Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Firestore can not connect to server when using firebase-firestore and firebase-inappmessaging-display in same project in KitKAT #244

Closed
rakeshdausa opened this issue Feb 15, 2019 · 17 comments
Assignees

Comments

@rakeshdausa
Copy link

rakeshdausa commented Feb 15, 2019

Hi,
I am using firestore in my project from last 3 months and it was working perfectly in All Kitkat devices but now i Integrated firebase-inappmessaging-display also and firestore stops working in kitkat devices with following error

W/Firestore: (0.6.6-dev) [OnlineStateTracker]: Could not reach Cloud Firestore backend. Connection failed 1 times. Most recent error: Status{code=UNAVAILABLE, description=null, cause=javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x5d404a18: Failure in SSL library, usually a protocol error
    error:140740B5:SSL routines:SSL23_CLIENT_HELLO:no ciphers available (external/openssl/ssl/s23_clnt.c:486 0x5d465d74:0x00000000)
        at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:448)
        at io.grpc.okhttp.OkHttpProtocolNegotiator.negotiate(OkHttpProtocolNegotiator.java:92)
        at io.grpc.okhttp.OkHttpProtocolNegotiator$AndroidNegotiator.negotiate(OkHttpProtocolNegotiator.java:147)
        at io.grpc.okhttp.OkHttpTlsUpgrader.upgrade(OkHttpTlsUpgrader.java:63)
        at io.grpc.okhttp.OkHttpClientTransport$2.run(OkHttpClientTransport.java:474)
        at io.grpc.internal.SerializingExecutor.run(SerializingExecutor.java:123)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)
        at java.lang.Thread.run(Thread.java:841)
     Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x5d404a18: Failure in SSL library, usually a protocol error
    error:140740B5:SSL routines:SSL23_CLIENT_HELLO:no ciphers available (external/openssl/ssl/s23_clnt.c:486 0x5d465d74:0x00000000)
        at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
        at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:405)
        	... 8 more
    }

following are the dependencies that I am using,

// Add the In-App Messaging dependency:
    implementation 'com.google.firebase:firebase-inappmessaging-display:17.0.5'
    implementation 'com.google.firebase:firebase-core:16.0.7'
    implementation 'com.google.firebase:firebase-auth:16.1.0'
    implementation 'com.google.firebase:firebase-analytics:16.3.0'
    implementation 'com.google.firebase:firebase-firestore:18.0.1'
    implementation 'com.google.firebase:firebase-storage:16.0.5'
    implementation 'com.google.firebase:firebase-dynamic-links:16.1.7'
    implementation 'com.google.firebase:firebase-messaging:17.3.4'
    implementation 'com.google.firebase:firebase-config:16.3.0'
@samtstern
Copy link
Contributor

@rakeshdausa Does Firestore fail 100% of the time for you? And if you remove Firebase In-App Messaging does the Firestore connection work immediately?

@rsgowman
Copy link
Member

I'm able to reproduce this. (I took the firestore quickstart, added "implementation 'com.google.firebase:firebase-inappmessaging-display:17.0.5'" and ran on a kitkat emulator. Once fiam is added, the firestore connection fails with the above stacktrace. The issue does not occur on my oreo emulator.)

@rsgowman rsgowman self-assigned this Feb 15, 2019
@samtstern
Copy link
Contributor

@rsgowman FIAM is built on OkHTTP while Firestore uses gRPC, could it be that those two share a common dependency and FIAM is pulling in the wrong version?

@rsgowman
Copy link
Member

Nothing immediately jumps out. Both depend on "com.squareup.okhttp:okhttp:2.7.5". Firestore additionally depends on some grpc components (1.16.1). But it's a good bet that somewhere around there is where the problem is.

Tracing through the code on a K emulator (and an L emulator, which works fine), I can see that all ssl connections end up going to io.grpc.okhttp.OkHttpProtocolNegotiator. In the negotiate() method, they both call sslSocket.startHandshake(). On K, this fails with the stacktrace. On L this succeeds. On K, both the FIAM and Firestore connections fail, so it's not just Firestore that's broken.

@rakeshdausa
Copy link
Author

@rakeshdausa Does Firestore fail 100% of the time for you? And if you remove Firebase In-App Messaging does the Firestore connection work immediately?

Yes

@rakeshdausa
Copy link
Author

Hey, Is there any way so I can just use both inappmessaging and firestore with some dependency exclude?

@rsgowman
Copy link
Member

Hi @rakeshdausa; Sorry about the slow response. This was a rather involved issue. The good news is that I think we've finally tracked down the root cause... But the bad news is that we don't have a solution just yet. I'll update here again as soon as I have more info.

@rsgowman
Copy link
Member

Ok; we've got this figured out. We'll work on getting a fix ready, but in the meantime, I've got a workaround that you can use to unblock yourself. I wouldn't recommend using this in a production app (at least, not without a little more cleanup) but it should be fine for development purposes.

The underlying issue is that Firestore and Functions can't agree as to which ciphers should be used. (Hence 'no ciphers available' in the stack trace.) We can fix that by overriding the set of ciphers that they use. One minor catch: Since firebase-inappmessaging gets loaded quite early, we need to set things up such that we do this override even earlier. We can use a ContentProvider for that.

  1. Create a ContentProvider that overrides the ciphers used via the ProviderInstaller.installIfNeeded() method:
package com.example.your.package.here;  

import android.content.ContentProvider;
import android.content.ContentValues;
import android.database.Cursor;
import android.net.Uri;
import android.support.annotation.Nullable;
import com.google.android.gms.security.ProviderInstaller;

public class TemporaryProviderInstallerProvider extends ContentProvider {

    @Override
    public boolean onCreate() {
        try {
            ProviderInstaller.installIfNeeded(getContext());
        } catch (Exception e) {
            throw new RuntimeException(e);
        }

        return false;
    }

    /* The rest of the methods in this class are irrelevant and are only present to satisfy the abstract class requirements. */

    @Nullable
    @Override
    public Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder) {
        return null;
    }

    @Nullable
    @Override
    public String getType(Uri uri) {
        return null;
    }

    @Nullable
    @Override
    public Uri insert(Uri uri, ContentValues values) {
        return null;
    }

    @Override
    public int delete(Uri uri, String selection, String[] selectionArgs) {
        return 0;
    }

    @Override
    public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) {
        return 0;
    }
}
  1. Alter your AndroidManifests.xml to use this new provider:
<manifest ...>
    <application ...>
        <activity ...>
        </activity>

        ...

        <!-- Add this block -->
        <provider
            android:name="com.example.your.package.here.TemporaryProviderInstallerProvider"
            android:authorities="${applicationId}.temporaryproviderinstallerprovider"
            android:exported="false"
            android:initOrder="101"/>  <!-- must be greater than 100 -->

    </application>
</manifest>

That should do the trick. This should only be necessary for KitKat (and possibly earlier, though I haven't verified) though should be harmless on more recent versions.

This workaround largely depends on certain implementation details within Firebase as a whole, so it's not necessarily guaranteed to work going forward. So the best approach is to use this for now for development purposes, but then back it out once we've this fixed in our sdks. I'll keep this issue open, and then will post back here once we've done that.

Anyways, give this a try, and let me know if it works for you.

@wilhuff
Copy link
Contributor

wilhuff commented Mar 12, 2019

This will be fixed in a future release of In-App Messaging.

@rsgowman
Copy link
Member

This was fixed in version 17.1.1 of In-App Messaging, released 2019-03-27.

https://firebase.google.com/support/release-notes/android

@laszlo-major
Copy link

This fix actually manages to break crypto on Android 5.0 (probably 4.4) for other uses.

E/NativeCrypto: Could not sign message in EcdsaMethodDoSign!
A/art: art/runtime/check_jni.cc:65] JNI DETECTED ERROR IN APPLICATION: JNI FindClass called with pending exception 'java.lang.UnsupportedOperationException' thrown in unknown throw location
art/runtime/check_jni.cc:65] in call to FindClass
art/runtime/check_jni.cc:65] from byte[] com.google.android.gms.org.conscrypt.NativeCrypto.EVP_DigestSignFinal(com.google.android.gms.org.conscrypt.NativeRef$EVP_MD_CTX)
art/runtime/check_jni.cc:65] "main" prio=5 tid=1 Runnable
art/runtime/check_jni.cc:65] | group="main" sCount=0 dsCount=0 obj=0x743a3000 self=0xb5107800
art/runtime/check_jni.cc:65] | sysTid=5345 nice=-4 cgrp=apps sched=0/0 handle=0xb6fcfec8
art/runtime/check_jni.cc:65] | state=R schedstat=( 1447183733 209404692 1098 ) utm=126 stm=18 core=3 HZ=100
art/runtime/check_jni.cc:65] | stack=0xbe093000-0xbe095000 stackSize=8MB
art/runtime/check_jni.cc:65] | held mutexes= "mutator lock"(shared held)
art/runtime/check_jni.cc:65] native: #00 pc 00004640 /system/lib/libbacktrace_libc++.so (UnwindCurrent::Unwind(unsigned int, ucontext*)+23)
art/runtime/check_jni.cc:65] native: #1 pc 00002e8d /system/lib/libbacktrace_libc++.so (Backtrace::Unwind(unsigned int, ucontext*)+8)
art/runtime/check_jni.cc:65] native: #2 pc 0023f09d /system/lib/libart.so (art::DumpNativeStack(std::__1::basic_ostream<char, std::__1::char_traits >&, int, char const*, art::mirror::ArtMethod*)+68)
art/runtime/check_jni.cc:65] native: #3 pc 002245eb /system/lib/libart.so (art::Thread::Dump(std::__1::basic_ostream<char, std::__1::char_traits >&) const+146)
art/runtime/check_jni.cc:65] native: #4 pc 000afafb /system/lib/libart.so (art::JniAbort(char const*, char const*)+582)
art/runtime/check_jni.cc:65] native: #5 pc 000b0235 /system/lib/libart.so (art::JniAbortF(char const*, char const*, ...)+60)
art/runtime/check_jni.cc:65] native: #6 pc 000b3345 /system/lib/libart.so (art::ScopedCheck::ScopedCheck(_JNIEnv*, int, char const*)+1284)
art/runtime/check_jni.cc:65] native: #7 pc 000b4025 /system/lib/libart.so (art::CheckJNI::FindClass(_JNIEnv*, char const*)+20)
art/runtime/check_jni.cc:65] native: #8 pc 0000c6db /data/app/com.google.android.gms-1/lib/arm/libconscrypt_gmscore_jni.so (???)
art/runtime/check_jni.cc:65] native: #9 pc 0000cac7 /data/app/com.google.android.gms-1/lib/arm/libconscrypt_gmscore_jni.so (???)
art/runtime/check_jni.cc:65] native: #10 pc 0001065d /data/app/com.google.android.gms-1/lib/arm/libconscrypt_gmscore_jni.so (???)
art/runtime/check_jni.cc:65] native: #11 pc 02720c15 /data/dalvik-cache/arm/data@[email protected]@[email protected] (Java_com_google_android_gms_org_conscrypt_NativeCrypto_EVP_1DigestSignFinal__Lcom_google_android_gms_org_conscrypt_NativeRef_00024EVP_1MD_1CTX_2+100)
art/runtime/check_jni.cc:65] at com.google.android.gms.org.conscrypt.NativeCrypto.EVP_DigestSignFinal(Native method)
art/runtime/check_jni.cc:65] at com.google.android.gms.org.conscrypt.OpenSSLSignature.engineSign(:com.google.android.gms@[email protected] (020308-239467275):2)
art/runtime/check_jni.cc:65] at java.security.Signature$SignatureImpl.engineSign(Signature.java:659)
art/runtime/check_jni.cc:65] at java.security.Signature.sign(Signature.java:368)

@rsgowman
Copy link
Member

Hi @laszlo-major,

Could you share more details about what you're doing? A minimal app that reproduces the issue would be ideal, but elaborating on 'other uses' might be enough. I'd be curious as to your list of dependencies too.

@wilhuff
Copy link
Contributor

wilhuff commented Apr 16, 2019

In particular note that Firestore has been installing this crypto provider since it was released. The fix, such as it was, was to have firebase-inappmessaging-display do the same thing. We didn't change anything in Firestore.

@laszlo-major
Copy link

laszlo-major commented Apr 17, 2019

I am creating a JWT and signing it with ECDSA256 using https://github.com/jwtk/jjwt. Works fine until I upgrade inappmessaging, then throws the error above. I am not using firestore, I came to the Provider install conclusion based on https://groups.google.com/forum/#!msg/google-sites-api/SL4e-wddUlU/Wjq64N25EQAJ and the fact that updating inappmessaging from 17.0.4 to 17.1.1 causes the failure.

List of dependencies:

    def retrofitVersion = "2.4.0"
    implementation fileTree(include: ['*.jar'], dir: 'libs')
    implementation 'androidx.appcompat:appcompat:1.0.2'
    implementation 'com.google.android.material:material:1.0.0'
    implementation 'androidx.core:core:1.0.1'
    implementation 'androidx.media:media:1.0.1'
    implementation 'androidx.legacy:legacy-support-v4:1.0.0'
    implementation 'androidx.recyclerview:recyclerview:1.0.0'
    implementation 'androidx.cardview:cardview:1.0.0'
    implementation 'androidx.constraintlayout:constraintlayout:1.1.3'
    implementation 'com.jakewharton.timber:timber:4.7.1'
    implementation "com.squareup.okhttp3:okhttp:$okhttpVersion"
    implementation "com.squareup.okhttp3:logging-interceptor:$okhttpVersion"
    implementation "com.squareup.retrofit2:retrofit:$retrofitVersion"
    implementation "com.squareup.retrofit2:adapter-rxjava2:$retrofitVersion"
    implementation "com.squareup.retrofit2:converter-moshi:$retrofitVersion"
    implementation 'com.squareup.moshi:moshi-adapters:1.5.0'
    implementation 'io.reactivex.rxjava2:rxjava:2.2.3'
    implementation 'io.reactivex.rxjava2:rxandroid:2.1.0'
    implementation 'com.google.dagger:dagger-android:2.22.1'
    implementation 'com.google.dagger:dagger-android-support:2.22.1'
    // if you use the support libraries
    annotationProcessor 'com.google.dagger:dagger-android-processor:2.22.1'
    implementation 'com.google.dagger:dagger:2.22.1'
    annotationProcessor 'com.google.dagger:dagger-compiler:2.22.1'

    implementation group: 'org.apache.commons', name: 'commons-lang3', version: '3.8.1'

    //firebase
    implementation "com.google.firebase:firebase-core:16.0.8"
    implementation "com.google.firebase:firebase-messaging:17.5.0"
    implementation 'com.google.firebase:firebase-ml-vision:19.0.3'
    implementation 'com.google.firebase:firebase-inappmessaging-display:17.0.4' //don't update this, it breaks Android 5 https://github.com/firebase/firebase-android-sdk/issues/244
    implementation "com.google.android.gms:play-services-location:16.0.0"
    implementation "com.google.android.gms:play-services-nearby:16.0.0"

    implementation("androidx.work:work-runtime:2.0.1") {
        exclude group: 'com.google.guava', module: 'listenablefuture'
    }
    implementation 'pub.devrel:easypermissions:1.2.0'

    implementation 'androidx.browser:browser:1.0.0'

    implementation 'com.airbnb.android:lottie:3.0.0'
    implementation 'com.crashlytics.sdk.android:crashlytics:2.9.9'

    implementation 'androidx.navigation:navigation-fragment:2.0.0-rc02'
    implementation 'androidx.navigation:navigation-ui:2.0.0-rc02'
    implementation 'io.jsonwebtoken:jjwt-api:0.10.5'
    runtimeOnly 'io.jsonwebtoken:jjwt-impl:0.10.5'
    runtimeOnly('io.jsonwebtoken:jjwt-orgjson:0.10.5')
    implementation "org.jetbrains.kotlin:kotlin-stdlib-jdk7:$kotlin_version"
    implementation "com.daimajia.swipelayout:library:1.2.0@aar"

    implementation 'com.jakewharton.rxbinding3:rxbinding-core:3.0.0-alpha2'
    implementation 'com.jakewharton.rxbinding3:rxbinding-appcompat:3.0.0-alpha2'
    implementation 'com.jakewharton.rxbinding3:rxbinding-material:3.0.0-alpha2'
    implementation 'me.xdrop:fuzzywuzzy:1.2.0'```

@Ahmednagyyy
Copy link

Ahmednagyyy commented May 17, 2019

@rakeshdausa

I was facing the same issue with FirebaseML kit, it was working for almost 6 months and suddenly it stopped to call any cloud vision or firebase ml cloud function, so I did this on my app start

fun initializeSSLContext(mContext: Context) {
        try {
            SSLContext.getInstance("TLSv1.2")
        } catch (e: NoSuchAlgorithmException) {
            e.printStackTrace()
        }
        try {
            ProviderInstaller.installIfNeeded(mContext.applicationContext)
        } catch (e: GooglePlayServicesRepairableException) {
            e.printStackTrace()
        } catch (e: GooglePlayServicesNotAvailableException) {
            e.printStackTrace()
        }
    }

Just call this function before any network calls and it will works probably

@faiza2666
Copy link

firebase google sign in authentication failed android:
whenever i sign in through gmail, it shows message "authentication went wrong" (which is displayed by toast message if GoogleSignInApi does not return result (is not success means not authenticate) then in that case it shows message that authentication failed (this chunk of code is written in onActivityResult method)

@var-const
Copy link
Contributor

@faiza2666 The failure you're describing appears to be unrelated to the issue in this thread. Can you please open a new issue for this? Additionally, please provide:

  • the exact error message;
  • the code you're using that's triggering the error (please make sure it contains no sensitive information before sharing).

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests

9 participants