Android Sametime client not connecting when SSL is enabled

A customer has exposed their Sametime Proxy to the internet so that they can access it using the Sametime client on mobile devices. One step is to import SSL certificates which the customer did using the very good Zero to Hero presentations.

I queried the application of the intermediary and root Certificate Authority (CA) certificates. The Zero to Hero and all other IBM documentation tells you to import the root and intermediary certificates into the CellDefaultTrustStore. I have for the STProxy and Sametime Gateway always installed into the CellDefaultKeyStore along with the CA signed device certificate. This creates a chain of certificates.

Anyway, once the customer had imported the certificates and I had imported them to the OS (Windows) so the Windows services would work the customer could not connect using his Android Sametime client but via a web browser it worked not problems.

I asked him to enable debugging and the logs he sent me from his handset showed the following (extract):

2013/06/21 16:28:15.891    340    FINE    CommonHttpClient$QueryX509TrustManager.checkServerTrusted:928    ENTRY: Server certificate validation Trust anchor for certification path not found.
2013/06/21 16:28:15.895    340    FINE    HTTPComm.BadCertificateNotifier:579    Enter HTTPComm.BadCertificateNotifier()
2013/06/21 16:28:15.895    340    FINE    CommonHttpClient$QueryX509TrustManager.checkServerTrusted:937    Trust anchor for certification path not found. Trust anchor for certification path not found.
    at org.apache.harmony.xnet.provider.jsse.TrustManagerImpl.checkTrusted(
    at org.apache.harmony.xnet.provider.jsse.TrustManagerImpl.checkServerTrusted(
    at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.verifyCertificateChain(
    at org.apache.harmony.xnet.provider.jsse.NativeCrypto.SSL_do_handshake(Native Method)
    at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(
    at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl$SSLInputStream.<init>(
    at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.getInputStream(
    at org.apache.http.impl.SocketHttpClientConnection.createSessionInputBuffer(
    at org.apache.http.impl.conn.DefaultClientConnection.createSessionInputBuffer(
    at org.apache.http.impl.SocketHttpClientConnection.bind(
    at org.apache.http.impl.conn.DefaultClientConnection.openCompleted(
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(
    at org.apache.http.impl.client.DefaultRequestDirector.execute(
    at org.apache.http.impl.client.AbstractHttpClient.execute(
    at org.apache.http.impl.client.AbstractHttpClient.execute(

2013/06/21 16:28:15.895    340    FINE    CommonHttpClient$QueryX509TrustManager.checkServerTrusted:953    ENTRY: User rejected server’s certificate
2013/06/21 16:28:15.901    340    FINE    STProxy.retryComm:1773    retryComm – command = 1 retries = 20
2013/06/21 16:28:15.901    340    INFO    HTTPComm.sendURLRequest:501    _sendurlrequest: Connection rejected. req = POST, cmd = 1, exception = Trust anchor for certification path not found.

I then found the following resource which suggested that I query the customers Sametime Proxy using an OpenSSL client using the command

openssl s_client -debug -connect

The last line from the output was Verify return code: 21 (unable to verify the first certificate)

So I imported the intermediary and root certificates in to the CellDefaultKeyStore and after a restart of STProxy his device could connect.

I’m, not sure why IBM’s documentation tells me to do it the other way but I do know that for this instance my way works!!