cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
443
Views
0
Helpful
4
Replies
Highlighted
Beginner

Jabber for MAC - Certificate Warning post upgrade

Hi,

Recently we upgraded our UC environment from 9.1.2 to 11.5.1(SU1), this being CUCM/UCXN/IMP.

Since the upgrade to 11.5.1(SU1) we are experiencing certificate warnings on only Jabber for MAC clients, all other variations of Jabber appear to be working OK.

I can confirm that all CUCM/IMP and UCXN servers have valid SSL Certificates signed and installed by a public certificate authority, when browsing to all the individual CUCM/IMP/UCXN nodes i don't see any certificate errors in my browser.

The Jabber for MAC client we have been using is 11.8, but we have also tested with 11.6.

I've attached an extract from the Jabber.Log, this shows the process of the client checking the certificate.

Is it possible that the latest MAC client has extended security features and the certificate possibly isn't good enough?

Thanks, Simon

Everyone's tags (1)
4 REPLIES 4
Hall of Fame Cisco Employee

Do you already have the

Do you already have the server certificates in your trust store?

HTH

java

if this helps, please rate
Beginner

Jamie,

Jamie,

No the certificates are not already in the trust store.

We stood up new virtual machines of both Windows and MAC OS as a test (not added to the domain or custom built images), we found that windows could log in no problem without certificate prompt but MAC did get prompted to accept certificates.

The only other thing i can think of, is that we added additional subscribers that are signed with a newer certificate and the encryption is different.

- Original CUCM Certificates: PKCS #1 SHA-1 With RSA Encryption

- New CUCM Certificates: PKCS #1 SHA-256 With RSA Encryption

Could SHA-1 With RSA Encryption be causing this problem?

Thanks, Simon 

Beginner

Hi mate!

Hi mate!

The only thing I can think of that would only affect Mac is that the Mac doesn't have the same root/intermediary CA in the store as Windows.

Can't tell much with the anonamised logs, but if you view the server cert on the Mac is the cert chain okay?

If possible can you test on Windows on a non-domain PC with cleared out Jabber cache to confirm there's no additional published enterprise trust certs or previously accepted certs that might be mudding the waters and pushing you towards only Mac clients being affected.  I always found a locally running Win7 VM handy for this rather than relying on customer equipment.

From the J4Mac release notes SHA-1 is still good.

Adam

Beginner

Hi Mate,

Hi Mate,

Thanks for getting back to me, i've been doing some testing using a new windows VM (no custom build/hasn't been added to domain) and i don't get the certificate acceptance warning.

Apparently people have had the certificate warnings on android phones as well as MAC's now but IOS on iPhone appears OK.

Customer's certificates expire in June and they want them re-signing as a multi-san certificate soon; hopefully the issue will disappear after this.

Cheers, Simon

CreatePlease to create content
Content for Community-Ad
August's Community Spotlight Awards