
SSLv2 Hello is rejected; prevents some clients connecting

Description

Spark, Psi, and some other clients use the (very outdated) SSLv2 Hello when negotiating TLS. Currently this is rejected by Openfire, so these clients can no longer negotiate any TLS at all.

Activity

wroot
April 25, 2015, 9:41 AM

I have added a link to a forum thread most probably related to it, though many other threads about Spark not being able to log in are probably related too. But Spark 2.7.0 works fine with Openfire 3.10.0, and I have TLS set as required and SSL disabled. Psi is also connecting fine for me (on a Windows box with self-signed certificates generated by Openfire).

LG
April 27, 2015, 5:13 AM

Is https://github.com/igniterealtime/Openfire/pull/207/files the proper fix for this issue?
+ // ... but accept a SSLv2 Hello on the server
+ filter.setEnabledProtocols(new String[]{"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"});
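Review bot: the protocol list in the `filter.setEnabledProtocols(...)` line is hard-coded, so a deployment cannot opt out of accepting the SSLv2-format hello without a code change; consider reading the array from a system property that defaults to the existing `"TLSv1", "TLSv1.1", "TLSv1.2"` list and documenting it. The `// ... but accept a SSLv2 Hello on the server` comment also leaves it unclear which connections this filter serves, which matters if the connections that actually fail are client ones rather than server ones.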

If I got it right, some Psi clients have problems connecting while the server connections are fine, so this fix wouldn't help. I'd prefer system properties to modify the supported protocols if needed and keep the current default as is ("TLSv1", "TLSv1.1", "TLSv1.2"), as it makes no sense to re-enable support for Poodle.
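As an added example (not code from Openfire or from the pull request quoted above) of the property-driven protocol list suggested in this comment: the property name `xmpp.socket.ssl.protocols` is hypothetical, and the default is the current one quoted in the thread.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class TlsProtocolConfig {
    // Hypothetical property name: the thread asks for "system properties" but names none.
    static final String PROPERTY = "xmpp.socket.ssl.protocols";
    // The current Openfire default as quoted in the thread.
    static final String[] DEFAULT = {"TLSv1", "TLSv1.1", "TLSv1.2"};

    /**
     * Builds the enabled-protocol array from a comma-separated property value,
     * keeping only names the running JSSE provider reports as supported.
     * A null/blank property, or one naming nothing usable, yields the default.
     */
    static String[] resolve(String propertyValue, Set<String> supported) {
        String[] requested = (propertyValue == null || propertyValue.trim().isEmpty())
                ? DEFAULT : propertyValue.split(",");
        Set<String> chosen = new LinkedHashSet<>();
        for (String p : requested) {
            String name = p.trim();
            if (supported.contains(name)) {
                chosen.add(name);
            } else {
                System.err.println("Ignoring unsupported protocol name: " + name);
            }
        }
        // Fail closed: never hand the engine an empty protocol list.
        return chosen.isEmpty() ? DEFAULT.clone() : chosen.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false);
        Set<String> supported = new LinkedHashSet<>(Arrays.asList(engine.getSupportedProtocols()));
        // JSSE's "SSLv2Hello" entry only accepts the SSLv2-format ClientHello framing
        // that legacy clients send; it does not enable the SSLv2 protocol itself, and
        // JSSE requires at least one real TLS version alongside it.
        String[] enabled = resolve(System.getProperty(PROPERTY), supported);
        engine.setEnabledProtocols(enabled);
        System.out.println("Enabled protocols: " + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

Run with `-Dxmpp.socket.ssl.protocols=SSLv2Hello,TLSv1.2` to see the compatibility hello accepted alongside a real TLS version, and without the property to see the default list applied.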

Simon Waters
July 20, 2015, 12:33 PM
Edited

Apologies for revisiting an old topic.

Clients requesting SSLv2 violated RFCs 6120 (XMPP: Core) and 6176 (Prohibiting SSLv2; no, really, there is a whole RFC prohibiting the use of SSL v2).

Were the bugs reported to the client software projects? (Yes, I know most of them are long dead.)

Assignee

Dave Cridland

Reporter

Dave Cridland

Priority

Major