Fixed
Details
Assignee: Guus der Kinderen
Reporter: Guus der Kinderen
Labels:
Fix versions:
Priority: Major
Created September 22, 2017 at 11:42 AM
Updated September 7, 2023 at 4:24 PM
Resolved September 7, 2023 at 4:24 PM
A long, long time ago, port 5222 would accept plain text client connections, while port 5223 would accept SSL connections. Then, STARTTLS was introduced on port 5222, allowing plain text connections to be upgraded to an encrypted connection, all on port 5222. At the time, the assumption might have been that this would completely deprecate port 5223, which from then on was referred to as "Legacy" or "Old style" SSL.
There are benefits of "Old style" SSL over STARTTLS (fewer round trips are required to establish a secured connection, for instance). We've previously opted not to remove the functionality that's served on 5223.
The naming of the encryption technique that we're offering on 5223 suggests that it is a deprecated, old, not-to-be-used technique. That's far from the case. We should rename it, to avoid further confusion. XEP-0368 refers to this as "Direct TLS". Using this name in Openfire takes away the issue described above, and helps to establish a common vocabulary in the larger XMPP community.
While renaming things, it would be good to rename what we now identify as STARTTLS too. STARTTLS is a command name, but not the name of the technique. Wikipedia refers to this as Opportunistic TLS.
Update: the term "opportunistic" is generally disapproved of for the usage intended here (see https://mail.jabber.org/pipermail/standards/2017-September/033402.html ). Let's not rename StartTLS for now.