Require secure connection to Openfire

So I plan to allow our internal Openfire server to be accessible from the internet. I have disabled user registration and forced SSL connectivity for clients… However, I notice that the only port required to connect from outside our firewall is 5222, which is supposed to be the non-SSL connection. When I view connected sessions within the Openfire console I notice the little padlock next to status, but how can I verify the traffic and authentication is SSL encrypted? What is the difference between forcing SSL client connectivity and the encryption option within a specific chat session initiated by the end user?


Adam Tyler

5222 is used for both non-SSL and SSL connections. If you see a padlock symbol in Spark or on the Sessions page in Admin Console, this means that this client/connection is using SSL. If you want to be SURE, try sniffing the traffic between this client and the server and make sure you can't read anything. The encryption option in the chat window is OTR (off-the-record). This is a built-in client-only option, which lets a user turn this on, and if both sides have this turned on, then the conversation is encrypted and can't be recorded by a third party or on the server.

Thanks for your reply. Very helpful. So when making your Openfire accessible from the web via SSL, do you have to open 5222 and 5223 on your firewall or just 5222?

Just 5222.
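A more direct check than sniffing, added here as example code that is not part of the thread: on 5222 an XMPP client starts in plaintext and upgrades with STARTTLS, so a server that really forces encryption must advertise `<starttls>` with `<required/>` and offer no SASL login mechanisms before the upgrade (5223 is only the legacy direct-TLS port). The `host` and `domain` arguments, and the sample feature replies, are assumptions for this example.

```python
"""Check whether an XMPP server on 5222 requires STARTTLS before authentication."""
import re
import socket
import ssl

# Constructed <stream:features> replies (not captured from a real server). A server
# that forces encryption sends the first form: <required/> and no SASL mechanisms.
SAMPLE_REQUIRED = ("<stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>"
                   "<required/></starttls></stream:features>")
SAMPLE_OPTIONAL = ("<stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"
                   "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
                   "<mechanism>PLAIN</mechanism></mechanisms></stream:features>")

def open_stream_header(domain: str) -> bytes:
    """Client stream header (RFC 6120) that makes the server list its features."""
    return ("<?xml version='1.0'?>"
            f"<stream:stream to='{domain}' xmlns='jabber:client' "
            "xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>").encode()

def classify_starttls(features_xml: str) -> str:
    """Return 'required', 'optional' or 'absent' for a <stream:features> blob."""
    m = re.search(r"<starttls\b[^>]*?/>|<starttls\b[^>]*>(.*?)</starttls>", features_xml, re.S)
    if not m:
        return "absent"
    return "required" if re.search(r"<required\s*/>", m.group(1) or "") else "optional"

def plaintext_auth_offered(features_xml: str) -> bool:
    """True if SASL mechanisms are advertised on the unencrypted stream."""
    return "<mechanisms" in features_xml

def probe(host: str, domain: str, port: int = 5222, timeout: float = 5.0) -> dict:
    """Connect in the clear, read the features, then attempt the STARTTLS upgrade."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(open_stream_header(domain))
        buf = b""
        while b"</stream:features>" not in buf and (chunk := sock.recv(4096)):
            buf += chunk
        text = buf.decode(errors="replace")
        result = {"starttls": classify_starttls(text),
                  "plaintext_auth_offered": plaintext_auth_offered(text)}
        if result["starttls"] != "absent":
            sock.sendall(b"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>")
            if b"<proceed" in sock.recv(4096):
                # The default context verifies the certificate chain and hostname; a
                # verification error here is itself a finding worth fixing, not bypassing.
                with ssl.create_default_context().wrap_socket(sock, server_hostname=domain) as tls:
                    result["tls"] = (tls.version(), tls.cipher()[0])
        return result
```

Run `probe("xmpp.example.org", "example.org")` against your own server: the expected result for a correctly forced deployment is `starttls == "required"` with `plaintext_auth_offered == False`, and the TLS version and cipher actually negotiated.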