The Ignite Realtime community is happy to be able to announce the immediate availability of version 4.8.0 of Openfire, its cross-platform real-time collaboration server based on the XMPP protocol!
This is the first major release of Openfire in about two years, and that shows: 199 tickets have been closed against this release! As a fun fact: the oldest of these issues was raised in 2015, the youngest: three days ago. Some of the highlights in this release include the following changes:
Replaced Apache MINA with Netty
Some 18 years ago, Openfire - then called Wildfire - started using a new Java feature: non-blocking IO. It vastly improved the performance of Openfire’s network processing. Ever since, the Apache MINA project has been the backbone of our network IO. MINA has served us well, but has also been showing its age. We’ve repeatedly suffered from issues with its application in Openfire over the past years.
Considering alternatives, we have found the Netty project. Both projects share important characteristics, for example in architecture and licensing. The general consensus when comparing the two projects appears to favor Netty. In this release of Openfire, we have replaced Apache MINA with Netty.
Although we’ve not performed explicit stress testing, initial feedback indicates that Openfire’s performance has improved with this change. This is not to say that Netty is faster than MINA - while migrating, we’ve revisited certain design choices that will have contributed to performance gains.
Importantly, and a direct motivation for the migration, Openfire no longer suffers from known issues with TLSv1.3, the current version of the cryptographic protocol that provides security, including privacy (confidentiality), integrity, and authenticity to almost all of Openfire’s network communications.
The replacement of MINA is one of the larger changes that has been applied to Openfire in recent years!
Last year, an important vulnerability was disclosed (read more about that in CVE-2023-32315 Admin Console Auth Bypass). At the time, we made available new releases for the 4.6 and 4.7 branches of Openfire that addressed this issue. In today’s release, additional steps have been taken to further harden Openfire against this and similar issues.
Firstly, the third-party library that introduced an important characteristic that affected this vulnerability has been upgraded, removing the attack vector that was exploited in the first place. Also, starting with Openfire 4.8.0, the admin console web interface will, by default, only bind to the local network interface. This should make it accessible only on the server that it is installed on (pre-existing configuration options can be used to change this behavior as desired).
Other changes, such as the introduction of Content Security Policy (CSP) headers to web endpoints, further improve security of Openfire.
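One way to check the admin console binding described above on a running server, as an added example that is not code from the Openfire project: it parses `ss -ltn` listener output and reports admin console ports bound to anything other than a loopback address. The port numbers 9090 and 9091 and both sample outputs are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: 9090 (HTTP) and 9091 (HTTPS) are the admin console ports;
# adjust if your installation uses different ones.
ADMIN_PORTS = {9090, 9091}

# Constructed samples of `ss -ltn` output, not captured from a real host.
SAMPLE_LOCAL_ONLY = """\
State  Recv-Q Send-Q Local Address:Port      Peer Address:Port
LISTEN 0      50     127.0.0.1:9090          0.0.0.0:*
LISTEN 0      50     [::ffff:127.0.0.1]:9091 *:*
LISTEN 0      50     *:5222                  *:*
"""
SAMPLE_EXPOSED = """\
State  Recv-Q Send-Q Local Address:Port      Peer Address:Port
LISTEN 0      50     *:9090                  *:*
LISTEN 0      50     0.0.0.0:9091            0.0.0.0:*
"""

def split_local(field):
    """Split an ss 'Local Address:Port' field into (host, port_text)."""
    host, _, port = field.rpartition(":")
    # Drop an interface scope (%lo) first, then IPv6 brackets.
    return host.split("%", 1)[0].strip("[]"), port

def is_loopback(host):
    """True only for loopback addresses; wildcard binds count as exposed."""
    if host in ("*", ""):
        return False
    addr = ipaddress.ip_address(host)
    mapped = getattr(addr, "ipv4_mapped", None)  # e.g. ::ffff:127.0.0.1
    return (mapped or addr).is_loopback

def exposed_admin_listeners(ss_output, ports=ADMIN_PORTS):
    """Return (host, port) for admin console listeners not on loopback."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue  # skip the header and non-listening sockets
        host, port = split_local(cols[3])
        if port.isdigit() and int(port) in ports and not is_loopback(host):
            findings.append((host, int(port)))
    return findings

if __name__ == "__main__":
    for name, sample in (("local-only", SAMPLE_LOCAL_ONLY), ("exposed", SAMPLE_EXPOSED)):
        print(name, exposed_admin_listeners(sample))
```

On a live host, pass the text output of `ss -ltn` to `exposed_admin_listeners` in place of the constructed samples.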
Openfire’s documentation, which ships with the installers, but is also available at the ‘documentation’ section of our website, has seen a major overhaul. Apart from basic server administration, Openfire’s documentation contains a wealth of information, including guides on:
- Active Directory / LDAP support, for easy integration of your organisation’s user and group directory with Openfire;
- Scaling and load balancing guides for Openfire and the database server that it uses;
- Developer information on how to write custom authentication, user, group and contact list integrations;
- Using a large number of different third-party projects, in as many different programming languages, to create applications that can connect (as a client) to Openfire;
… and, as they say, much, much more.
Updated minimum Java version to 11.
Up until this release, Openfire’s minimum Java requirement was Java 8. In Openfire 4.8.0, Java 8 support has been dropped. We have moved to the next Java LTS release, being Java 11.
Note that this will drop support for versions of Oracle Java that used Oracle’s older (more permissive) software license.
The list of changes that have gone into the Openfire 4.8.0 release goes on for quite a while. Please review the change log for all of the details.
The integrity of these artifacts can be checked with the following
We would love to hear from you! If you have any questions, please stop by our community forum or our live groupchat. We are always looking for volunteers interested in helping out with Openfire development!