Final update on this: Jabber for Mac 11.1.1 has been released and that has the official support for EL Capitan. Additionally this issue has been resolved in this latest release.
The defect which was created to track this issue was : CSCuw12621 Meeting site certificate is not valid error which you can verify in the Release Notes here: Resolved Caveats in 11.1.1
You can download Jabber for Mac 11.1.1 here: Download Software
Thanks for your patience and time.
Have a good weekend :)
your post did helped me in said issue. But i am trying to have mentioned certificate installed and check 10.6.1, issue still persists. with 11.1.1. I see no issue but, unfortunately due to compliance reason i cannot recommend users to move to 11.1.1.
Changing trust level to "Always Trust", it worked. El Capitan + Jabber 10.6.1 + Class 3 cert = success. :)
Has anyone opened with TAC to get a bug ID on this one? Curious how they classify it - Jabber bug? WebEx bug? Who knows.
I opened a case myself, if I get a bug ID, I'll post back. If more customers and partners open a case referencing the same bug ID it might get some attention at Cisco and they may do the right thing (tm) - change the certificates they present as part of the chain of trust on WebEx sites to use a 2048-bit root CA.
I believe this issue crept up because there are, from what I can tell, two versions of the VeriSign Class 3 Primary CA – G5 certificate (which is an intermediate in the chain at present). One version (the version they are not using) is a 2048-bit self-signed true root CA. But the other version (the version currently on the WebEx "edges" at depth 2) is an intermediate CA that is in turn signed by the "Verisign Class 3 Public Primary CA" 1024-bit root certificate which has been removed from El Capitan by Apple (I am surprised it was not removed from iOS 9 as well). It seems someone in the WebEx team must have made a configuration mistake and loaded the second (intermediate) version, rather than the first "true root" version, to the WebEx "edge" back when they migrated from DigiCert to Symantec circa January 2015. I don't know why they would chain off a 1024-bit root when they could chain off the 2048-bit root instead, but they did.
If you look at the description of the "VeriSign Class 3 Public Primary CA" on Symantec's site (http://www.symantec.com/page.jsp?id=roots) it even implies it should not be used after Q4 2010 (replaced by the 2048-bit root):
"Description: This root CA is the root used for Secure Site Pro Certificates , Premium SSL Certificates and Code Signing Certificates. It is intended to be the primary root used for these products until Q4 2010 when VeriSign transitions to using a 2048 bit root. After that transition this CA will be used as part of a cross certification to ensure legacy applications continue to trust VeriSign certificates and must continue to be included in root stores by vendors. This root is expected to be used in this way at least until 12/31/2013 and vendors should not plan on removing support for this root until officially advised that the root is no longer needed to support certificates or CRL validation."
Same issue on my side since I upgraded to OSX El Capitan. I never had such an issue on previous OSX versions.
Well, still nothing on the bug toolkit apparently. So, while Cisco and Apple evolve on their recently announced landmark partnership ... I'll also open a TAC SR by tomorrow in order to eventually have it fixed very soon.
I would like to point out that latest OSX 10.11.x is not yet officially supported by Jabber for Mac 11.x release: Software Requirements
Development is currently working on the next 11.x release which will have support for El Capitan and based on their testing, this issue should be resolved in the next upcoming release.
Once we have a tentative date, will update this thread, in the meantime, you have the temporary workaround.
Good point ... my apologies then. I thought the latest 11.1 release of Jabber for Mac would be "de-facto evergreen" with regards to the actual OSX version.