Fixed
Details
Assignee: Guus der Kinderen
Reporter: Guus der Kinderen
Fix versions
Priority: Minor
Created April 26, 2019 at 3:07 PM
Updated May 9, 2019 at 8:42 PM
Resolved May 9, 2019 at 8:42 PM
Openfire supports "mutual authentication", in which the PKIX certificate of the peer (either clients, or remote XMPP servers) is used as credentials (as opposed to a more traditional username/password).
When mutual authentication occurs, validation of the certificate happens on the TLS layer - in MINA, mostly. Later, the EXTERNAL SASL mechanism is used to authenticate/authorize the user represented by the credentials in the certificate.
In existing code, the validity and correctness of the provided certificate is checked in various places. Although this arguably is prudent (better safe than sorry), it does consume resources, and duplicates execution paths, which makes customization complex.
It's desirable to introduce an option that allows an administrator to skip all surplus certificate validation.