
Security question: "starttls required" ignored while authenticating

Hi everybody.

I have an OpenFire server with the “Client Connection Security” option under “Server Settings”/“Security Settings” set to “Required”.

In my understanding this forces the server to accept only TLS connections from the clients.

But if a client doesn’t send the starttls command, the server accepts unencrypted connections. This is the trace:

The client starts the connection:

SENT: <stream:stream xmlns:stream="http://etherx.jabber.org/streams" id="fc08c8ec" xmlns="jabber:client" to="numero5" version="1.0">

The server replies with required starttls:

RECV: <?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="numero5" id="7b311ecf" xml:lang="en" version="1.0"><stream:features>DIGEST-MD5</mechanism><mechanism>PLAIN</mechanism><mechanism>ANONYMOUS</mechanism><mechanism>CRAM-MD5</mechanism></stream:features>

The client ignores the starttls:

SENT:

The server authenticates the user:

RECV: cmVhbG09Im51bWVybzUiLG5vbmNlPSJvVGl5RitadFhOcHhBdU03TjhHeTB0SVFMYy9TcUZjOHc3MFM3VlZ0Iixxb3A9ImF1dGgiLGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1kNS1zZXNz

SENT: dXNlcm5hbWU9ImFkbWluIixyZWFsbT0ibnVtZXJvNSIsbm9uY2U9Im9UaXlGK1p0WE5weEF1TTdOOEd5MHRJUUxjL1NxRmM4dzcwUzdWVnQiLGNub25jZT0iMzgzNDMzM2E2MTY0NmQ2OTZlM2E2MTY0NmQ2OTZlIixuYz0wMDAwMDAwMSxxb3A9YXV0aCxkaWdlc3QtdXJpPSJ4bXBwL251bWVybzUiLHJlc3BvbnNlPTAxYTRlN2QzMWZhMDkzMjgxOTZlYjE1Y2ZhYjQwYmQzLGNoYXJzZXQ9dXRmLTg=

RECV: cnNwYXV0aD0xM2I1ZmRhN2MwYWVlMDYxNDI5ZTg4ZjdmNzQ1ZWRiNQ==

SENT: <stream:stream xmlns:stream="http://etherx.jabber.org/streams" id="190bb394" xmlns="jabber:client" to="numero5" version="1.0">

RECV: <?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="numero5" id="7b311ecf" xml:lang="en" version="1.0"><stream:features></stream:features>

Is there a way to force the server to accept only encrypted connections?

Thanks!
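Added example, not the poster's code and not part of Openfire: a small audit script an administrator can point at their own c2s port to check what the post describes. It connects without TLS, inspects the <stream:features> the server advertises on the cleartext stream, then skips <starttls/> and offers a bogus SASL PLAIN identity; a server that really requires TLS must refuse that before evaluating it (RFC 6120 allows a SASL <failure> with <encryption-required/> or a stream error), while a <challenge>, <success> or <not-authorized/> reply means SASL ran over the plaintext stream exactly as in the trace above. The same RFC (section 5.3.1) says a server for which TLS is mandatory-to-negotiate should not advertise any other feature, such as the SASL mechanism list, until TLS is up; the script flags that too. The sample greeting embedded in the script is constructed (the forum rendering stripped the starttls and mechanism tags from the trace, so they are put back in the standard shape); host, domain and port are whatever you pass on the command line.

```python
"""Audit whether an XMPP server really refuses SASL authentication over plaintext.

Added example for the thread above (not the poster's code, not part of Openfire).
Usage: python xmpp_starttls_audit.py <host> [<xmpp-domain>]
"""
import base64
import socket
import sys
import xml.etree.ElementTree as ET

STREAMS_NS = "http://etherx.jabber.org/streams"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"

STREAM_OPEN = ("<?xml version='1.0'?><stream:stream xmlns='jabber:client' "
               "xmlns:stream='{ns}' to='{domain}' version='1.0'>")

# Constructed sample greeting: the trace from the post with the tags the forum
# stripped put back (starttls marked required, SASL mechanisms offered anyway).
SAMPLE_GREETING = (
    "<?xml version='1.0' encoding='UTF-8'?>"
    f"<stream:stream xmlns:stream='{STREAMS_NS}' xmlns='jabber:client' "
    "from='numero5' id='7b311ecf' xml:lang='en' version='1.0'>"
    f"<stream:features><starttls xmlns='{TLS_NS}'><required/></starttls>"
    f"<mechanisms xmlns='{SASL_NS}'><mechanism>DIGEST-MD5</mechanism>"
    "<mechanism>PLAIN</mechanism><mechanism>ANONYMOUS</mechanism>"
    "<mechanism>CRAM-MD5</mechanism></mechanisms></stream:features>"
)


def extract_features(data: str):
    """Cut the <stream:features> element out of the server greeting, or None."""
    if "<stream:features/>" in data:
        return "<stream:features/>"
    start, end = data.find("<stream:features"), data.find("</stream:features>")
    if start < 0 or end < 0:
        return None
    return data[start:end + len("</stream:features>")]


def analyse_features(features_xml: str) -> dict:
    """Report what the server offers on the still-unencrypted stream."""
    # The stream prefix is declared on the stream header, not on the features
    # element, so wrap the fragment to hand ElementTree the declaration.
    root = ET.fromstring(f'<wrap xmlns:stream="{STREAMS_NS}">{features_xml}</wrap>')
    starttls = root.find(f".//{{{TLS_NS}}}starttls")
    required = starttls is not None and starttls.find(f"{{{TLS_NS}}}required") is not None
    mechanisms = [m.text.strip() for m in root.iter(f"{{{SASL_NS}}}mechanism") if m.text]
    findings = []
    if starttls is None:
        findings.append("STARTTLS is not offered at all")
    elif not required:
        findings.append("STARTTLS is offered but not marked <required/>")
    if mechanisms:
        # RFC 6120 section 5.3.1: with TLS mandatory-to-negotiate, the server
        # should advertise nothing but STARTTLS until TLS has been negotiated.
        findings.append("SASL mechanisms advertised before TLS: " + ", ".join(mechanisms))
    return {"starttls_offered": starttls is not None, "starttls_required": required,
            "mechanisms": mechanisms, "findings": findings}


def classify_auth_reply(reply: str) -> str:
    """Decide from the server's answer whether plaintext SASL was refused."""
    if "<encryption-required" in reply or "<stream:error" in reply:
        return "enforced"        # refused before looking at the credentials
    if "<challenge" in reply or "<success" in reply or "<not-authorized" in reply:
        return "not-enforced"    # the server ran SASL over the cleartext stream
    if not reply.strip() or "</stream:stream>" in reply:
        return "enforced"        # stream closed without any SASL exchange
    return "unknown"


def recv_until(sock: socket.socket, marker: str, limit: int = 65536) -> str:
    """Read until marker appears, the peer closes, or the socket times out."""
    buf = b""
    while marker.encode() not in buf and len(buf) < limit:
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += chunk
    return buf.decode("utf-8", "replace")


def audit(host: str, domain: str, port: int = 5222, timeout: float = 5.0) -> dict:
    """Connect in the clear, read the features, then try SASL without STARTTLS."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(STREAM_OPEN.format(ns=STREAMS_NS, domain=domain).encode())
        features = extract_features(recv_until(sock, "</stream:features>"))
        report = analyse_features(features) if features else {"findings": ["no stream features received"]}
        # Bogus PLAIN identity (constructed); a TLS-requiring server must reject
        # the attempt itself, not merely fail the credentials.
        plain = base64.b64encode(b"\0audit-probe\0not-a-real-password").decode()
        sock.sendall(f"<auth xmlns='{SASL_NS}' mechanism='PLAIN'>{plain}</auth>".encode())
        report["plaintext_auth"] = classify_auth_reply(recv_until(sock, "</"))
        return report


if __name__ == "__main__":
    target = sys.argv[1]
    for key, value in audit(target, sys.argv[2] if len(sys.argv) > 2 else target).items():
        print(f"{key}: {value}")
```

On a server configured as the post describes, the report lists the mechanisms as "advertised before TLS" and sets plaintext_auth to "not-enforced"; a server that actually honours the setting should show no mechanisms in the pre-TLS features and "enforced" for the probe. The probe never completes an authentication, so it is safe to run against your own server as a regression check after changing the setting.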