grpclb with TLS sends a malformed SNI host name to the balancer #4912
Description
In grpc/grpc#16727, there are several scenarios in which there is a grpclb balancer using plain TLS creds. The client is expected to find the balancer, get a backend, and complete an RPC to the backend all over plain TLS. Go and C++ pass this test but Java doesn't.
It appears that the root cause is that grpc-java includes the trailing period in its host name passed to SNI. I dumped the SSL handshake between the Java client and the balancer, and the Java client sends an initial ClientHello with an SNI extension having a host name of "balancer.test.google.fr." (note the trailing period). This is unlike C++ and Go, which don't include the trailing period in the SNI hostname. The balancer SSL handshaker responds by aborting the handshake with an ssl_unexpected_message alert. Since trailing periods are invalid by SNI spec, I think that the Java client needs to strip any trailing periods of resolved balancer names in SRV records. For example, Java passes the "grpclb with plain TLS" test with this hack
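Added example (not part of the original issue, and not the hack it refers to): a check that can be run over a captured ClientHello record to see whether the SNI host_name carries a trailing dot, the condition the handshake dump above revealed. The record bytes come from a helper that constructs sample input, and all function names are this example's own.

```python
import struct

def build_client_hello(sni):
    """Constructed sample input: minimal ClientHello record with one SNI name."""
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
    ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry
    body = (b"\x03\x03" + bytes(32) + b"\x00"       # version, random, empty session id
            + b"\x00\x02\x00\x2f" + b"\x01\x00"     # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)    # extensions block
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def extract_sni(rec):
    """Return the SNI host_name from a ClientHello record, or None if absent."""
    if len(rec) < 44 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 5 + 4 + 2 + 32                                   # headers, version, random
    pos += 1 + rec[pos]                                    # session id
    pos += 2 + int.from_bytes(rec[pos:pos + 2], "big")     # cipher suites
    pos += 1 + rec[pos]                                    # compression methods
    end = pos + 2 + int.from_bytes(rec[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= min(end, len(rec)):
        ext_type, ext_len = struct.unpack("!HH", rec[pos:pos + 4])
        data = rec[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == 0 and len(data) >= 5 and data[2] == 0:
            n = int.from_bytes(data[3:5], "big")
            return data[5:5 + n].decode("ascii", "replace")
    return None

def check_sni(rec):
    """Return (host_name, problem); problem is None when the name is acceptable."""
    host = extract_sni(rec)
    if host is None:
        return None, "no server_name extension"
    if host.endswith("."):
        # RFC 6066: host_name is ASCII without a trailing dot
        return host, "trailing dot in SNI host_name"
    return host, None

if __name__ == "__main__":
    for name in ("balancer.test.google.fr.", "balancer.test.google.fr"):
        print(check_sni(build_client_hello(name)))
```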