SSLv2 Hello is rejected; prevents some clients connecting


Spark, Psi, and some other clients use the (very outdated) SSLv2 Hello when negotiating TLS. Currently this is rejected by Openfire, so these clients can no longer negotiate any TLS at all.
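To make the failure mode concrete, here is an added example (not Openfire's code, and not from any of the clients named above) that parses a ClientHello by its outer framing and then applies a server policy in which accepting the SSLv2-format hello is a switch separate from the list of TLS versions enabled. The three sample hellos are constructed byte strings, and the policy function is a simplified model of that behaviour, not Openfire's negotiation logic. It shows the point of the report: an SSLv2-format hello can advertise TLSv1.2 and modern cipher suites, so a server that rejects the framing outright also rejects clients that would otherwise negotiate TLS.

```python
"""Classify a captured ClientHello by its outer framing (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass

# (major, minor) as carried in the hello's version field
VERSION_NAMES = {
    (0, 2): "SSLv2",
    (3, 0): "SSLv3",
    (3, 1): "TLSv1",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
}
DEFAULT_ENABLED = ("TLSv1", "TLSv1.1", "TLSv1.2")


@dataclass
class HelloInfo:
    framing: str                     # "sslv2-hello" or "tls-record"
    client_version: tuple[int, int]  # highest version the client offers
    cipher_suites: list[int]         # cipher identifiers as integers


def parse_client_hello(data: bytes) -> HelloInfo:
    """Parse either an SSLv2-format CLIENT-HELLO or a TLS-record ClientHello."""
    if len(data) < 5:
        raise ValueError("too short to be a hello")
    if data[0] & 0x80:
        # SSLv2 record: 2-byte header, high bit set, 15-bit body length.
        length = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + length]
        # CLIENT-HELLO: type(1) version(2) cipher_len(2) sid_len(2) challenge_len(2)
        if len(body) != length or len(body) < 9 or body[0] != 0x01:
            raise ValueError("not an SSLv2 CLIENT-HELLO")
        cs_len = int.from_bytes(body[3:5], "big")
        sid_len = int.from_bytes(body[5:7], "big")
        ch_len = int.from_bytes(body[7:9], "big")
        if len(body) != 9 + cs_len + sid_len + ch_len or cs_len % 3:
            raise ValueError("malformed SSLv2 CLIENT-HELLO")
        specs = body[9:9 + cs_len]  # 3-byte cipher specs
        suites = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, cs_len, 3)]
        return HelloInfo("sslv2-hello", (body[1], body[2]), suites)
    if data[0] == 0x16:
        # TLS record: type(1) version(2) length(2), then a Handshake message.
        rec_len = int.from_bytes(data[3:5], "big")
        hs = data[5:5 + rec_len]
        if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
            raise ValueError("not a TLS ClientHello")
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len or len(body) < 37:
            raise ValueError("malformed TLS ClientHello")
        version = (body[0], body[1])
        pos = 2 + 32                     # skip client_random
        pos += 1 + body[pos]             # skip session_id
        cs_len = int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        specs = body[pos:pos + cs_len]   # 2-byte cipher suites
        if len(specs) != cs_len or cs_len % 2:
            raise ValueError("malformed cipher_suites")
        suites = [int.from_bytes(specs[i:i + 2], "big") for i in range(0, cs_len, 2)]
        return HelloInfo("tls-record", version, suites)
    raise ValueError("unrecognised hello framing")


def choose_protocol(info, accept_sslv2_hello=False, enabled=DEFAULT_ENABLED):
    """Simplified policy: the SSLv2-hello switch only decides whether the legacy
    framing is accepted; the version negotiated must still be in `enabled`.
    Returns the protocol name, or None if the handshake would be rejected."""
    if info.framing == "sslv2-hello" and not accept_sslv2_hello:
        return None
    candidates = [v for v, name in VERSION_NAMES.items()
                  if name in enabled and v <= info.client_version]
    return VERSION_NAMES[max(candidates)] if candidates else None


# --- constructed sample hellos (not captured from any real client) ---
def _sslv2_hello(version: bytes, specs: bytes, challenge: bytes) -> bytes:
    body = (b"\x01" + version + len(specs).to_bytes(2, "big") + b"\x00\x00"
            + len(challenge).to_bytes(2, "big") + specs + challenge)
    return bytes([0x80 | (len(body) >> 8), len(body) & 0xFF]) + body


def _tls_hello(version: bytes, suites: bytes) -> bytes:
    body = (version + b"\x22" * 32 + b"\x00"
            + len(suites).to_bytes(2, "big") + suites + b"\x01\x00")
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


# SSLv2 framing, but offering TLS 1.2 and TLS-era AES suites (0x002F, 0x0035)
SSLV2_WRAPPED_TLS12 = _sslv2_hello(b"\x03\x03", b"\x00\x00\x2f\x00\x00\x35", b"\x11" * 16)
# A genuine SSLv2-only client: version 0.2 and the SSL2 RC4_128_WITH_MD5 spec
SSLV2_ONLY = _sslv2_hello(b"\x00\x02", b"\x01\x00\x80", b"\x11" * 16)
# Plain TLS record framing offering TLS 1.2 with the same AES suites
TLS_RECORD_TLS12 = _tls_hello(b"\x03\x03", b"\x00\x2f\x00\x35")

if __name__ == "__main__":
    samples = [("sslv2-wrapped", SSLV2_WRAPPED_TLS12),
               ("sslv2-only", SSLV2_ONLY), ("tls-record", TLS_RECORD_TLS12)]
    for name, raw in samples:
        info = parse_client_hello(raw)
        print(name, info.framing, VERSION_NAMES.get(info.client_version),
              "| strict:", choose_protocol(info),
              "| accept SSLv2 hello:", choose_protocol(info, True))
```

Run as a script, the strict policy rejects the SSLv2-wrapped hello even though it offers TLSv1.2, while the lenient policy negotiates TLSv1.2 for it and still rejects the SSLv2-only client, because no SSLv2 or SSLv3 version is in the enabled list.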




Simon Waters
July 20, 2015, 12:33 PM

Apologies for revisiting an old topic.

Clients requesting SSLv2 violated RFCs 6120 (XMPP: Core) and 6176 (Prohibiting SSLv2; no, really, there is a whole RFC prohibiting the use of SSLv2).

Were the bugs reported to the client software projects (yes, I know most of them are long dead)?

April 27, 2015, 5:13 AM

Is this the proper fix for this issue?
+ // ... but accept a SSLv2 Hello on the server
+ filter.setEnabledProtocols(new String[]{"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"});
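Review bot: the protocol list passed to `filter.setEnabledProtocols(...)` is hard-coded, so an operator who does not want the legacy SSLv2-format hello accepted has no way to turn it off without a rebuild; read the list from a configuration property instead, keep "TLSv1", "TLSv1.1", "TLSv1.2" as the default, and let deployments that must serve old clients add "SSLv2Hello" explicitly. The `// ... but accept a SSLv2 Hello on the server` comment would also be clearer if it said that this entry only changes which hello framing is accepted, since the remaining entries still limit the negotiated protocol to TLSv1 and later.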

If I got it right, some Psi clients have problems connecting while the server connections are fine, so this fix wouldn't help. I'd prefer system properties to modify the supported protocols if needed, and to keep the current default as is ("TLSv1", "TLSv1.1", "TLSv1.2"), as it makes no sense to re-enable support for POODLE.

April 25, 2015, 9:41 AM

I have added a link to a forum thread most probably related to it, though many other threads about Spark not being able to log in are probably related too. But Spark 2.7.0 works fine with Openfire 3.10.0, and I have TLS set as required and SSL disabled. Psi is also connecting fine for me (on a Windows box with self-signed certificates generated by Openfire).



Dave Cridland