Openfire allows mutual authentication (SASL EXTERNAL) for all connection types, although the default setting disables this feature.
If a properly signed (instead of the default self-signed) certificate is installed, I'm not seeing downsides in allowing SASL EXTERNAL. It would be good to have this enabled for S2S, as it reduces the complexity for S2S establishment (the alternative approach, Dialback, requires an elaborate handshake).
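The role the certificate plays in that trade-off, as an added illustration (not Openfire code and not part of the original issue): a simplified sketch of the check a receiving server makes before accepting SASL EXTERNAL on an inbound S2S stream, in the style of XEP-0178. The function names, the `chain_trusted` flag (standing in for real chain validation) and the sample subjectAltName entries are assumptions constructed for this example.

```python
import base64

def dns_match(pattern: str, domain: str) -> bool:
    """dNSName match; '*' is accepted only as the entire left-most label."""
    p, d = pattern.lower().rstrip("."), domain.lower().rstrip(".")
    if p.startswith("*."):
        head, _, rest = d.partition(".")
        return bool(head) and rest == p[2:]
    return p == d

def cert_covers_domain(san_entries, domain: str) -> bool:
    """san_entries: (type, value) pairs read from the peer's subjectAltName."""
    for kind, value in san_entries:
        v = value.lower()
        if kind == "dNSName" and dns_match(v, domain):
            return True
        # Simplification: SRVName and xmppAddr are compared exactly.
        if kind == "xmppAddr" and v == domain.lower():
            return True
        if kind == "SRVName" and v == "_xmpp-server." + domain.lower():
            return True
    return False

def s2s_auth_method(stream_from, auth_b64, chain_trusted, san_entries,
                    dialback_enabled=True) -> str:
    """Return 'external', 'dialback' or 'reject' for an inbound S2S stream."""
    # "=" is the SASL encoding of an empty authorization identity.
    authzid = "" if auth_b64 == "=" else base64.b64decode(auth_b64).decode()
    claimed = authzid or stream_from
    if chain_trusted and cert_covers_domain(san_entries, claimed):
        return "external"
    return "dialback" if dialback_enabled else "reject"

if __name__ == "__main__":
    # Constructed sample: a CA-signed certificate versus a self-signed one.
    san = [("dNSName", "example.org"), ("SRVName", "_xmpp-server.example.org")]
    print(s2s_auth_method("example.org", "=", True, san))    # CA-signed
    print(s2s_auth_method("example.org", "=", False, san))   # self-signed
```

With EXTERNAL the whole authentication decision rests on chain validation and on the domain match, so a peer presenting a self-signed certificate ends up on the Dialback path or is refused.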