Jabber for MAC - Certificate Warning post upgrade

Simon Battye
Level 2

Hi,

Recently we upgraded our UC environment from 9.1.2 to 11.5.1(SU1), this being CUCM/UCXN/IMP.

Since the upgrade to 11.5.1(SU1) we are experiencing certificate warnings on only Jabber for MAC clients; all other variations of Jabber appear to be working OK.

I can confirm that all CUCM/IMP and UCXN servers have valid SSL certificates signed and installed by a public certificate authority. When browsing to all the individual CUCM/IMP/UCXN nodes I don't see any certificate errors in my browser.

The Jabber for MAC client we have been using is 11.8, but we have also tested with 11.6.

I've attached an extract from the Jabber.Log, this shows the process of the client checking the certificate.

Is it possible that the latest MAC client has extended security features and the certificate possibly isn't good enough?

Thanks, Simon


Jaime Valencia
Cisco Employee

Do you already have the server certificates in your trust store?

HTH

java

if this helps, please rate

Jaime,

No, the certificates are not already in the trust store.

We stood up new virtual machines of both Windows and MAC OS as a test (not added to the domain or custom-built images); we found that Windows could log in no problem without a certificate prompt, but MAC did get prompted to accept certificates.

The only other thing I can think of is that we added additional subscribers that are signed with a newer certificate and the encryption is different.

- Original CUCM Certificates: PKCS #1 SHA-1 With RSA Encryption

- New CUCM Certificates: PKCS #1 SHA-256 With RSA Encryption

Could SHA-1 With RSA Encryption be causing this problem?

Thanks, Simon 

Hi mate!

The only thing I can think of that would only affect Mac is that the Mac doesn't have the same root/intermediary CA in the store as Windows.

Can't tell much with the anonymised logs, but if you view the server cert on the Mac, is the cert chain okay?

If possible, can you test on Windows on a non-domain PC with a cleared-out Jabber cache to confirm there are no additional published enterprise trust certs or previously accepted certs that might be muddying the waters and pushing you towards only Mac clients being affected. I always found a locally running Win7 VM handy for this rather than relying on customer equipment.

From the J4Mac release notes SHA-1 is still good.

Adam

Hi Mate,

Thanks for getting back to me. I've been doing some testing using a new Windows VM (no custom build/hasn't been added to domain) and I don't get the certificate acceptance warning.

Apparently people have had the certificate warnings on Android phones as well as MACs now, but iOS on iPhone appears OK.

Customer's certificates expire in June and they want them re-signing as a multi-san certificate soon; hopefully the issue will disappear after this.

Cheers, Simon
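
For the SHA-1 versus SHA-256 comparison raised in the thread, here is an added example (not part of any post and not Cisco code) that reads the signature algorithm of every certificate in a PEM bundle, such as the chain exported from each node, using only the Python standard library. `SAMPLE_BUNDLE` and `skeleton_pem` are constructed stand-ins rather than real certificates, and all function names are hypothetical.

```python
import base64
import re

# OIDs for the two signature algorithms compared in the thread.
SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(data):
    arcs, value = [data[0] // 40, data[0] % 40], 0
    for byte in data[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear ends the current arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Outer signatureAlgorithm of one certificate: Certificate ::= SEQUENCE {tbs, alg, sig}."""
    _, cert, _ = read_tlv(der)
    _, _, after_tbs = read_tlv(cert)       # skip tbsCertificate
    _, alg, _ = read_tlv(cert, after_tbs)  # AlgorithmIdentifier
    tag, oid, _ = read_tlv(alg)
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    dotted = decode_oid(oid)
    return SIG_OIDS.get(dotted, dotted)

def chain_algorithms(pem_text):
    # One entry per certificate in the bundle, in file order.
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem_text, re.S)
    return [signature_algorithm(base64.b64decode(b)) for b in blocks]

def skeleton_pem(oid_hex):
    """Constructed sample: certificate-shaped DER with dummy body and signature, not a real cert."""
    alg = bytes([0x30, 13, 0x06, 9]) + bytes.fromhex(oid_hex) + b"\x05\x00"
    body = b"\x30\x03\x02\x01\x02" + alg + b"\x03\x02\x00\x01"
    der = bytes([0x30, len(body)]) + body
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

SAMPLE_BUNDLE = skeleton_pem("2a864886f70d010105") + skeleton_pem("2a864886f70d01010b")
```

Calling `chain_algorithms()` on the text of a real PEM export lists the algorithm for the leaf and each intermediate in order; an algorithm outside the table is returned as its dotted OID.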
