When DNS SRV records are misconfigured, connections that are expected to receive DirectTLS data could receive non-encrypted data (optionally to be encrypted with StartTLS later).
Openfire should be lenient, and allow StartTLS on the DirectTLS port.
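
One way to tell the two kinds of traffic apart on the DirectTLS port, shown as an added example that is not Openfire's own code: peek at the first bytes and check for a TLS ClientHello record versus the opening of a plaintext XML stream. The class, enum and method names are hypothetical, and the sample inputs are constructed.

```java
import java.nio.charset.StandardCharsets;

public class FirstBytesClassifier {
    enum Kind { TLS_CLIENT_HELLO, PLAINTEXT_XML, NEED_MORE_DATA, UNKNOWN }

    // Classify the first bytes received on a connection without consuming them.
    // buf holds the peeked bytes, len is how many of them are valid.
    static Kind classify(byte[] buf, int len) {
        if (len == 0) return Kind.NEED_MORE_DATA;
        if ((buf[0] & 0xFF) == 0x16) {            // TLS record, content type "handshake"
            if (len < 6) return Kind.NEED_MORE_DATA; // 5-byte record header + handshake type
            boolean versionOk = (buf[1] & 0xFF) == 0x03 && (buf[2] & 0xFF) <= 0x04;
            boolean clientHello = (buf[5] & 0xFF) == 0x01;
            return versionOk && clientHello ? Kind.TLS_CLIENT_HELLO : Kind.UNKNOWN;
        }
        // A plaintext XMPP client opens with "<?xml ...?>" or "<stream:stream ...>";
        // leading whitespace is tolerated here as a leniency choice (assumption).
        int i = 0;
        while (i < len && (buf[i] == ' ' || buf[i] == '\t' || buf[i] == '\r' || buf[i] == '\n')) i++;
        if (i == len) return Kind.NEED_MORE_DATA;
        return buf[i] == '<' ? Kind.PLAINTEXT_XML : Kind.UNKNOWN;
    }

    public static void main(String[] args) {
        // Constructed samples: start of a TLS ClientHello record, a plaintext stream
        // header, a truncated TLS record header, and unrelated traffic.
        byte[] tls = {0x16, 0x03, 0x01, 0x00, 0x2f, 0x01};
        byte[] xml = "<?xml version='1.0'?><stream:stream to='example.org'"
                .getBytes(StandardCharsets.UTF_8);
        byte[] partial = {0x16, 0x03};
        byte[] other = "GET / HTTP/1.1\r\n".getBytes(StandardCharsets.US_ASCII);

        System.out.println(classify(tls, tls.length));         // TLS_CLIENT_HELLO
        System.out.println(classify(xml, xml.length));         // PLAINTEXT_XML
        System.out.println(classify(partial, partial.length)); // NEED_MORE_DATA
        System.out.println(classify(other, other.length));     // UNKNOWN

        // Handling sketch (assumption, not Openfire behaviour):
        //   TLS_CLIENT_HELLO -> start the TLS handshake immediately (DirectTLS)
        //   PLAINTEXT_XML    -> run the normal stream negotiation and offer StartTLS,
        //                       applying the same TLS policy as on the plain port
        //   UNKNOWN          -> close the connection
    }
}
```

Routing the plaintext case through the same TLS policy as the regular StartTLS port keeps the leniency from becoming a way to skip encryption where it is required.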