
How to XMPP Cleartext Authentication

Hello,
Could someone help me fix the Nessus scan vulnerability "XMPP Cleartext Authentication"?

Openfire server version 4.1.6

I have Nessus set up at work, so I'll check this out when I get in today. Likely you'll need to change your SASL mech and disable "plain", but this could break things if your backend authentication doesn't support any of the other mechs. Also, you should be following typical best practices: disable HTTP on the web console, enforce encrypted connections, etc.


It would be great if you could somehow assist me with what I need to reconfigure to get a positive result. Strange that the Openfire documentation is not so straightforward… I have it set up to use Active Directory authentication.

Yep… this alert is raised due to using a plain SASL mech, which makes sense. This is why it's important to ensure your transport is secured. AD is limited in the SASL mechs it supports. Also, since you are using the PLAIN auth mech, you'll want to be sure your connection from Openfire to LDAP is secured using LDAPS. This may require some additional configuration on your part.

@speedy could you please help me with the configuration? What do I need to change?

AD only supports a few SASL mechs, so there isn't much you can change other than enabling LDAPS, and then requiring secure connections by the XMPP clients.
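The two replies above boil down to one observable fact: the scanner connects to port 5222, reads the `<stream:features>` the server sends before STARTTLS, and reports the finding when a cleartext SASL mechanism (PLAIN) is advertised while TLS is still optional. The script below is an added example, not part of this thread or of the Openfire project: it reproduces that check against two constructed feature sets (the exposed pattern and the "TLS required" pattern you get after requiring secure client connections), and can also probe a live server. The function names, the sample XML and the argument handling are this example's own; the XML namespaces are the standard RFC 6120 ones.

```python
"""Added example: reproduce the check behind the "XMPP Cleartext Authentication"
finding by inspecting the <stream:features> an XMPP server sends before STARTTLS.
Function names and the two sample feature sets are constructed for this
illustration; the namespaces are the standard RFC 6120 ones."""
import socket
import sys
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}  # the password itself crosses the wire

# Constructed sample: TLS offered but optional, PLAIN advertised pre-TLS.
# This is the pattern the scanner flags.
EXPOSED = f"""<stream:features xmlns:stream="{NS_STREAM}">
  <starttls xmlns="{NS_TLS}"/>
  <mechanisms xmlns="{NS_SASL}">
    <mechanism>PLAIN</mechanism>
    <mechanism>SCRAM-SHA-1</mechanism>
  </mechanisms>
</stream:features>"""

# Constructed sample: TLS required, so no authentication can happen in the
# clear regardless of which SASL mechs the AD backend limits you to.
HARDENED = f"""<stream:features xmlns:stream="{NS_STREAM}">
  <starttls xmlns="{NS_TLS}"><required/></starttls>
</stream:features>"""


def analyse_features(features_xml: str) -> dict:
    """Classify a pre-TLS <stream:features> fragment.

    Cleartext auth is exposed when a cleartext SASL mechanism is advertised
    and TLS is merely optional: a client may send its password before (or
    without) STARTTLS, which is exactly what the finding reports.
    """
    # Wrap in a stub root so the stream: prefix resolves even when the
    # fragment was cut out of a live stream without its <stream:stream> header.
    doc = ET.fromstring(f'<x xmlns:stream="{NS_STREAM}">{features_xml}</x>')
    feats = doc.find(f"{{{NS_STREAM}}}features")
    if feats is None:
        raise ValueError("no <stream:features> element in input")

    starttls = feats.find(f"{{{NS_TLS}}}starttls")
    tls_offered = starttls is not None
    tls_required = tls_offered and starttls.find(f"{{{NS_TLS}}}required") is not None
    mechs = [
        (m.text or "").strip().upper()
        for m in feats.iterfind(f"{{{NS_SASL}}}mechanisms/{{{NS_SASL}}}mechanism")
    ]
    exposed = (not tls_required) and any(m in CLEARTEXT_MECHS for m in mechs)
    return {
        "starttls_offered": tls_offered,
        "starttls_required": tls_required,
        "mechanisms": mechs,
        "cleartext_auth_exposed": exposed,
    }


def fetch_features(host: str, port: int = 5222, to: str = None, timeout: float = 5.0) -> str:
    """Open a plain TCP stream, send the client stream header, and return the
    raw <stream:features> fragment the server answers with. `to` must be the
    server's XMPP domain; it defaults to the host name."""
    to = to or host
    opener = (f'<?xml version="1.0"?><stream:stream to="{to}" xmlns="jabber:client" '
              f'xmlns:stream="{NS_STREAM}" version="1.0">')
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(opener.encode())
        while b"</stream:features>" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
        sock.sendall(b"</stream:stream>")
    text = buf.decode(errors="replace")
    start = text.find("<stream:features")
    end = text.find("</stream:features>")
    if start < 0 or end < 0:
        raise ValueError("server did not send <stream:features>")
    return text[start:end + len("</stream:features>")]


if __name__ == "__main__":
    # Usage: python xmpp_cleartext_check.py [host [port]]; with no arguments
    # the constructed EXPOSED sample is analysed instead of a live server.
    if len(sys.argv) > 1:
        fragment = fetch_features(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 5222)
    else:
        fragment = EXPOSED
    for key, value in analyse_features(fragment).items():
        print(f"{key}: {value}")
```

Run it against the server before and after requiring TLS on client connections: the finding should move from `cleartext_auth_exposed: True` to `False` once `<starttls>` carries `<required/>`, even though PLAIN itself is still the mechanism used toward AD (it is then sent only inside the TLS session). The LDAPS part of the advice is separate and is not visible from the client side; it protects the second hop, Openfire to the domain controller.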

Is there any way to completely remove the default non-secure port (:9090) on the admin console?
I have removed the server property adminConsole.port and commented out the 9090 line in the config file openfire.xml, but the admin console is still available on port 9090…