In Openfire, a TrustManager implementation is used to validate X509 certificates offered by peers (such as other servers, or clients that are using mutual authentication / SASL EXTERNAL).
The trust manager that is used should be made configurable, so that third parties can change the hard-coded Openfire version.