I’m trying to set up c2s SSL encryption, but I cannot get it or any client to connect to Openfire 3.9.1 using the default ports. I can connect after going to “advanced settings” and changing to “Use Old-Style SSL” and port 5223. Is this supposed to work in the “New Style”? I have failed at finding any documentation on c2s encryption except for some posts about this not working with “new style”. How long will “Old Style” exist?
What client are you using to connect to Openfire?
There is a known issue with some clients not accepting the default self-signed certificates that are created during Openfire setup. If you haven’t installed a public cert (not at all an intuitive process) then you’re probably running those self-signed certs. The problem with some clients is that they don’t give you the opportunity to accept the self-signed cert, but instead just fail. One client that fails because of this is Gnome’s Empathy. Pidgin and Spark, on the other hand, will prompt for you to accept the self-signed cert. The latest version of Trillian won’t give you that option when configured for TLS over port 5222, but will when using SSL over port 5223.
The “old style” SSL reference is an acknowledgement that SSL over port 5223 never made it into the official XMPP standard (RFC-6120, etc). It was something Google and others implemented based on early drafts. The latest RFC requires that all clients and servers be able to connect using TLS over 5222, and warns against using SSL due to security concerns (particularly SSL v2.0). See http://xmpp.org/xmpp-protocols/rfcs/ for the basic standards documents that govern this stuff.
How long SSL over 5223 will be supported by clients and servers is really up to the developers at this point. There are enough older installations in place that it makes sense to continue offering it as a communications option, although this probably causes heartburn to security officers everywhere.
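To check which of the two behaviours the answer describes a given server actually exhibits on the standard 5222 port, here is an added example (not from this thread and not Openfire's own code): it opens an XMPP stream, reads the `<stream:features>` to see whether STARTTLS is offered or required, negotiates it, and reports whether the certificate verifies or is rejected the way a client like Empathy would reject Openfire's setup-time self-signed cert. The host, XMPP domain and optional `cafile` are assumptions supplied by the caller; the legacy 5223 port is not probed.

```python
import socket
import ssl
import xml.etree.ElementTree as ET

STREAM_NS = "http://etherx.jabber.org/streams"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"

def parse_starttls_offer(raw):
    """From raw server output, report whether <stream:features> offers STARTTLS and marks it <required/>."""
    start, end = raw.find("<stream:features"), raw.find("</stream:features>")
    if start < 0 or end < 0:
        return {"offered": False, "required": False}
    wrapped = f"<s xmlns:stream='{STREAM_NS}'>{raw[start:end + 18]}</s>"
    tls = ET.fromstring(wrapped).find(f"{{{STREAM_NS}}}features/{{{TLS_NS}}}starttls")
    return {"offered": tls is not None,
            "required": tls is not None and tls.find(f"{{{TLS_NS}}}required") is not None}

def is_self_signed(peercert):
    """True when subject equals issuer in an ssl.SSLSocket.getpeercert() dict."""
    return bool(peercert) and peercert.get("subject") == peercert.get("issuer")

def read_until(sock, marker, limit=65536):
    """Read from the raw socket until marker arrives; a socket timeout propagates."""
    buf = b""
    while marker not in buf and len(buf) < limit:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.decode(errors="replace")

def probe_starttls(host, domain, port=5222, cafile=None, timeout=5):
    """Open an XMPP stream on 5222, negotiate STARTTLS and verify the certificate;
    cafile is a PEM of the signing CA (or of the exported self-signed cert) to trust."""
    ctx = ssl.create_default_context(cafile=cafile)  # chain + host name verification
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall((f"<?xml version='1.0'?><stream:stream to='{domain}' version='1.0' "
                     f"xmlns='jabber:client' xmlns:stream='{STREAM_NS}'>").encode())
        offer = parse_starttls_offer(read_until(raw, b"</stream:features>"))
        if not offer["offered"]:
            return {"starttls": offer, "tls": "not offered on this port"}
        raw.sendall(f"<starttls xmlns='{TLS_NS}'/>".encode())
        if "<proceed" not in read_until(raw, b"/>"):
            return {"starttls": offer, "tls": "server refused STARTTLS"}
        try:
            with ctx.wrap_socket(raw, server_hostname=domain) as tls:
                cert = tls.getpeercert()
                return {"starttls": offer, "tls": tls.version(), "self_signed": is_self_signed(cert)}
        except ssl.SSLCertVerificationError as e:  # e.g. Openfire's setup-time self-signed cert
            return {"starttls": offer, "tls": f"verification failed: {e.verify_message}"}
```

Run it as `probe_starttls("your.openfire.host", "your.xmpp.domain")`; pass `cafile=` with the exported server certificate to confirm that the only problem is trust in a self-signed cert rather than a broken TLS setup.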