I’m Googling, and finding plenty of info about configuring XMPP over TLS, but not a word about BOSH. Is that controlled by httpd? I can’t believe that simply turning on HTTP binding just magically works.

BOSH uses HTTP/S as a transport. You can secure the XMPP stream by using an https:// BOSH endpoint. Use the Openfire admin console to enable this connector (via port 7443 by default).

BOSH is enabled, but no process is listening on 7443. We can use unencrypted BOSH on 7070, but how would it be able to encrypt anything without a certificate and private key being specified? I’m not seeing any config for this.

Yes, you will need to install a certificate (or generate a self-signed cert) to use the secure BOSH connector. Check the /ssl-certificates.jsp page in your admin console.

I believe that typically a web server is used to proxy the BOSH traffic to Openfire. So your TLS connection can go to Apache and then Apache proxies it to Openfire. For Apache, I use a setting like so to proxy the traffic

ProxyPass /bosh http://openfire-bosh:5280/http-bind

I do have a certificate installed. It’s odd that the control panel doesn’t look like there’s a way to import the key… I’m going to try manually importing the key into the keystore and see if that helps.

I was able to generate a PKCS12 store, convert it to JKS, and import it into the Openfire keystore. 7443 is up and running now! But in Server Certificates, the status is “Pending Verification”. I have the CA that signed my cert and the root that signed it in truststore, and all are valid and working with Apache. What “verification” is Openfire looking for?