I have the same question. This is what I see, which is OBVIOUSLY not an SSL encrypted string. It's an encoded or compressed string of some kind.
[truncated] \262\311M-.NLOU\310L\261U\362\362\21374QR(\251,H\265UJ\316H,\001\262\363m\225\2 14\214\222M\f\215\215\214t\323R\023\215uM\222\315-t\223R\r\322\200\3344\203d\203 \024\240@\262\211CIFf^6H\217^NbJA\261^r~\256\222\235MR~J\245]FjN\201
In my admin tool there IS NOT a padlock icon next to the user's session and so I know the connection is not SSL. Also, Openfire admin is set for “SSL Disabled” in the server properties.
In any case, my friend insists Openfire is making an SSL connection but I disagree. Does anyone understand the encoding of this protocol enough so that I can prove to my friend that this IS NOT SSL encrypted?
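
One way to check the question asked above, as an added example that is not part of the original post: test the captured bytes for TLS record framing, then try to inflate them. It assumes the payload is a DEFLATE stream of the kind XMPP stream compression (XEP-0138) produces; `POST_BYTES` is the start of the dump quoted in the post and the TLS record is constructed.

```python
import zlib

# First bytes of the dump quoted in the post (same octal escapes as shown there).
POST_BYTES = b"\262\311M-.NLOU\310L\261U"

TLS_TYPES = {20: "change_cipher_spec", 21: "alert",
             22: "handshake", 23: "application_data"}

def tls_records(buf):
    """Return [(type, length), ...] if buf is a run of well-framed TLS records, else []."""
    out, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 5:
            return []
        ctype, major, minor = buf[pos], buf[pos + 1], buf[pos + 2]
        length = int.from_bytes(buf[pos + 3:pos + 5], "big")
        # Every TLS record starts: type (20-23), version 0x03 0x00-0x04, 16-bit length.
        if ctype not in TLS_TYPES or major != 3 or minor > 4 or length > 2**14 + 2048:
            return []
        if pos + 5 + length > len(buf):
            return []  # strict: a record cut short by the capture is not accepted
        out.append((TLS_TYPES[ctype], length))
        pos += 5 + length
    return out

def try_inflate(buf):
    """Try zlib-wrapped, then raw DEFLATE; return whatever plaintext comes out."""
    for wbits in (zlib.MAX_WBITS, -zlib.MAX_WBITS):
        try:
            data = zlib.decompressobj(wbits).decompress(buf)
        except zlib.error:
            continue
        if data:
            return data
    return b""

def classify(buf):
    if tls_records(buf):
        return "tls"
    if try_inflate(buf):
        return "deflate"
    return "unknown"

if __name__ == "__main__":
    tls_sample = b"\x17\x03\x03\x00\x05" + b"\x00" * 5  # constructed TLS record
    for name, buf in (("constructed TLS", tls_sample), ("post", POST_BYTES)):
        print(name, classify(buf), try_inflate(buf))
```

Raw DEFLATE has no magic number, so judge a "deflate" result by the recovered plaintext: readable XMPP stanza text means the stream is compressed, not encrypted.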