Need to disable SSLv3 wherever necessary as per POODLE vulnerability
Hi,
While browsing the source code of Openfire I found only two occurrences of "SslContextFactory":
src/java/org/jivesoftware/openfire/container/AdminConsolePlugin.java
src/java/org/jivesoftware/openfire/http/HttpBindManager.java
The default ports for these services are 7433 (HTTP Bind) and 9091 (Admin Console).
But what about client connections on port 5222 using STARTTLS, do they support SSLv3 as well?
A connection test using a patched version of OpenSSL (see https://rt.openssl.org/Ticket/Display.html?id=2860&user=guest&pass=guest) tells me that SSLv3 is enabled for client connections on my server. (The command used is: ./openssl s_client -connect myopenfireserver:5222 -ssl3 -starttls xmpp)
akrherz's patch addresses only the first two problems. (https://github.com/akrherz/Openfire/commit/83e03fe549be1f17618c8c39cf70757be09dcd3a)
Can you verify this behaviour and is it relevant?
Thank you very much,
Florian.
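The STARTTLS check above depends on an OpenSSL build that still has SSLv3 compiled in. As an added example (not part of this thread or of Openfire), the following script performs the same verification on your own server without OpenSSL: it opens an XMPP stream on 5222, negotiates STARTTLS, sends a hand-built SSLv3-only ClientHello and reports whether the server answers with an SSLv3 ServerHello (SSLv3 still enabled) or an alert (disabled). The hostname, port and cipher-suite list are assumptions, and the stream `to=` attribute assumes the hostname is also the XMPP domain.

```python
import socket
import struct

XMPP_TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"


def build_sslv3_client_hello() -> bytes:
    """Raw SSLv3 (version 3.0) ClientHello; random and suites are constructed values."""
    suites = b"\x00\x0a\x00\x2f\x00\x35"  # 3DES-CBC, AES128-CBC, AES256-CBC (constructed list)
    body = (b"\x03\x00" + b"\x00" * 32           # client_version 3.0 + 32-byte random
            + b"\x00"                            # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                       # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type=ClientHello, 24-bit length
    return b"\x16\x03\x00" + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Interpret the first TLS record a server returns after the SSLv3 ClientHello."""
    if len(data) < 6:
        return "no-data"            # connection closed without a record: SSLv3 not usable
    if data[0] == 0x16 and data[1:3] == b"\x03\x00" and data[5] == 0x02:
        return "sslv3-accepted"     # ServerHello at version 3.0: SSLv3 is still enabled
    if data[0] == 0x15:
        return "rejected-alert"     # alert record (protocol_version / handshake_failure)
    return "other"


def probe_xmpp_starttls(host: str, port: int = 5222, timeout: float = 5.0) -> str:
    """Open an XMPP stream, negotiate STARTTLS, then offer only SSLv3 and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(("<?xml version='1.0'?><stream:stream to='%s' xmlns='jabber:client' "
                      "xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>" % host).encode())
        buf = b""
        while b"</stream:features>" not in buf:   # read until the feature list is complete
            chunk = sock.recv(4096)
            if not chunk:
                return "no-features"
            buf += chunk
        if b"<starttls" not in buf:
            return "starttls-not-offered"
        sock.sendall(("<starttls xmlns='%s'/>" % XMPP_TLS_NS).encode())
        if b"<proceed" not in sock.recv(4096):
            return "starttls-refused"
        sock.sendall(build_sslv3_client_hello())  # from here on the socket carries raw TLS records
        try:
            return classify_response(sock.recv(4096))
        except (ConnectionError, socket.timeout):
            return "no-data"
```

Run `probe_xmpp_starttls("myopenfireserver")` before and after changing the server configuration; the result should move from "sslv3-accepted" to "rejected-alert" or "no-data".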
Such questions should be directed to the linked forums thread. There is a comment about forcing TLS-only connections for clients. You should check then if it reports SSLv3 still being used.
I see "HTTP Bind".
The http/https BOSH port is 5280: http://www.xmpp.org/extensions/xep-0124.html
I have created a ticket in the past about BOSH: #OF-626.