Re: Jabber for Android prompting to verify certificates issued by internal CA

sjdamme · ‎08-13-2019

We are testing Jabber version 12.6 in phone-only mode on some devices running Android 8 (Oreo). The devices are on our internal network. Our CUCM and CUC servers have certificates issued by our internal CA. They are multi-server certs with a SAN for each node in the cluster. (We have an XMPP multi-server cert as well, but that's inconsequential for phone-only mode). When Jabber for Android connects to the CUCM or CUC server it prompts to Verify Certificate saying "Cisco Jabber cannot confirm the identity of this server. Do you want to Continue?" It includes information about the server name it doesn't recognize which we can confirm is one of the SANs in the multi-server cert and it references the name of the multi-server cert, that it was issued by our internal intermediate CA and that it still has a valid date. We have loaded our internal root CA and intermediate CA certificates into the Android key store via our MDM and also via a sideload (as recommended in the Jabber deployment guide - https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/12_6/cjab_b_on-prem-deployment-cisco-jabber_12-6/cjab_b_on-prem-deployment-cisco-jabber_12-6_chapter_01110.html ). We get the cert warning with the MDM pushed or sideloaded CA certs.

I have found several sources that indicate that beginning with Android 7 (Nougat) the Android OS no longer trusts CA certs that the end user loads even though it displays them in the User section of Trusted Credentials (Settings -> Security & location -> Encryption & credentials -> Trusted Credentials). Those same sources indicate you can root the device and install your internal CA cert into the System section of the Trusted Credentials and then it will work, but we don't want to have root hundreds of devices to achieve this. We found an older device running Android 6, loaded our internal CA certs into the User Trusted Credentials and did *not* get the the certificate warning, so this does seem related to the newer version of Android. Has anyone else encountered this issue on Jabber for Android and found a clever workaround?

sjdamme · ‎08-23-2019

Posting an update on this to hopefully save some effort for others who run across this issue. I opened a TAC case and they confirmed this is a limitation with Android that Google introduced in Android 7.0. In the course of troubleshooting some other Jabber for Android issues I also found this in the Jabber for Android 12.6 Release Notes (https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/Android/12_6/jaba_b_release-notes_12-6.html) :

Limitations and Restrictions

Limitations

The following limitations apply to all devices:

Jabber always displays notifications for invalid certificates on Android 7.0 and later, even for installed custom CA-signed certificates on the Android OS. Apps that target Android 7.0 only trust system-provided certificates and no longer trust user-added Certificate Authorities.

I find this extremely frustrating since issuing the UCM certs from a public CA should not be necessary and training our users to click through a certificate warning is terrible security practice. Thanks a lot, Google.