Security bug: openfire offers and negotiates SASL mechanisms over unencrypted connection

Even if the server property xmpp.client.tls.policy is set to required, Openfire will still advertise SASL mechanisms, including PLAIN, in the stream:features it sends on the unencrypted connection.

There appear to be several bugs here:

First, if TLS is required, OF should probably not offer SASL mechanisms at all until STARTTLS has been negotiated; the pre-TLS stream:features should carry only the starttls feature (with its required child).

Second, if the client nevertheless attempts SASL over the unencrypted connection (when TLS is required), OF should refuse to negotiate; in particular, it should not return success for a SASL PLAIN authentication attempt, since by then the password has already crossed the wire in the clear.

Third, OF probably shouldn’t be sending an empty stream:features tag, which leaves the client with nothing to negotiate. I would guess that the right thing to do would be to simply offer the starttls feature again, or possibly close the stream.

Opened issue JM-1192 for this.
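As an added example (not part of the original post, and not Openfire code), the following script audits the first stream:features a server sends on the cleartext client-to-server leg for the first and third problems above. It parses a captured features element and flags SASL mechanisms (PLAIN in particular) advertised alongside starttls, and an empty features element. The probe() helper, its host/port/domain parameters, and the three sample features fragments are constructed for illustration; the namespaces are the standard XMPP ones.

```python
import socket
import xml.etree.ElementTree as ET

NS_STREAMS = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"

# Constructed samples of what a server might send before STARTTLS (not captures).
BUGGY_FEATURES = """<stream:features>
  <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls>
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>PLAIN</mechanism>
    <mechanism>DIGEST-MD5</mechanism>
  </mechanisms>
</stream:features>"""
COMPLIANT_FEATURES = ('<stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls">'
                      '<required/></starttls></stream:features>')
EMPTY_FEATURES = "<stream:features/>"


def parse_features(fragment):
    """Parse a <stream:features> fragment and summarise what it advertises."""
    # Wrap the fragment so the stream: prefix is declared for the XML parser.
    wrapped = ('<stream:stream xmlns="jabber:client" xmlns:stream="%s">%s</stream:stream>'
               % (NS_STREAMS, fragment))
    root = ET.fromstring(wrapped)
    feats = root.find("{%s}features" % NS_STREAMS)
    if feats is None:
        raise ValueError("fragment contains no stream:features element")
    starttls = feats.find("{%s}starttls" % NS_TLS)
    mechs = [m.text.strip() for m in feats.iter("{%s}mechanism" % NS_SASL) if m.text]
    return {
        "empty": len(list(feats)) == 0,
        "starttls_offered": starttls is not None,
        "starttls_required": starttls is not None
        and starttls.find("{%s}required" % NS_TLS) is not None,
        "mechanisms": mechs,
    }


def audit_pre_tls_features(fragment):
    """Return a list of findings for features sent on the unencrypted leg."""
    f = parse_features(fragment)
    findings = []
    if f["empty"]:
        findings.append("empty stream:features before TLS: nothing left to negotiate")
        return findings
    if f["mechanisms"]:
        findings.append("SASL mechanisms advertised before STARTTLS: "
                        + ", ".join(f["mechanisms"]))
        if "PLAIN" in f["mechanisms"]:
            findings.append("PLAIN offered on cleartext: a client may send the "
                            "password unencrypted")
        if f["starttls_required"]:
            findings.append("starttls is marked <required/> yet SASL is offered "
                            "alongside it")
    return findings


def probe(host, port=5222, domain=None, timeout=5):
    """Open a cleartext c2s connection, send the stream header and return the
    raw <stream:features> the server answers with (hypothetical helper; needs
    network access, so it is not exercised by the offline samples above)."""
    domain = domain or host
    header = ('<?xml version="1.0"?><stream:stream to="%s" xmlns="jabber:client" '
              'xmlns:stream="%s" version="1.0">' % (domain, NS_STREAMS))
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(header.encode())
        buf = b""
        while b"</stream:features>" not in buf and b"<stream:features/>" not in buf:
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("server closed the stream before sending features")
            buf += chunk
        s.sendall(b"</stream:stream>")
    text = buf.decode("utf-8", "replace")
    start = text.index("<stream:features")
    if "</stream:features>" in text:
        end = text.index("</stream:features>") + len("</stream:features>")
    else:
        end = text.index("<stream:features/>") + len("<stream:features/>")
    return text[start:end]


if __name__ == "__main__":
    for name, frag in (("buggy", BUGGY_FEATURES), ("compliant", COMPLIANT_FEATURES),
                       ("empty", EMPTY_FEATURES)):
        print(name, audit_pre_tls_features(frag) or ["ok"])
    # Against a live server: print(audit_pre_tls_features(probe("xmpp.example.org")))
```

Running the audit on the buggy sample reports three findings; the compliant sample, which offers only starttls with required, reports none. Note that the script only looks at the advertised features; it deliberately does not attempt a PLAIN authentication over the cleartext connection, since doing so would itself expose a real credential.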