Vulnerability found on Openfire version 3.8.2 installed on a Windows Server 2008 R2 server
TLS 1.0 (and higher) and SSL 3.0 (and higher) are vulnerable to man-in-the-middle-style attacks.
The flaw is specific to the renegotiation phase within the protocol. An attacker can potentially inject arbitrary plaintext into an application's protocol stream. This action can lead to numerous results, including attacks on certificate authentication mechanisms. This issue affects multiple platforms/vendors/applications which use the affected protocols.
Several vendors have released httpd update packages. The OpenSSL Repository also contains an update for OpenSSL.
It should be noted that initial patches simply mitigate the problem by disabling renegotiation rather than solving the problem completely.
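An added defender-side check, not from the original post or the Openfire project: the complete fix for this renegotiation flaw is the RFC 5746 secure renegotiation indication, so a server that echoes the `renegotiation_info` extension in its ServerHello has been properly patched, while a server that does not echo it is either still affected or relying on the interim mitigation of disabling renegotiation (this probe cannot tell those two apart). It assumes a plain TLS listener to connect to (for example an Openfire legacy SSL port; host and port are hypothetical inputs) and builds the ClientHello by hand so the result does not depend on the local TLS library.

```python
import os
import socket
import struct

SCSV = b"\x00\xff"          # TLS_EMPTY_RENEGOTIATION_INFO_SCSV, RFC 5746 section 3.3
RENEG_INFO_EXT = 0xFF01     # renegotiation_info extension type, RFC 5746 section 3.2

def build_client_hello() -> bytes:
    # TLS 1.2 ClientHello carrying both the SCSV and an empty renegotiation_info extension
    suites = bytes.fromhex("c014c013009c0035002f") + SCSV   # a few common suites plus the SCSV
    ext = struct.pack("!HHB", RENEG_INFO_EXT, 1, 0)          # renegotiated_connection = <empty>
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"           # version, random, empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                    # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs # record type 22 = handshake

def server_hello_has_reneg_info(record: bytes) -> bool:
    # True if the first handshake message in this record is a ServerHello echoing renegotiation_info
    if len(record) < 5 or record[0] != 0x16:
        return False                               # alert (0x15) or not a handshake record
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x02:
        return False                               # not a ServerHello
    hs = hs[:4 + int.from_bytes(hs[1:4], "big")]   # bound by this message, not the whole record
    p = 4 + 2 + 32                                 # handshake header, server_version, random
    p += 1 + hs[p]                                 # session_id
    p += 2 + 1                                     # cipher_suite, compression_method
    if p + 2 > len(hs):
        return False                               # no extensions block at all
    end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        if etype == RENEG_INFO_EXT:
            return True
        p += 4 + elen
    return False

def probe(host: str, port: int, timeout: float = 5.0) -> bool:
    with socket.create_connection((host, port), timeout) as s, s.makefile("rb") as f:
        s.sendall(build_client_hello())
        head = f.read(5)                           # exactly one record: 5-byte header, then body
        if len(head) < 5:
            return False
        return server_hello_has_reneg_info(head + f.read(struct.unpack("!H", head[3:5])[0]))
```

Run `probe("<host>", 5223)` against the listener you want to check; a `False` result means the server did not advertise RFC 5746 support and should be treated as unpatched (or at best mitigated by having renegotiation disabled).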