I am working with a test harness that uses Smack 3.3.0 and talks to Openfire 3.8.1. (Yes, I know these are old versions). My normal certificate configuration has the root cert in the truststore and device/intermediate cert chain in the keystore. This works perfect talking between two instances of the test harness over HTTP doing both client and server authentication.
However both the Smack client and Openfire server seem unhappy with this certificate configuration, generating TLS errors that trusted certs cannot be found. If I configure the Openfire server keystore with a cert chain that also includes the root cert, the Smack client seems happy. If I configure the smack client keystore with just the device certificate and add the intermediate cert to Openfire truststore, the Openfire server seems happy.
This really makes no sense, as I assume both Openfire/Smack are using the same underlying java mechanisms to validate the certificates, and if it works over http it should work over XMPP.
Any clues?
Jim