SSLv2 Hello is rejected; prevents some clients connecting
Description
Spark, Psi, and some other clients use the (very outdated) SSLv2 Hello when negotiating TLS. Currently this is rejected by Openfire, so these clients can no longer negotiate any TLS at all.
Environment
None
Activity
Simon Waters July 20, 2015 at 12:33 PM
Edited
Apologies for revisiting old topic.
Clients requesting SSLv2 violated RFCs 6120 (XMPP: Core) and 6176 (Prohibiting SSLv2 - no, really, there is a whole RFC prohibiting the use of SSL v2).
Were the bugs reported to the client software projects (yes, I know most of them are long dead)?
LG April 27, 2015 at 5:13 AM
Is https://github.com/igniterealtime/Openfire/pull/207/files the proper fix for this issue?
+ // ... but accept a SSLv2 Hello on the server
+ filter.setEnabledProtocols(new String[]{"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"});
If I got it right, some Psi clients have problems connecting while the server connections are fine. So this fix wouldn't help. I'd prefer system properties to modify the supported protocols if needed and keep the current default as is ("TLSv1", "TLSv1.1", "TLSv1.2"), as it makes no sense to re-enable support for Poodle.
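An added example, not Openfire's code and not the code from the linked pull request, of what the suggestion above could look like in Java: the enabled-protocol list is read from a system property, the thread's default ("TLSv1", "TLSv1.1", "TLSv1.2") is kept when the property is unset, names the JVM does not support are dropped, and an explicit opt-in to SSLv2Hello is logged. The property name is an assumption.

```java
import java.util.*;
import javax.net.ssl.*;

public class TlsProtocolConfig {
    // Hypothetical property name for this example; Openfire's real property may differ.
    static final String PROPERTY = "example.tls.enabledProtocols";
    // Default proposed in the thread: no SSLv2Hello, no SSLv3.
    static final String[] DEFAULT = {"TLSv1", "TLSv1.1", "TLSv1.2"};

    /** Explicit property value wins; an unset or blank property keeps the default. */
    static String[] resolveEnabledProtocols(String propertyValue) {
        if (propertyValue == null || propertyValue.trim().isEmpty()) {
            return DEFAULT.clone();
        }
        List<String> out = new ArrayList<>();
        for (String p : propertyValue.split(",")) {
            String t = p.trim();
            if (!t.isEmpty()) out.add(t);
        }
        return out.toArray(new String[0]);
    }

    /** Enable only names this JVM supports; flag an explicit SSLv2Hello opt-in. */
    static String[] apply(SSLEngine engine, String[] requested) {
        Set<String> supported = new HashSet<>(Arrays.asList(engine.getSupportedProtocols()));
        List<String> enabled = new ArrayList<>();
        for (String p : requested) {
            if (supported.contains(p)) enabled.add(p);
            else System.err.println("Ignoring protocol not supported by this JVM: " + p);
        }
        if (enabled.contains("SSLv2Hello")) {
            System.err.println("SSLv2Hello enabled by configuration for legacy clients (RFC 6176 prohibits SSLv2)");
        }
        // Note: newer JDKs may still refuse TLSv1/TLSv1.1 via jdk.tls.disabledAlgorithms.
        engine.setEnabledProtocols(enabled.toArray(new String[0]));
        return engine.getEnabledProtocols();
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false);
        String[] requested = resolveEnabledProtocols(System.getProperty(PROPERTY));
        System.out.println("Enabled: " + Arrays.toString(apply(engine, requested)));
    }
}
```

Run with `-Dexample.tls.enabledProtocols=SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2` to see the opt-in path; without the property the default list is applied.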
wroot April 25, 2015 at 9:41 AM
I have added a link to a forum thread most probably related to it, though many other threads about Spark not being able to log in are probably related too. But Spark 2.7.0 works fine with Openfire 3.10.0, and I have TLS set as required and SSL disabled. Psi is also connecting fine for me (on a Windows box with self-signed certificates generated by Openfire).