During testing of XMPPBOSHConnection on aTalk (TLS certificate signed by Let's Encrypt), it was found that the BOSH connection always fails on Note-5 (API-21) Android devices. However, there is no problem when aTalk is running on a Note-10 (API-29). Below are the Wireshark logs captured on both the Note-5 and the Note-10.
Observations:
- Note-5 is unable to make the HTTPS connection due to Alert (Level: Fatal, Description: Certificate Unknown), based on the Wireshark capture.
- When using an account registered on dismail.de, the Note-5 has no problem with the BOSH connection.
In XMPPTCPConnection, Smack provides a hook for aTalk to catch and override the TLS certificate verification process. However, it seems that there is no such option during a BOSH connection.
Does Smack provide the same option as XMPPTCPConnection to override the TLS certificate verification process?
Or is it solely under the control of Android, with no control by Smack to provide such an option during an HTTPS/BOSH connection?
======= BOSH Connection on Note 5 wireshark log ==============
17 09:03:50.443141758 42.60.7.13 192.168.1.8 TLSv1.2 260 Client Hello
18 09:03:50.443164706 192.168.1.8 42.60.7.13 TCP 66 5443 → 53372 [ACK] Seq=1 Ack=195 Win=30208 Len=0 TSval=1544178294 TSecr=52099341
19 09:03:50.445143311 192.168.1.8 42.60.7.13 TLSv1.2 1190 Server Hello, Certificate, Server Key Exchange, Server Hello Done
20 09:03:50.446471481 42.60.7.13 192.168.1.8 TCP 66 53372 → 5443 [ACK] Seq=195 Ack=1125 Win=89856 Len=0 TSval=52099341 TSecr=1544178296
21 09:03:50.449400626 42.60.7.13 192.168.1.8 TLSv1.2 73 Alert (Level: Fatal, Description: Certificate Unknown)
22 09:03:50.449644365 42.60.7.13 192.168.1.8 TCP 66 53372 → 5443 [RST, ACK] Seq=202 Ack=1125 Win=89856 Len=0 TSval=52099342 TSecr=1544178296
======= BOSH Connection on Note 10 wireshark log ==============
42 09:09:46.727093185 42.60.7.13 192.168.1.8 TLSv1.2 228 Client Hello
43 09:09:46.727116571 192.168.1.8 42.60.7.13 TCP 66 5443 → 48700 [ACK] Seq=1 Ack=163 Win=30208 Len=0 TSval=1544534585 TSecr=3958121855
44 09:09:46.728382041 192.168.1.8 42.60.7.13 TLSv1.2 1514 Server Hello
45 09:09:46.728388061 192.168.1.8 42.60.7.13 TLSv1.2 1514 Certificate [TCP segment of a reassembled PDU]
46 09:09:46.728552022 192.168.1.8 42.60.7.13 TLSv1.2 145 Server Key Exchange, Server Hello Done
47 09:09:46.731072277 42.60.7.13 192.168.1.8 TCP 66 48700 → 5443 [ACK] Seq=163 Ack=1449 Win=90624 Len=0 TSval=3958121858 TSecr=1544534586
48 09:09:46.731090766 42.60.7.13 192.168.1.8 TCP 66 48700 → 5443 [ACK] Seq=163 Ack=2897 Win=93440 Len=0 TSval=3958121858 TSecr=1544534586
49 09:09:46.731168879 42.60.7.13 192.168.1.8 TCP 66 48700 → 5443 [ACK] Seq=163 Ack=2976 Win=93440 Len=0 TSval=3958121859 TSecr=1544534587
50 09:09:46.811362162 42.60.7.13 192.168.1.8 TLSv1.2 192 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
51 09:09:46.811664846 192.168.1.8 42.60.7.13 TLSv1.2 117 Change Cipher Spec, Encrypted Handshake Message
52 09:09:46.813759302 42.60.7.13 192.168.1.8 TCP 66 48700 → 5443 [ACK] Seq=289 Ack=3027 Win=93440 Len=0 TSval=3958121941 TSecr=1544534670
53 09:09:46.816896425 42.60.7.13 192.168.1.8 TLSv1.2 428 Application Data
========== aTalk BOSHConnection failure log on android 5.0 (API-21) ===========
10-24 13:27:58.396 31990-32635/org.atalk.android V/aTalk: [2] org.igniterealtime.jbosh.BOSHClient.processMessages() Processing thread 0 starting...
10-24 13:27:58.396 31990-32635/org.atalk.android V/aTalk: [2] org.igniterealtime.jbosh.BOSHClient.claimExchange() Thread 0 will wait for new request...
10-24 13:27:58.416 31990-32635/org.atalk.android V/aTalk: [2] org.igniterealtime.jbosh.BOSHClient.claimExchange() Thread 0 claimed: 7222157928960409
10-24 13:27:58.416 31990-32635/org.atalk.android V/aTalk: [2] org.igniterealtime.jbosh.BOSHClient.processExchange() Thread 0 is sending 7222157928960409
10-24 13:27:58.416 31990-32618/org.atalk.android D/SMACK: SENT (0):
<body wait='60' xmpp:version='1.0' ack='1' xmlns:xmpp='urn:xmpp:xbosh' ver='1.8' xml:lang='en' rid='7222157928960409' to='atalk.org' hold='1' xmlns='http://jabber.org/protocol/httpbind'>
</body>
10-24 13:27:58.506 31990-32635/org.atalk.android V/aTalk: [2] org.igniterealtime.jbosh.BOSHClient.processExchange() Could not obtain response
org.igniterealtime.jbosh.BOSHException: Could not obtain response
at org.igniterealtime.jbosh.ApacheHTTPResponse.awaitResponse(ApacheHTTPResponse.java:251)
at org.igniterealtime.jbosh.ApacheHTTPResponse.getBody(ApacheHTTPResponse.java:192)
at org.igniterealtime.jbosh.BOSHClient.processExchange(BOSHClient.java:1127)
at org.igniterealtime.jbosh.BOSHClient.processMessages(BOSHClient.java:1003)
at org.igniterealtime.jbosh.BOSHClient.access$300(BOSHClient.java:105)
at org.igniterealtime.jbosh.BOSHClient$RequestProcessor.run(BOSHClient.java:1742)
at java.lang.Thread.run(Thread.java:818)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
at com.android.org.conscrypt.SSLNullSession.getPeerCertificates(SSLNullSession.java:104)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:93)
at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:388)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:214)
at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:167)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125)
at org.apache.http.impl.client.DefaultRequestDirector.executeOriginal(DefaultRequestDirector.java:1287)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:699)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:575)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:491)
at org.igniterealtime.jbosh.ApacheHTTPResponse.awaitResponse(ApacheHTTPResponse.java:235)
at org.igniterealtime.jbosh.ApacheHTTPResponse.getBody(ApacheHTTPResponse.java:192)
at org.igniterealtime.jbosh.BOSHClient.processExchange(BOSHClient.java:1127)
at org.igniterealtime.jbosh.BOSHClient.processMessages(BOSHClient.java:1003)
at org.igniterealtime.jbosh.BOSHClient.access$300(BOSHClient.java:105)
at org.igniterealtime.jbosh.BOSHClient$RequestProcessor.run(BOSHClient.java:1742)
at
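The hook mentioned for XMPPTCPConnection, shown as an added example rather than code from aTalk or from Smack. It replaces the Android system trust store with an app-supplied set of CA certificates (for instance a PEM bundle shipped in the app's assets, a hypothetical input here) and passes the resulting SSLContext to Smack through the connection configuration builder. The Smack calls used (XMPPTCPConnectionConfiguration.builder(), setXmppDomain, setUsernameAndPassword, setSecurityMode, setCustomSSLContext) are Smack 4.x API names as the editor recalls them; check them against the Smack version in use. The domain atalk.org is taken from the BOSH body in the log above; the user name and password are placeholders. Whether XMPPBOSHConnection honours the same custom SSLContext is exactly the open question of the post, so only the TCP path is shown.

```java
// Added example (not aTalk or Smack project code): make XMPPTCPConnection verify the
// server certificate against an app-supplied trust store instead of the platform one.
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

import org.jivesoftware.smack.ConnectionConfiguration;
import org.jivesoftware.smack.tcp.XMPPTCPConnection;
import org.jivesoftware.smack.tcp.XMPPTCPConnectionConfiguration;

public final class PinnedTlsXmppConnection {

    /**
     * Build a trust manager that accepts only chains anchored at one of the CA
     * certificates in pemBundle (assumed to be a PEM file bundled with the app).
     * Chain building, signature and validity checks are still done by the platform
     * PKIX validator; only the set of trust anchors is replaced. This is the safe
     * form of "overriding" verification: no trust-all manager is involved.
     */
    static X509TrustManager trustManagerFromPem(InputStream pemBundle) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore anchors = KeyStore.getInstance(KeyStore.getDefaultType());
        anchors.load(null, null); // empty, in-memory key store
        int n = 0;
        for (Certificate ca : cf.generateCertificates(pemBundle)) {
            anchors.setCertificateEntry("ca-" + n++, ca);
        }
        if (n == 0) {
            throw new IllegalArgumentException("PEM bundle contains no certificates");
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(anchors);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("platform returned no X509TrustManager");
    }

    /** Wrap the trust manager in an SSLContext that Smack can be told to use. */
    static SSLContext sslContextWith(X509TrustManager tm) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        return ctx;
    }

    /**
     * Configure an XMPPTCPConnection whose TLS handshake uses the custom context.
     * Hostname verification is deliberately left at Smack's default: the custom
     * context changes which roots are trusted, not whether the name is checked.
     */
    static XMPPTCPConnection build(String xmppDomain, String user, String password,
                                   InputStream caBundle) throws Exception {
        XMPPTCPConnectionConfiguration config = XMPPTCPConnectionConfiguration.builder()
                .setXmppDomain(xmppDomain)                 // e.g. "atalk.org" from the log
                .setUsernameAndPassword(user, password)    // placeholders
                // Never fall back to plaintext because verification failed.
                .setSecurityMode(ConnectionConfiguration.SecurityMode.required)
                // The hook: Smack uses this context when it upgrades the socket to TLS.
                .setCustomSSLContext(sslContextWith(trustManagerFromPem(caBundle)))
                .build();
        return new XMPPTCPConnection(config);
    }
}
```

Usage: call build("atalk.org", user, password, assets.open("ca-bundle.pem")) and then connect() and login() on the returned connection as usual; a chain that does not reach one of the bundled anchors still fails the handshake, which is the behaviour to keep. The reason to carry the anchors yourself rather than trusting everything is that an old device whose system store lacks the issuing root is exactly the situation in which a trust-all manager would silently accept a man-in-the-middle certificate too.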