OpenSSLSocketImpl.setUseSessionTickets done via reflection. The CloseGuard might be something we can make optional based on build mode. |
|
I cant believe that up until this day people who were making react-native apps were experiencing same problems on Android 9, or there are only 3 ppl worldwide who are still making react-native apps. There should be a way to bypass this issue somehow. |
|
If you are seeing the 900ms delay can you get some stacktraces or profiling of what it’s running during this time? It may be something we can trigger at better times (earlier before first active request) or we can avoid in other ways. |
|
I found out that my issue with errors was just a coincidence, right when I started testing my api endpoint Russian government decided to block my domain's CloudFlare proxy for no apparent reason. |
These APIs are used by okhttp which results in usage by a large number of apps. It's unclear if okhttp is the only user of these APIs. See also: square/okhttp#3980 Bug: 111170242 Test: m Change-Id: Ic84d417594a7b530292756527f5ea97d9f6b3c85
|
Regarding the methods of So some actions might need to be done before the final release for Android 11 (planned to be Q3 2020)? |
|
We should already be in a good spot for this. We now have clean code paths for Android, Conscrypt or the play provider. We can test ahead of the release and if needed introduce new version specific behaviour. |
|
@yschimke I see this issue is closed but I am still seeing these warnings. Do you have an update as to where this landed? |
I am also trying to figure out what this can be. Using react-native 0.62.2. |
|
This should be fixed in OkHttp 3.12.12 and 3.14.9 |
Same Problem |
|
@rajnish824 that's a benign warning that you can safely ignore. |
|
I have this problem , when I use retrofit and run app on Android 10 Accessing hidden method Ljava/lang/invoke/MethodHandles$Lookup;->(Ljava/lang/Class;I)V (greylist, reflection, allowed) 24808-24808 W/outinestutoria: Accessing hidden method Lcom/android/org/conscrypt/OpenSSLSocketImpl;->setHostname(Ljava/lang/String;)V (greylist,core-platform-api, reflection, allowed) 24808-24808 W/outinestutoria: Accessing hidden method Lcom/android/org/conscrypt/OpenSSLSocketImpl;->getAlpnSelectedProtocol()[B (greylist,core-platform-api, reflection, allowed) 24808-24808 W/outinestutoria: Accessing hidden method Lcom/android/org/conscrypt/OpenSSLSocketImpl;->setAlpnProtocols([B)V (greylist,core-platform-api, reflection, allowed) 24808-24808 W/outinestutoria: Accessing hidden method Ldalvik/system/CloseGuard;->get()Ldalvik/system/CloseGuard; (greylist,core-platform-api, reflection, allowed) |
am getting the same issue while using 'com.squareup.retrofit2:retrofit:2.9.0' |
am getting the same issue while using 'com.squareup.retrofit2:retrofit:2.9.0' |
|
Those are warnings that are unavoidable, Android changes their policies over time and we build to support a wide range of Android versions. Nothing to do here. |
|
actually it is kind of Error not warning, It doesn't work on android 10 or above. I have no problem with Android api 26. I think it is comes form Non SDK libs. |
|
@Mohammad2416 are you running with 3.12.12 or 4.9.0? If not please upgrade, it does work with these versions so likely a problem or an old version. |
|
@yschimke thank you for follow up this Issue , the versions which i used are here :
|
|
Let's continue the discussion on stackoverflow |
okhttp use some reflection to config the network, such as ALPN, when run in android P, system will logcat the warning in the logcat.
see https://developer.android.com/preview/restrictions-non-sdk-interfaces.html for Android P behavior change
We look through okhttp source, and found the reflection are all in
AndroidPlatform.java.okhttp has some solution or workaround not to reflet system non-open api?
The text was updated successfully, but these errors were encountered: