When aTalk v2.3.1 release upgraded to use smack-4.4.0-alpha5 library, it is found that aTalk client login to server failed when the sever-overridden option is enabled e.g. swordfish@atalk.org where atalk.org is the client virtual host service running on host with FQDN atalk.sytes.net (server-overridden). This problem seems to happen on all smack-4.4.0 alpha releases, but reveal as login failure only in smack-4.4.0-alpha5 due to ------------------Untrusted chain: ----------------------. Actually this problem also happen in aTalk v2.3.0 release with alpha3 library, but smack ignores and proceed as normal to have a successful login.
Previously, aTalk only need to add config.setHost(FQDN) to compliment the solution.
From the smack alpha5 source. config.getXMPPServiceDomain() always refers to the service name.
I did a quick verification to confirm the observation by using config.setXmppDomain(FQDN);
This seems to “resolve” the problem; but believe this is not the right approach.
Any advice on solution?
========= aTalk debug log =============
2020-07-22 23:24:21.982 8686-8943/org.atalk.android D/SMACK: SENT (0):
<stream:stream xmlns='jabber:client' to='atalk.org' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' xml:lang='en'>
2020-07-22 23:24:21.997 8686-8944/org.atalk.android D/SMACK: RECV (0): ?xml version='1.0'?>
<stream:stream id='3652220486897623538' version='1.0' xml:lang='en' xmlns:stream='http://etherx.jabber.org/streams' from='atalk.org' xmlns='jabber:client'>
2020-07-22 23:24:22.003 8686-8944/org.atalk.android D/SMACK: RECV (0):
<stream:features>
<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
<required/>
</starttls>
</stream:features>
2020-07-22 23:24:22.008 8686-8943/org.atalk.android D/SMACK: SENT (0):
<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
2020-07-22 23:24:22.015 8686-8944/org.atalk.android D/SMACK: RECV (0):
<proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
2020-07-22 23:24:22.215 8686-8944/org.atalk.android E/CONSCRYPT: ------------------Untrusted chain: ----------------------
2020-07-22 23:24:22.215 8686-8944/org.atalk.android E/CONSCRYPT: == Chain0 ==
Version: 3
2020-07-22 23:24:22.216 8686-8944/org.atalk.android E/CONSCRYPT: Serial Number: fac884d4c609a3d1
2020-07-22 23:24:22.217 8686-8944/org.atalk.android E/CONSCRYPT: SubjectDN: CN=atalk.org
2020-07-22 23:24:22.217 8686-8944/org.atalk.android E/CONSCRYPT: IssuerDN: CN=atalk.org
2020-07-22 23:24:22.278 8686-8944/org.atalk.android E/CONSCRYPT: Get not before: Sat Dec 26 09:07:16 GMT+08:00 2015
2020-07-22 23:24:22.289 8686-8944/org.atalk.android E/CONSCRYPT: Get not after: Tue Dec 23 09:07:16 GMT+08:00 2025
2020-07-22 23:24:22.289 8686-8944/org.atalk.android E/CONSCRYPT: Sig ALG name: SHA256WITHRSA
2020-07-22 23:24:22.298 8686-8944/org.atalk.android E/CONSCRYPT: Signature: 4b17767fb81d53486c05e8d3fe140bc9d33699aef9c9fb6e5aaf87dec6e48b2184bb7a13692c2b813a33b1c1fdc8dd504466a92585aee513a074bf990a128ceca2681e1d33f5b677712dc1fe94048b172d50a3ee1710fb7513934682bbea4275ea50575280f4716e86b9f2d0614dd645d3f169d551ba4a5d77423ea9b91df93e733184d0b82a537bdcc36b25d6430a52bf3c90f17bd95dcc6eeb62c140f181e9ab9f7caf16a129e57e538d9d07f2d78d84089c1c345616115bde6de8742b985b771f63763bd4bc95d5e31bd8932836cdc1cfa76e76b7c0b9c55583795997eca6e4ba0b2cfce8dc94d11331cb3cc50eb8320bc1af9be606834ac57fe49ac17ebc
2020-07-22 23:24:22.442 8686-8944/org.atalk.android E/CONSCRYPT: Public key:
30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03
82 01 0f 00 30 82 01 0a 02 82 01 01 00 e1 ed fc 01 59 35 a0
0e 59 d1 7a 4c f7 77 66 af 0d fb b3 9f 2d 49 75 7f b7 02 3b
dc 26 2b 98 21 48 f1 dc 8a 9c e5 f7 86 59 aa ac 23 a3 ee ff
d4 95 28 20 63 24 32 df 2f 2f 14 22 92 e7 dc 5d d1 23 8b b5
b9 29 a9 94 20 b5 8b 5c 81 91 42 17 b8 bf e5 9e 97 ca 95 60
0e 2a aa 67 b9 cc ed 84 7a 3c d1 2c 60 30 02 e0 c2 94 76 75
d7 f2 26 10 87 2e a8 9a 98 ff 3a da c3 65 08 b2 ab 35 22 9c
8c ff 83 0c ba 3d ec d4 21 6c b1 b4 5b 94 3a 28 d8 a0 e2 9b
16 66 fc 01 00 85 92 db 77 2e 0e 96 85 27 4d b8 39 e3 8e 18
4f ef cb 0e 88 09 b1 38 6a 3e 27 d6 68 ec 98 82 2d 4b 93 cc
9f 50 78 47 c1 1d 7b dd 68 ad 83 15 33 1c e3 f7 34 99 fb fe
09 2e 72 9d 59 c7 32 81 c4 f6 1f 44 db e8 57 ad 75 5a 26 7f
34 a6 a1 45 92 1c b9 33 d2 9d 50 7f 41 45 86 6c 10 61 c4 d6
7c fb 8f a6 31 37 71 5d ef 02 03 01 00 01
2020-07-22 23:24:22.460 8686-8944/org.atalk.android I/aTalk: [149676] org.jivesoftware.smack.AbstractXMPPConnection.notifyConnectionError() Connection was already disconnected when attempting to handle javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:239)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.waitForHandshake(ConscryptFileDescriptorSocket.java:510)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.getInputStream(ConscryptFileDescriptorSocket.java:473)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.initReaderAndWriter(XMPPTCPConnection.java:676)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.proceedTLSReceived(XMPPTCPConnection.java:714)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$1400(XMPPTCPConnection.java:130)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:972)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$700(XMPPTCPConnection.java:898)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:921)
at java.lang.Thread.run(Thread.java:919)
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.TrustManagerImpl.verifyChain(TrustManagerImpl.java:688)
at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:557)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:513)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:432)
at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:360)
at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:89)
at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:224)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.verifyCertificateChain(ConscryptFileDescriptorSocket.java:430)
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
at com.android.org.conscrypt.NativeSsl.doHandshake(NativeSsl.java:387)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:234)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.waitForHandshake(ConscryptFileDescriptorSocket.java:510)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.getInputStream(ConscryptFileDescriptorSocket.java:473)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.initReaderAndWriter(XMPPTCPConnection.java:676)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.proceedTLSReceived(XMPPTCPConnection.java:714)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$1400(XMPPTCPConnection.java:130)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:972)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$700(XMPPTCPConnection.java:898)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:921)
at java.lang.Thread.run(Thread.java:919)
Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.TrustManagerImpl.verifyChain(TrustManagerImpl.java:688)
at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:557)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:513)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:432)
at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:360)
at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:89)
at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:224)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.verifyCertificateChain(ConscryptFileDescriptorSocket.java:430)
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
at com.android.org.conscrypt.NativeSsl.doHandshake(NativeSsl.java:387)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:234)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.waitForHandshake(ConscryptFileDescriptorSocket.java:510)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.getInputStream(ConscryptFileDescriptorSocket.java:473)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.initReaderAndWriter(XMPPTCPConnection.java:676)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.proceedTLSReceived(XMPPTCPConnection.java:714)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$1400(XMPPTCPConnection.java:130)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:972)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$700(XMPPTCPConnection.java:898)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:921)
at java.lang.Thread.run(Thread.java:919)
Below is the debug log for aTalk v2.3.0. Actually the
-----------------Untrusted chain: ----------------------
also occurred; however smack proceed to login and is successful.
I am not sure how far back the problem has started, ad for which smack version; after the fixed was introduced since smack v4.2.3.
Actually atalk.org is only a virtual host without any public IP; ejabberd server supports virtual host ‘atalk.org’ xmpp service. The ejabberd server is running on the physical host atalk.sytes.net with a valid FQDN.
atalk.sytes.net has a public ip and its certificate is provided by let’s encrypt; the certificate for atalk.org is only a self-signed certificate, hence result to Untrusted chain.
My thinking is that certificate validation should be performed on the physical connected device i.e. atalk.sytes.net. Unless smack enforces the certificate validation is on each service resides on the host, then the observation it is a normal behavior.
Actually ejaberd gives warning on self-signed certificates:
14:20:52.222 [warning] Invalid certificate in /usr/local/etc/ejabberd/ssl_cert/atalk.org.pem: at line 29: self-signed certificate
14:20:52.224 [warning] No certificate found matching 'upload.atalk.sytes.net': strictly configured clients or servers will reject connections with this host; obtain a certificate for this (sub)domain from any trusted CA such as Let's Encrypt (www.letsencrypt.org)
14:20:52.224 [warning] No certificate found matching 'conference.atalk.sytes.net': strictly configured clients or servers will reject connections with this host; obtain a certificate for this (sub)domain from any trusted CA such as Let's Encrypt (www.letsencrypt.org)
14:20:52.224 [warning] No certificate found matching 'pubsub.atalk.org': strictly configured clients or servers will reject connections with this host; obtain a certificate for this (sub)domain from any trusted CA such as Let's Encrypt (www.letsencrypt.org)
14:20:52.224 [warning] No certificate found matching 'proxy.atalk.sytes.net': strictly configured clients or servers will reject connections with this host; obtain a certificate for this (sub)domain from any trusted CA such as Let's Encrypt (www.letsencrypt.org)
14:20:52.224 [warning] No certificate found matching 'pubsub.atalk.sytes.net': strictly configured clients or servers will reject connections with this host; obtain a certificate for this (sub)domain from any trusted CA such as Let's Encrypt (www.letsencrypt.org)
14:20:52.224 [warning] No certificate found matching 'proxy.atalk.org': strictly configured clients or servers will reject connections with this host; obtain a certificate for this (sub)domain from any trusted CA such as Let's Encrypt (www.letsencrypt.org)
14:20:52.225 [warning] No certificate found matching 'conference.atalk.org': strictly configured clients or servers will reject connections with this host; obtain a certificate for this (sub)domain from any trusted CA such as Let's Encrypt (www.letsencrypt.org)
14:20:52.225 [warning] No certificate found matching 'upload.atalk.org': strictly configured clients or servers will reject connections with this host; obtain a certificate for this (sub)domain from any trusted CA such as Let's Encrypt (www.letsencrypt.org)
No, this would allow anyone to impersonate the XMPP service for atalk.org and hence render verification meaningless. But it is a common misconception when it comes to certificate verification.
Yes, actually I was also thinking my early comment is not correct.
aTalk has already implemented SRV-ID. So I did a re-check on aTalk v2.3.0 and v2.3.1.
On aTalk v2.3.0 (smack-4.4.0-alpha3), it will pop-up a prompt requesting user to verify and accept if a self-signed certificate is detected, as shown in the snapshot below.
However in aTalk v2.3.1 (smack 4.4.0-alpah5), under the same test condition, there is no such prompt. Seems like calback for user certificate verification is not triggered.
There was no change in aTalk source in this area between v2.3.0 and v2.3.1; so the problem seems to be smack new implementation in alpha5. Any advice?
Follow the trail from the prompt backwards, i.e., what triggers the appearance of the prompt. Look how it is wired with Smack internals (since the prompt is caused by something within the SSLContext’s certification verification routine). The determine what make it work with -alpha3, and what is missing in -alpha5.
I was hoping you can give a quick solution, as I saw that there is some major changes in the ConnecitonConfiguration. I will do the debug and update you. FYI:
aTalk has the following implementation using custom SSLContext for SSL connection.
where sslTrustManager implements X509TrustManager to catch the CertificateException to show the user prompt.
/**
* Check whether a certificate is trusted, if not ask user whether he trusts it.
*
* @param chain the certificate chain.
* @param authType authentication type like: RSA.
* @throws CertificateException not trusted.
*/
public void checkServerTrusted(X509Certificate[] chain, String authType)
throws CertificateException
{
abortConnecting = true;
try {
tm.checkServerTrusted(chain, authType);
} catch (CertificateException e) {
// notify in a separate thread to avoid a deadlock when a reg state listener
// accesses a synchronized XMPPConnection method (like getRoster)
new Thread(() -> fireRegistrationStateChanged(getRegistrationState(),
RegistrationState.UNREGISTERED, RegistrationStateChangeEvent.REASON_USER_REQUEST,
"Not trusted certificate")).start();
throw e;
}
if (abortConnecting) {
// connect hasn't finished we will continue normally
abortConnecting = false;
}
else {
// in this situation connect method has finished and it was disconnected so we
// wont to connect. register.connect in new thread so we can release the current
// connecting thread, otherwise this blocks jabber
new Thread(() -> reRegister(SecurityAuthority.CONNECTION_FAILED, null)).start();
}
}
Factories are expected to manufactor new instances every time their factory method is called (createSslContext()). Possible that it does not make any difference in your case, but what you really want is
I tried your recommendation, it is not working. What I see in smack 4.4.0-alpha5 release, there is a change in getSmackTlsContext() where customX509TrustManager is one of the pass-in parameters, and it get included in the list of TrustManager. So doing
From the below two debug logs for aTalk v2.3.0 (smack-4.4.0-alpha3) and aTalk v2.3.1 (smack-4.4.0-alpha5); it is found that there is a change in the CertificateException order. In v2.3.0, aTalk is given the chance to handle the CertificateException i.e. HostTrustManager.checkServerTrusted(), but not in v2.3.1; smack handles the CertificateException instead.
============ aTalk debug log (smack 4.4.0-alpha3) ============
2020-07-24 07:48:54.540 28555-28835/org.atalk.android E/(ProtocolProviderServiceJabberImpl.java:2763)#checkServerTrusted: java.lang.Exception: TSL Certificate Invalid
at net.java.sip.communicator.impl.protocol.jabber.ProtocolProviderServiceJabberImpl$HostTrustManager.checkServerTrusted(ProtocolProviderServiceJabberImpl.java:2763)
at net.java.sip.communicator.impl.protocol.jabber.ProtocolProviderServiceJabberImpl$HostTrustManager.checkServerTrusted(ProtocolProviderServiceJabberImpl.java:2733)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.org.conscrypt.Platform.checkTrusted(Platform.java:196)
at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:225)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.verifyCertificateChain(ConscryptFileDescriptorSocket.java:430)
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
at com.android.org.conscrypt.NativeSsl.doHandshake(NativeSsl.java:387)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:234)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.waitForHandshake(ConscryptFileDescriptorSocket.java:510)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.getInputStream(ConscryptFileDescriptorSocket.java:473)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.initReaderAndWriter(XMPPTCPConnection.java:671)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.proceedTLSReceived(XMPPTCPConnection.java:715)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$1200(XMPPTCPConnection.java:136)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:969)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:893)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:913)
at java.lang.Thread.run(Thread.java:919)
2020-07-24 07:48:54.676 28555-28835/org.atalk.android E/CONSCRYPT: ------------------Untrusted chain: ----------------------
2020-07-24 07:48:54.676 28555-28835/org.atalk.android E/CONSCRYPT: == Chain0 ==
Version: 3
2020-07-24 07:48:54.676 28555-28835/org.atalk.android E/CONSCRYPT: Serial Number: fac884d4c609a3d1
2020-07-24 07:48:54.677 28555-28835/org.atalk.android E/CONSCRYPT: SubjectDN: CN=atalk.org
2020-07-24 07:48:54.678 28555-28835/org.atalk.android E/CONSCRYPT: IssuerDN: CN=atalk.org
2020-07-24 07:48:54.775 28555-28835/org.atalk.android E/CONSCRYPT: Get not before: Sat Dec 26 09:07:16 GMT+08:00 2015
2020-07-24 07:48:54.785 28555-28574/org.atalk.android W/System: A resource failed to call close.
2020-07-24 07:48:54.800 28555-28835/org.atalk.android E/CONSCRYPT: Get not after: Tue Dec 23 09:07:16 GMT+08:00 2025
2020-07-24 07:48:54.800 28555-28835/org.atalk.android E/CONSCRYPT: Sig ALG name: SHA256WITHRSA
2020-07-24 07:48:54.820 28555-28835/org.atalk.android E/CONSCRYPT: Signature: 4b17767fb81d53486c05e8d3fe140bc9d33699aef9c9fb6e5aaf87dec6e48b2184bb7a13692c2b813a33b1c1fdc8dd504466a92585aee513a074bf990a128ceca2681e1d33f5b677712dc1fe94048b172d50a3ee1710fb7513934682bbea4275ea50575280f4716e86b9f2d0614dd645d3f169d551ba4a5d77423ea9b91df93e733184d0b82a537bdcc36b25d6430a52bf3c90f17bd95dcc6eeb62c140f181e9ab9f7caf16a129e57e538d9d07f2d78d84089c1c345616115bde6de8742b985b771f63763bd4bc95d5e31bd8932836cdc1cfa76e76b7c0b9c55583795997eca6e4ba0b2cfce8dc94d11331cb3cc50eb8320bc1af9be606834ac57fe49ac17ebc
2020-07-24 07:48:54.918 28555-28835/org.atalk.android E/CONSCRYPT: Public key:
30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03
82 01 0f 00 30 82 01 0a 02 82 01 01 00 e1 ed fc 01 59 35 a0
0e 59 d1 7a 4c f7 77 66 af 0d fb b3 9f 2d 49 75 7f b7 02 3b
dc 26 2b 98 21 48 f1 dc 8a 9c e5 f7 86 59 aa ac 23 a3 ee ff
d4 95 28 20 63 24 32 df 2f 2f 14 22 92 e7 dc 5d d1 23 8b b5
b9 29 a9 94 20 b5 8b 5c 81 91 42 17 b8 bf e5 9e 97 ca 95 60
0e 2a aa 67 b9 cc ed 84 7a 3c d1 2c 60 30 02 e0 c2 94 76 75
d7 f2 26 10 87 2e a8 9a 98 ff 3a da c3 65 08 b2 ab 35 22 9c
8c ff 83 0c ba 3d ec d4 21 6c b1 b4 5b 94 3a 28 d8 a0 e2 9b
16 66 fc 01 00 85 92 db 77 2e 0e 96 85 27 4d b8 39 e3 8e 18
4f ef cb 0e 88 09 b1 38 6a 3e 27 d6 68 ec 98 82 2d 4b 93 cc
9f 50 78 47 c1 1d 7b dd 68 ad 83 15 33 1c e3 f7 34 99 fb fe
09 2e 72 9d 59 c7 32 81 c4 f6 1f 44 db e8 57 ad 75 5a 26 7f
34 a6 a1 45 92 1c b9 33 d2 9d 50 7f 41 45 86 6c 10 61 c4 d6
7c fb 8f a6 31 37 71 5d ef 02 03 01 00 01
============ aTalk debug log (smack 4.4.0-alpha5) ============
2020-07-24 08:06:25.817 388-739/org.atalk.android E/CONSCRYPT: ------------------Untrusted chain: ----------------------
2020-07-24 08:06:25.818 388-739/org.atalk.android E/CONSCRYPT: == Chain0 ==
Version: 3
2020-07-24 08:06:25.818 388-739/org.atalk.android E/CONSCRYPT: Serial Number: fac884d4c609a3d1
2020-07-24 08:06:25.819 388-739/org.atalk.android E/CONSCRYPT: SubjectDN: CN=atalk.org
2020-07-24 08:06:25.819 388-739/org.atalk.android E/CONSCRYPT: IssuerDN: CN=atalk.org
2020-07-24 08:06:25.885 388-739/org.atalk.android E/CONSCRYPT: Get not before: Sat Dec 26 09:07:16 GMT+08:00 2015
2020-07-24 08:06:25.896 388-739/org.atalk.android E/CONSCRYPT: Get not after: Tue Dec 23 09:07:16 GMT+08:00 2025
2020-07-24 08:06:25.896 388-739/org.atalk.android E/CONSCRYPT: Sig ALG name: SHA256WITHRSA
2020-07-24 08:06:25.905 388-739/org.atalk.android E/CONSCRYPT: Signature: 4b17767fb81d53486c05e8d3fe140bc9d33699aef9c9fb6e5aaf87dec6e48b2184bb7a13692c2b813a33b1c1fdc8dd504466a92585aee513a074bf990a128ceca2681e1d33f5b677712dc1fe94048b172d50a3ee1710fb7513934682bbea4275ea50575280f4716e86b9f2d0614dd645d3f169d551ba4a5d77423ea9b91df93e733184d0b82a537bdcc36b25d6430a52bf3c90f17bd95dcc6eeb62c140f181e9ab9f7caf16a129e57e538d9d07f2d78d84089c1c345616115bde6de8742b985b771f63763bd4bc95d5e31bd8932836cdc1cfa76e76b7c0b9c55583795997eca6e4ba0b2cfce8dc94d11331cb3cc50eb8320bc1af9be606834ac57fe49ac17ebc
2020-07-24 08:06:25.999 388-739/org.atalk.android E/CONSCRYPT: Public key:
30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03
82 01 0f 00 30 82 01 0a 02 82 01 01 00 e1 ed fc 01 59 35 a0
0e 59 d1 7a 4c f7 77 66 af 0d fb b3 9f 2d 49 75 7f b7 02 3b
dc 26 2b 98 21 48 f1 dc 8a 9c e5 f7 86 59 aa ac 23 a3 ee ff
d4 95 28 20 63 24 32 df 2f 2f 14 22 92 e7 dc 5d d1 23 8b b5
b9 29 a9 94 20 b5 8b 5c 81 91 42 17 b8 bf e5 9e 97 ca 95 60
0e 2a aa 67 b9 cc ed 84 7a 3c d1 2c 60 30 02 e0 c2 94 76 75
d7 f2 26 10 87 2e a8 9a 98 ff 3a da c3 65 08 b2 ab 35 22 9c
8c ff 83 0c ba 3d ec d4 21 6c b1 b4 5b 94 3a 28 d8 a0 e2 9b
16 66 fc 01 00 85 92 db 77 2e 0e 96 85 27 4d b8 39 e3 8e 18
4f ef cb 0e 88 09 b1 38 6a 3e 27 d6 68 ec 98 82 2d 4b 93 cc
9f 50 78 47 c1 1d 7b dd 68 ad 83 15 33 1c e3 f7 34 99 fb fe
09 2e 72 9d 59 c7 32 81 c4 f6 1f 44 db e8 57 ad 75 5a 26 7f
34 a6 a1 45 92 1c b9 33 d2 9d 50 7f 41 45 86 6c 10 61 c4 d6
7c fb 8f a6 31 37 71 5d ef 02 03 01 00 01
2020-07-24 08:06:26.016 388-739/org.atalk.android I/aTalk: [158601] org.jivesoftware.smack.AbstractXMPPConnection.notifyConnectionError() Connection was already disconnected when attempting to handle javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:239)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.waitForHandshake(ConscryptFileDescriptorSocket.java:510)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.getInputStream(ConscryptFileDescriptorSocket.java:473)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.initReaderAndWriter(XMPPTCPConnection.java:676)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.proceedTLSReceived(XMPPTCPConnection.java:714)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$1400(XMPPTCPConnection.java:130)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:972)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$700(XMPPTCPConnection.java:898)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:921)
at java.lang.Thread.run(Thread.java:919)
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.TrustManagerImpl.verifyChain(TrustManagerImpl.java:688)
at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:557)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:513)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:432)
at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:360)
at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:89)
at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:224)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.verifyCertificateChain(ConscryptFileDescriptorSocket.java:430)
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
at com.android.org.conscrypt.NativeSsl.doHandshake(NativeSsl.java:387)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:234)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.waitForHandshake(ConscryptFileDescriptorSocket.java:510)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.getInputStream(ConscryptFileDescriptorSocket.java:473)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.initReaderAndWriter(XMPPTCPConnection.java:676)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.proceedTLSReceived(XMPPTCPConnection.java:714)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$1400(XMPPTCPConnection.java:130)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:972)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$700(XMPPTCPConnection.java:898)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:921)
at java.lang.Thread.run(Thread.java:919)
Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.TrustManagerImpl.verifyChain(TrustManagerImpl.java:688)
at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:557)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:513)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:432)
at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:360)
at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:89)
at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:224)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.verifyCertificateChain(ConscryptFileDescriptorSocket.java:430)
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
at com.android.org.conscrypt.NativeSsl.doHandshake(NativeSsl.java:387)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:234)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.waitForHandshake(ConscryptFileDescriptorSocket.java:510)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.getInputStream(ConscryptFileDescriptorSocket.java:473)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.initReaderAndWriter(XMPPTCPConnection.java:676)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.proceedTLSReceived(XMPPTCPConnection.java:714)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$1400(XMPPTCPConnection.java:130)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:972)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$700(XMPPTCPConnection.java:898)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:921)
at java.lang.Thread.run(Thread.java:919)
Maybe I did not make myself clear. Sorry about that. What I suggested is that you create a new SSLContext instance every time the factory method is called, while still setting a custom trust manager via config.setCustomX509TrustManager(sslTrustManager);.
Thanks for the clarification. However I am not sure why there is a need to perform the below statement whenever the SslContextFactory.createSslContext() is called. Need you to enlighten me. as I see this is a new change in smack-4.4.0-alpha5.
will actually resolve to getSSLContext() below for password login strategy; which should return a reference instance, and remains unchanged for the same SSL connection.
Note: loginStrategy.createSslContext(cvs, sslTrustManager) will get a new instance when there is a change in the XMPP Connection.