Recently we upgraded our UC environment from 9.1.2 to 11.5.1(SU1), this being CUCM/UCXN/IMP.
Since the upgrade to 11.5.1(SU1) we are experiencing certificate warnings only on Jabber for Mac clients; all other variations of Jabber appear to be working OK.
I can confirm that all CUCM/IMP and UCXN servers have valid SSL certificates signed and installed by a public certificate authority. When browsing to all the individual CUCM/IMP/UCXN nodes I don't see any certificate errors in my browser.
The Jabber for Mac client we have been using is 11.8, but we have also tested with 11.6.
I've attached an extract from the Jabber.Log, this shows the process of the client checking the certificate.
Is it possible that the latest Mac client has extended security features and the certificate possibly isn't good enough?
No, the certificates are not already in the trust store.
We stood up new virtual machines of both Windows and Mac OS as a test (not added to the domain or custom built images). We found that Windows could log in no problem without a certificate prompt, but the Mac did get prompted to accept certificates.
The only other thing I can think of is that we added additional subscribers that are signed with a newer certificate and the encryption is different.
- Original CUCM Certificates: PKCS #1 SHA-1 With RSA Encryption
- New CUCM Certificates: PKCS #1 SHA-256 With RSA Encryption
Could SHA-1 With RSA Encryption be causing this problem?
The only thing I can think of that would only affect Mac is that the Mac doesn't have the same root/intermediary CA in the store as Windows.
Can't tell much with the anonymised logs, but if you view the server cert on the Mac, is the cert chain okay?
If possible, can you test on Windows on a non-domain PC with a cleared-out Jabber cache to confirm there are no additional published enterprise trust certs or previously accepted certs that might be muddying the waters and pushing you towards only Mac clients being affected? I always found a locally running Win7 VM handy for this rather than relying on customer equipment.
From the J4Mac release notes, SHA-1 is still good.
Thanks for getting back to me. I've been doing some testing using a new Windows VM (no custom build/hasn't been added to domain) and I don't get the certificate acceptance warning.
Apparently people have had the certificate warnings on Android phones as well as Macs now, but iOS on iPhone appears OK.
Customer's certificates expire in June and they want them re-signing as a multi-SAN certificate soon; hopefully the issue will disappear after this.