TLS works fine while SSL causes trouble.
Login as "firstname.lastname@example.org/spark" and start another client which supports "old" SSL and use the same JID but a wrong password to kick the logged in user.
Possible workaround: Disable the old SSL port within the admin console.
This problem is not about old SSL but when using the old iq:auth method. So clients that are using port 5222 and iq:auth (instead of SASL) to authenticate will also run into this problem.