How to Set admin to use HTTPS only / Clients to use TLS

We need to be able to use HTTPS for the admin sessions using SHA2 certs.

We also need to force all client communications to be encrypted.

To connect to Admin Console with https use 9091 port. E.g. https://server:9091 Not sure about certificates. Self-signed work for me, i know that others use various other certificates. I don’t know is it possible to disable HTTP 9090 port.

You can set clients to use encryption on Server Settings > Client Connections page. Enable only 5222 port, then go to Advanced settings below it and set encryption to Required. You can also disable SSLv3 and only leave TLS protocols enabled, so it be more secure. There is also an option to enable/disable individual ciphers, but i haven’t tried that.

I had that configured already, but I am not sure how to change the ciphers or the SSL cert that the service uses.

I checked that option in the client connections, is there a way to tell if your clients are connecting via TLS?

I’m using self-signed certificates generated by Openfire itself. Not sure whether they are SHA2 or not or how to check that. I don’t know either how to check or change ciphers for Admin Console.

I don’t know how to see what exactly client is using, SSL or TLS. To see if the connection is encrypted some clients show this (Spark shows a little lock icon on the bottom of its roster window). Openfire shows the same lock symbol next to a session on the Sessions page in Admin Console when connection is encrypted. If you go to Advanced settings for 5222 port on Client Connections page at the bottom there is ciphers suite part. I suppose you should move unwanted ciphers from the Enabled to the Supported box.

I am still not seeing how to disable HTTP admin login on the server itself. Is there a way to disable HTTP admin sessions completely ?

in openfire.xml, change port 9090 to -1

restart openfire.

Thank you! That did it.