When doing client-to-server certificate based authentication and not sending the username in the stanza, OpenFire correctly uses the principal name from the client certificate as the username. But, when the principal name is not all lower case, OpenFire does not find the user and fails authentication. Since all JIDs are lowercase, the username should be set to the lowercase of the principle name.
The code involved starts at line 543 in the SASLAuthentication class:
if (username == null || username.length() == 0) {
// Still no username. Punt.
username = principal;
}
The assignment should be:
username = principal.toLowerCase();
-Pony