08-13-2019 01:42 PM
We are testing Jabber version 12.6 in phone-only mode on some devices running Android 8 (Oreo). The devices are on our internal network. Our CUCM and CUC servers have certificates issued by our internal CA. They are multi-server certs with a SAN for each node in the cluster. (We have an XMPP multi-server cert as well, but that's inconsequential for phone-only mode). When Jabber for Android connects to the CUCM or CUC server it prompts to Verify Certificate saying "Cisco Jabber cannot confirm the identity of this server. Do you want to Continue?" It includes information about the server name it doesn't recognize which we can confirm is one of the SANs in the multi-server cert and it references the name of the multi-server cert, that it was issued by our internal intermediate CA and that it still has a valid date. We have loaded our internal root CA and intermediate CA certificates into the Android key store via our MDM and also via a sideload (as recommended in the Jabber deployment guide - https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/12_6/cjab_b_on-prem-deployment-cisco-jabber_12-6/cjab_b_on-prem-deployment-cisco-jabber_12-6_chapter_01110.html ). We get the cert warning with the MDM pushed or sideloaded CA certs.
I have found several sources that indicate that beginning with Android 7 (Nougat) the Android OS no longer trusts CA certs that the end user loads even though it displays them in the User section of Trusted Credentials (Settings -> Security & location -> Encryption & credentials -> Trusted Credentials). Those same sources indicate you can root the device and install your internal CA cert into the System section of the Trusted Credentials and then it will work, but we don't want to have to root hundreds of devices to achieve this. We found an older device running Android 6, loaded our internal CA certs into the User Trusted Credentials and did *not* get the certificate warning, so this does seem related to the newer version of Android. Has anyone else encountered this issue on Jabber for Android and found a clever workaround?