
Smack 4.4.0: Smack BOSH Connection host TLS certificate verification process

During testing of XMPPBOSHConnection on aTalk (TLS certificate signed by Let's Encrypt), it was found that the BOSH connection always fails on Note-5 (API-21) Android devices. However, there is no problem when aTalk is running on a Note-10 (API-29). Below are Wireshark logs captured on both the Note-5 and the Note-10.

Observations:

  1. Note-5 is unable to make an HTTPS connection due to Alert (Level: Fatal, Description: Certificate Unknown), based on Wireshark.
  2. When using an account registered on dismail.de, Note-5 has no problem with the BOSH connection.

In XMPPTCPConnection, Smack provides a hook for aTalk to catch and override the TLS certificate verification process. However, it seems that there is no such option for the BOSH connection.

Does Smack provide the same option as XMPPTCPConnection to override the TLS certificate verification process?
Or is it solely controlled by Android, with no control by Smack to provide such an option during the HTTPS/BOSH connection?

======= BOSH Connection on Note 5 Wireshark log ==============
17	09:03:50.443141758	42.60.7.13	192.168.1.8	TLSv1.2	260	Client Hello
18	09:03:50.443164706	192.168.1.8	42.60.7.13	TCP	66	5443 → 53372 [ACK] Seq=1 Ack=195 Win=30208 Len=0 TSval=1544178294 TSecr=52099341
19	09:03:50.445143311	192.168.1.8	42.60.7.13	TLSv1.2	1190	Server Hello, Certificate, Server Key Exchange, Server Hello Done
20	09:03:50.446471481	42.60.7.13	192.168.1.8	TCP	66	53372 → 5443 [ACK] Seq=195 Ack=1125 Win=89856 Len=0 TSval=52099341 TSecr=1544178296
21	09:03:50.449400626	42.60.7.13	192.168.1.8	TLSv1.2	73	Alert (Level: Fatal, Description: Certificate Unknown)
22	09:03:50.449644365	42.60.7.13	192.168.1.8	TCP	66	53372 → 5443 [RST, ACK] Seq=202 Ack=1125 Win=89856 Len=0 TSval=52099342 TSecr=1544178296

======= BOSH Connection on Note 10 Wireshark log ==============
42	09:09:46.727093185	42.60.7.13	192.168.1.8	TLSv1.2	228	Client Hello
43	09:09:46.727116571	192.168.1.8	42.60.7.13	TCP	66	5443 → 48700 [ACK] Seq=1 Ack=163 Win=30208 Len=0 TSval=1544534585 TSecr=3958121855
44	09:09:46.728382041	192.168.1.8	42.60.7.13	TLSv1.2	1514	Server Hello
45	09:09:46.728388061	192.168.1.8	42.60.7.13	TLSv1.2	1514	Certificate [TCP segment of a reassembled PDU]
46	09:09:46.728552022	192.168.1.8	42.60.7.13	TLSv1.2	145	Server Key Exchange, Server Hello Done
47	09:09:46.731072277	42.60.7.13	192.168.1.8	TCP	66	48700 → 5443 [ACK] Seq=163 Ack=1449 Win=90624 Len=0 TSval=3958121858 TSecr=1544534586
48	09:09:46.731090766	42.60.7.13	192.168.1.8	TCP	66	48700 → 5443 [ACK] Seq=163 Ack=2897 Win=93440 Len=0 TSval=3958121858 TSecr=1544534586
49	09:09:46.731168879	42.60.7.13	192.168.1.8	TCP	66	48700 → 5443 [ACK] Seq=163 Ack=2976 Win=93440 Len=0 TSval=3958121859 TSecr=1544534587
50	09:09:46.811362162	42.60.7.13	192.168.1.8	TLSv1.2	192	Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
51	09:09:46.811664846	192.168.1.8	42.60.7.13	TLSv1.2	117	Change Cipher Spec, Encrypted Handshake Message
52	09:09:46.813759302	42.60.7.13	192.168.1.8	TCP	66	48700 → 5443 [ACK] Seq=289 Ack=3027 Win=93440 Len=0 TSval=3958121941 TSecr=1544534670
53	09:09:46.816896425	42.60.7.13	192.168.1.8	TLSv1.2	428	Application Data

========== aTalk BOSHConnection failure log on android 5.0 (API-21) ===========

10-24 13:27:58.396 31990-32635/org.atalk.android V/aTalk: [2] org.igniterealtime.jbosh.BOSHClient.processMessages() Processing thread 0 starting...
10-24 13:27:58.396 31990-32635/org.atalk.android V/aTalk: [2] org.igniterealtime.jbosh.BOSHClient.claimExchange() Thread 0 will wait for new request...
10-24 13:27:58.416 31990-32635/org.atalk.android V/aTalk: [2] org.igniterealtime.jbosh.BOSHClient.claimExchange() Thread 0 claimed: 7222157928960409
10-24 13:27:58.416 31990-32635/org.atalk.android V/aTalk: [2] org.igniterealtime.jbosh.BOSHClient.processExchange() Thread 0 is sending 7222157928960409
10-24 13:27:58.416 31990-32618/org.atalk.android D/SMACK: SENT (0): 
    <body wait='60' xmpp:version='1.0' ack='1' xmlns:xmpp='urn:xmpp:xbosh' ver='1.8' xml:lang='en' rid='7222157928960409' to='atalk.org' hold='1' xmlns='http://jabber.org/protocol/httpbind'>
    </body>
10-24 13:27:58.506 31990-32635/org.atalk.android V/aTalk: [2] org.igniterealtime.jbosh.BOSHClient.processExchange() Could not obtain response
    org.igniterealtime.jbosh.BOSHException: Could not obtain response
        at org.igniterealtime.jbosh.ApacheHTTPResponse.awaitResponse(ApacheHTTPResponse.java:251)
        at org.igniterealtime.jbosh.ApacheHTTPResponse.getBody(ApacheHTTPResponse.java:192)
        at org.igniterealtime.jbosh.BOSHClient.processExchange(BOSHClient.java:1127)
        at org.igniterealtime.jbosh.BOSHClient.processMessages(BOSHClient.java:1003)
        at org.igniterealtime.jbosh.BOSHClient.access$300(BOSHClient.java:105)
        at org.igniterealtime.jbosh.BOSHClient$RequestProcessor.run(BOSHClient.java:1742)
        at java.lang.Thread.run(Thread.java:818)
     Caused by: javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
        at com.android.org.conscrypt.SSLNullSession.getPeerCertificates(SSLNullSession.java:104)
        at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:93)
        at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:388)
        at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:214)
        at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:167)
        at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125)
        at org.apache.http.impl.client.DefaultRequestDirector.executeOriginal(DefaultRequestDirector.java:1287)
        at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:699)
        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:575)
        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:491)
        at org.igniterealtime.jbosh.ApacheHTTPResponse.awaitResponse(ApacheHTTPResponse.java:235)
        at org.igniterealtime.jbosh.ApacheHTTPResponse.getBody(ApacheHTTPResponse.java:192) 
        at org.igniterealtime.jbosh.BOSHClient.processExchange(BOSHClient.java:1127) 
        at org.igniterealtime.jbosh.BOSHClient.processMessages(BOSHClient.java:1003) 
        at org.igniterealtime.jbosh.BOSHClient.access$300(BOSHClient.java:105) 
        at org.igniterealtime.jbosh.BOSHClient$RequestProcessor.run(BOSHClient.java:1742) 
        at
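As an added example (not part of the original post, and not code from Smack, jbosh or aTalk), the script below replays the two Wireshark packet-list excerpts above and works out which side aborted the TLS handshake and at what stage. The sample input is the capture lines copied from the post (with the pasted-over fragment on frame 49 cleaned up); the column layout it parses is the default Wireshark packet list (No., Time, Source, Destination, Protocol, Length, Info). The point it makes explicit is who sends the alert: a fatal `Certificate Unknown` alert travelling from the client right after the server's `Certificate` message, with no `Client Key Exchange`, is the client refusing the chain, so the place to look is the client's trust store and verifier, not the server's TLS configuration.

```python
"""Classify the outcome of a TLS handshake from a Wireshark packet-list summary."""
import re
from dataclasses import dataclass
from typing import List

# Wireshark packet-list columns as pasted in the post:
# No.  Time  Source  Destination  Protocol  Length  Info
_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")
_ALERT = re.compile(r"Alert \(Level: ([^,]+), Description: ([^)]+)\)")


@dataclass
class Frame:
    no: int
    time: str
    src: str
    dst: str
    proto: str
    length: int
    info: str


def parse_tshark_summary(text: str) -> List[Frame]:
    """Parse packet-list lines; anything not matching the seven columns is skipped."""
    frames = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            no, t, src, dst, proto, length, info = m.groups()
            frames.append(Frame(int(no), t, src, dst, proto, int(length), info.strip()))
    return frames


def classify_handshake(frames: List[Frame]) -> dict:
    """Return who aborted the handshake (if anyone) and at which stage.

    The client is whoever sends Client Hello. TLS alerts are sent by the side
    that detected the problem, so a client alert after the server's Certificate
    and before Client Key Exchange means the client rejected the certificate.
    """
    client = server = None
    server_cert_seen = False
    client_key_exchange_seen = False
    for f in frames:
        if not f.proto.startswith("TLS"):
            continue  # pure TCP frames (ACK, RST) carry no handshake state
        if "Client Hello" in f.info:
            client, server = f.src, f.dst
            continue
        if client is None:
            continue  # capture started mid-connection; nothing to attribute
        if f.src == server and "Certificate" in f.info and "Alert" not in f.info:
            server_cert_seen = True
        if f.src == client and "Client Key Exchange" in f.info:
            client_key_exchange_seen = True
        alert = _ALERT.search(f.info)
        if alert:
            who = "client" if f.src == client else "server"
            if who == "client" and server_cert_seen and not client_key_exchange_seen:
                stage = "server certificate rejected by client"
            elif server_cert_seen:
                stage = "after Certificate"
            else:
                stage = "before Certificate"
            return {"outcome": who + "_aborted", "level": alert.group(1),
                    "alert": alert.group(2), "stage": stage, "frame": f.no,
                    "client": client, "server": server}
        if "Application Data" in f.info:
            return {"outcome": "completed", "frame": f.no,
                    "client": client, "server": server}
    return {"outcome": "incomplete", "client": client, "server": server}


# Sample input: the two captures from the post, frame 49 cleaned of the pasted-over text.
NOTE5_LOG = """\
17	09:03:50.443141758	42.60.7.13	192.168.1.8	TLSv1.2	260	Client Hello
18	09:03:50.443164706	192.168.1.8	42.60.7.13	TCP	66	5443 → 53372 [ACK] Seq=1 Ack=195 Win=30208 Len=0
19	09:03:50.445143311	192.168.1.8	42.60.7.13	TLSv1.2	1190	Server Hello, Certificate, Server Key Exchange, Server Hello Done
20	09:03:50.446471481	42.60.7.13	192.168.1.8	TCP	66	53372 → 5443 [ACK] Seq=195 Ack=1125 Win=89856 Len=0
21	09:03:50.449400626	42.60.7.13	192.168.1.8	TLSv1.2	73	Alert (Level: Fatal, Description: Certificate Unknown)
22	09:03:50.449644365	42.60.7.13	192.168.1.8	TCP	66	53372 → 5443 [RST, ACK] Seq=202 Ack=1125 Win=89856 Len=0
"""

NOTE10_LOG = """\
42	09:09:46.727093185	42.60.7.13	192.168.1.8	TLSv1.2	228	Client Hello
43	09:09:46.727116571	192.168.1.8	42.60.7.13	TCP	66	5443 → 48700 [ACK] Seq=1 Ack=163 Win=30208 Len=0
44	09:09:46.728382041	192.168.1.8	42.60.7.13	TLSv1.2	1514	Server Hello
45	09:09:46.728388061	192.168.1.8	42.60.7.13	TLSv1.2	1514	Certificate [TCP segment of a reassembled PDU]
46	09:09:46.728552022	192.168.1.8	42.60.7.13	TLSv1.2	145	Server Key Exchange, Server Hello Done
49	09:09:46.731168879	42.60.7.13	192.168.1.8	TCP	66	48700 → 5443 [ACK] Seq=163 Ack=2976 Win=93440 Len=0
50	09:09:46.811362162	42.60.7.13	192.168.1.8	TLSv1.2	192	Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
51	09:09:46.811664846	192.168.1.8	42.60.7.13	TLSv1.2	117	Change Cipher Spec, Encrypted Handshake Message
53	09:09:46.816896425	42.60.7.13	192.168.1.8	TLSv1.2	428	Application Data
"""

if __name__ == "__main__":
    for name, log in (("Note-5", NOTE5_LOG), ("Note-10", NOTE10_LOG)):
        print(name, classify_handshake(parse_tshark_summary(log)))
```

Running it reports the Note-5 capture as `client_aborted` with a Fatal `Certificate Unknown` alert in frame 21, at the stage "server certificate rejected by client", and the Note-10 capture as `completed` at frame 53. Read together with the `SSLPeerUnverifiedException: No peer certificate` from Apache HttpClient's `AbstractVerifier` in the logcat above, both point at the verifier on the device side, which is why the server that works for the Note-10 (and dismail.de, whose chain the Note-5 evidently accepts) does not help here.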