Openfire 4.8.0 Released!

The Ignite Realtime community is happy to be able to announce the immediate availability of version 4.8.0 of Openfire, its cross-platform real-time collaboration server based on the XMPP protocol!

This is the first major release of Openfire in about two years, and that shows: 199 tickets have been closed against this release! As a fun fact: the oldest of these issues was raised in 2015, the youngest: three days ago. Some of the highlights in this release include the following changes:

Replaced Apache MINA with Netty

Some 18 years ago, Openfire - then called Wildfire - started using a new Java feature: non-blocking IO. It vastly improved the performance of Openfire’s network processing. Ever since, the Apache MINA project has been the backbone of our network IO. MINA has served us well, but has also been showing its age. We’ve repeatedly suffered from issues with its application in Openfire over the past years.

Considering alternatives, we have found the Netty project. Both projects share important characteristics, for example in architecture and licensing. The general consensus when comparing the two projects appears to favor Netty. In this release of Openfire, we have replaced Apache MINA with Netty.

Although we’ve not performed explicit stress testing, initial feedback indicates that Openfire’s performance has improved with this change. This is not to say that Netty is faster than MINA - while migrating, we’ve revisited certain design choices that will have contributed to performance gains.

Importantly, and a direct motivation for the migration, Openfire no longer suffers from known issues with TLSv1.3, the current version of the cryptographic protocol that provides security, including privacy (confidentiality), integrity, and authenticity to almost all of Openfire’s network communications.

The replacement of MINA is one of the larger changes that have been applied to Openfire in recent years!

Improved hardening

Last year, an important vulnerability was disclosed (read more about that in CVE-2023-32315 Admin Console Auth Bypass). At the time, we made available new releases for the 4.6 and 4.7 branches of Openfire that addressed this issue. In today’s release, additional steps have been taken to further harden against this, and similar issues.

Firstly, the third-party library that introduced an important characteristic that affected this vulnerability has been upgraded, removing the attack vector that was exploited in the first place. Also, starting with Openfire 4.8.0, the admin console web interface will, by default, only bind to the local network interface. This should make it accessible only on the server that it is installed on (pre-existing configuration options can be used to change this behavior as desired).

Other changes, such as the introduction of Content Security Policy (CSP) headers to web endpoints, further improve security of Openfire.
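To confirm the loopback-only admin console default described above on a Linux host, the following added example (not part of Openfire or of this announcement) parses `ss -H -ltn` output and reports admin console listeners bound to anything other than loopback. The ports 9090 and 9091 (Openfire's usual admin console defaults) and the sample output are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: Openfire's default admin console ports (HTTP and HTTPS).
ADMIN_PORTS = {9090, 9091}

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 50 [::ffff:127.0.0.1]:9090 *:*
LISTEN 0 50 *:9091 *:*
LISTEN 0 50 *:5222 *:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
"""


def split_local(field):
    """Split the 'Local Address:Port' column into (host, port)."""
    host, _, port = field.rpartition(":")
    host = host.strip("[]").split("%", 1)[0]  # drop brackets and %iface scope
    return host, int(port)


def is_loopback(host):
    """True only for loopback addresses, including IPv4-mapped IPv6 forms."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:          # '*' (wildcard) or anything unparsable
        return False
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:      # e.g. ::ffff:127.0.0.1, common for Java sockets
        addr = mapped
    return addr.is_loopback


def exposed_admin_listeners(ss_output, ports=ADMIN_PORTS):
    """Return (host, port) for admin-port listeners not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue            # skips header lines and non-listening sockets
        host, port = split_local(cols[3])
        if port in ports and not is_loopback(host):
            findings.append((host, port))
    return findings


if __name__ == "__main__":
    for host, port in exposed_admin_listeners(SAMPLE_SS):
        print(f"admin console port {port} is reachable via {host}")
```

On a live host, feed it the real output of `ss -H -ltn` instead of `SAMPLE_SS`; an empty result means both admin ports are loopback-only or not listening.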

Updated documentation

Openfire’s documentation, which ships with the installers but is also available in the ‘documentation’ section of our website, has seen a major overhaul. Apart from basic server administration, Openfire’s documentation contains a wealth of information, including guides on:

  • Active Directory / LDAP support, for easy integration of your organisation’s user and group directory with Openfire;
  • Scaling and load balancing guides for Openfire and the database server that it uses;
  • Developer information on how to write custom authentication, user, group and contact list integrations;
  • Using a large number of different third-party projects, in as many different programming languages, to create applications that can connect (as a client) to Openfire;

… and, as they say, much, much more.

Updated minimum Java version to 11

Up until this release, Openfire’s minimum Java requirement was Java 8. In Openfire 4.8.0, Java 8 support has been dropped. We have moved to the next Java LTS release, being Java 11.

Note that this will drop support for versions of Oracle Java that used Oracle’s older (more permissive) software license.

The list of changes that have gone into the Openfire 4.8.0 release goes on for quite a while. Please review the change log for all of the details.

Interested in getting started? You can download installers of Openfire here. Our documentation contains an upgrade guide that helps you update from an older version.

The integrity of these artifacts can be checked with the following sha256sum values:

We would love to hear from you! If you have any questions, please stop by our community forum or our live groupchat. We are always looking for volunteers interested in helping out with Openfire development!

For other release announcements and news follow us on Mastodon or X.

Guus, Dele, Dan and all contributors to Openfire: CONGRATS for a terrific job done for this new 4.8.0 release.