diff --git a/xmppserver/src/main/java/org/jivesoftware/openfire/net/ClientTrustManager.java b/xmppserver/src/main/java/org/jivesoftware/openfire/net/ClientTrustManager.java
index 6a8a2e8296..b17a18c2c5 100644
--- a/xmppserver/src/main/java/org/jivesoftware/openfire/net/ClientTrustManager.java
+++ b/xmppserver/src/main/java/org/jivesoftware/openfire/net/ClientTrustManager.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008 Jive Software, 2017-2025 Ignite Realtime Foundation. All rights reserved.
+ * Copyright (C) 2004-2008 Jive Software, 2017-2026 Ignite Realtime Foundation. All rights reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -48,6 +48,9 @@
 import javax.net.ssl.X509TrustManager;
+import org.jivesoftware.openfire.XMPPServer;
+import org.jivesoftware.openfire.spi.ConnectionListener;
+import org.jivesoftware.openfire.spi.ConnectionType;
 import org.jivesoftware.util.CertificateManager;
 import org.jivesoftware.util.JiveGlobals;
 import org.slf4j.Logger;
@@ -62,7 +65,9 @@
  *
  * @author Gaston Dombiak
  * @author Jay Kline
+ * @deprecated Replaced by org.jivesoftware.openfire.keystore.OpenfireX509TrustManager
  */
+@Deprecated(forRemoval = true, since = "5.1.0") // Remove in or after Openfire 5.2.0
 public class ClientTrustManager implements X509TrustManager {
     private static final Logger Log = LoggerFactory.getLogger(ClientTrustManager.class);
@@ -170,6 +175,8 @@ public void checkClientTrusted(X509Certificate[] x509Certificates, String string
         loadCRL();
+        final ConnectionListener connectionListener = XMPPServer.getInstance().getConnectionManager().getListener(ConnectionType.SOCKET_C2S, false);
         boolean verify = JiveGlobals.getBooleanProperty("xmpp.client.certificate.verify", true);
         if (verify) {
             int nSize = x509Certificates.length;
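Review bot: The -170 hunk resolves the trust configuration from one hard-coded listener, `getListener(ConnectionType.SOCKET_C2S, false)`, and the same lookup recurs in the -335 hunk of this file, in the -86 hunk of ServerTrustManager and in the -135 hunk of ServerDialback. If the second argument selects the non-direct-TLS listener (that is how it reads, but it is inferred), client sessions arriving on the direct-TLS listener or on other client-oriented connection types are judged by the STARTTLS socket-c2s listener's settings rather than their own, whereas the replaced JiveGlobals reads were listener-agnostic. Because the class is deprecated in this same commit, stating the assumption may be enough: `// All client sessions are judged by the STARTTLS socket-c2s listener's settings; its fallback chain covers the legacy xmpp.client.* properties.` checkClientTrusted continues outside this hunk, and `connectionListener` is first dereferenced in the -251 hunk.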
@@ -251,7 +258,7 @@ public void checkClientTrusted(X509Certificate[] x509Certificates, String string
             }
         }
-        if (JiveGlobals.getBooleanProperty("xmpp.client.certificate.verify.validity", true)) {
+        if (connectionListener.verifyCertificateValidity()) {
             // For every certificate in the chain, verify that the certificate
             // is valid at the current time.
             Date date = new Date();
@@ -335,7 +342,8 @@ public void checkServerTrusted(X509Certificate[] x509Certificates, String string
     @Override
     public X509Certificate[] getAcceptedIssuers() {
-        if (JiveGlobals.getBooleanProperty("xmpp.client.certificate.accept-selfsigned", false)) {
+        final ConnectionListener connectionListener = XMPPServer.getInstance().getConnectionManager().getListener(ConnectionType.SOCKET_C2S, false);
+        if (connectionListener.acceptSelfSignedCertificates()) {
             // Answer an empty list since we accept any issuer
             return new X509Certificate[0];
         }
diff --git a/xmppserver/src/main/java/org/jivesoftware/openfire/net/ServerStanzaHandler.java b/xmppserver/src/main/java/org/jivesoftware/openfire/net/ServerStanzaHandler.java
index b2d57c48f2..ee91d22a1a 100644
--- a/xmppserver/src/main/java/org/jivesoftware/openfire/net/ServerStanzaHandler.java
+++ b/xmppserver/src/main/java/org/jivesoftware/openfire/net/ServerStanzaHandler.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2008 Jive Software, 2017-2023 Ignite Realtime Foundation. All rights reserved.
+ * Copyright (C) 2005-2008 Jive Software, 2017-2026 Ignite Realtime Foundation. All rights reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -134,9 +134,10 @@ void createSession(String serverName, XmlPullParser xpp, Connection connection)
     @Override
     void startTLS() throws Exception {
+        final boolean acceptSelfSignedCerts = connection.getConfiguration().isAcceptSelfSignedCertificates();
         boolean needed = JiveGlobals.getBooleanProperty(ConnectionSettings.Server.TLS_CERTIFICATE_VERIFY, true) && JiveGlobals.getBooleanProperty(ConnectionSettings.Server.TLS_CERTIFICATE_CHAIN_VERIFY, true) &&
-                !JiveGlobals.getBooleanProperty(ConnectionSettings.Server.TLS_ACCEPT_SELFSIGNED_CERTS, false);
+                !acceptSelfSignedCerts;
         //needed ? Connection.ClientAuth.needed : Connection.ClientAuth.wanted
         connection.startTLS(false, false);
     }
diff --git a/xmppserver/src/main/java/org/jivesoftware/openfire/net/ServerTrustManager.java b/xmppserver/src/main/java/org/jivesoftware/openfire/net/ServerTrustManager.java
index 6604222500..f4a0ea4623 100644
--- a/xmppserver/src/main/java/org/jivesoftware/openfire/net/ServerTrustManager.java
+++ b/xmppserver/src/main/java/org/jivesoftware/openfire/net/ServerTrustManager.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008 Jive Software, 2017-2025 Ignite Realtime Foundation. All rights reserved.
+ * Copyright (C) 2004-2008 Jive Software, 2017-2026 Ignite Realtime Foundation. All rights reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,8 +16,8 @@
 package org.jivesoftware.openfire.net;
-import org.jivesoftware.openfire.session.ConnectionSettings;
-import org.jivesoftware.util.JiveGlobals;
+import org.jivesoftware.openfire.XMPPServer;
+import org.jivesoftware.openfire.spi.ConnectionType;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
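Review bot: The new `acceptSelfSignedCerts` local in startTLS only feeds dead code: `needed` is referenced nowhere except the commented-out ternary below it, and `connection.startTLS(false, false)` passes constants regardless of its value. Either delete the `acceptSelfSignedCerts` and `needed` lines together with the commented-out expression, or say why they are kept, e.g. `// 'needed' is computed but deliberately not applied here; TLSStreamHandler evaluates the equivalent condition before calling setNeedClientAuth.` (that cross-reference matches the TLSStreamHandler -136 hunk in this commit). startTLS begins and ends within this hunk.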
@@ -36,7 +36,9 @@
  * certificates or certificates of unknown issuers and manually accept them.
  *
  * @author Gaston Dombiak
+ * @deprecated Replaced by org.jivesoftware.openfire.keystore.OpenfireX509TrustManager
  */
+@Deprecated(forRemoval = true, since = "5.1.0") // Remove in or after Openfire 5.2.0
 public class ServerTrustManager implements X509TrustManager {
     private static final Logger Log = LoggerFactory.getLogger(ServerTrustManager.class);
@@ -86,7 +88,8 @@ public void checkServerTrusted(X509Certificate[] x509Certificates, String string
     @Override
     public X509Certificate[] getAcceptedIssuers() {
-        if (JiveGlobals.getBooleanProperty(ConnectionSettings.Server.TLS_ACCEPT_SELFSIGNED_CERTS, false)) {
+        final boolean acceptSelfSignedCertificates = XMPPServer.getInstance().getConnectionManager().getListener(ConnectionType.SOCKET_S2S, false).acceptSelfSignedCertificates();
+        if (acceptSelfSignedCertificates) {
             // Answer an empty list since we accept any issuer
             return new X509Certificate[0];
         }
diff --git a/xmppserver/src/main/java/org/jivesoftware/openfire/net/TLSStreamHandler.java b/xmppserver/src/main/java/org/jivesoftware/openfire/net/TLSStreamHandler.java
index 73444b7fe4..edccd6951a 100644
--- a/xmppserver/src/main/java/org/jivesoftware/openfire/net/TLSStreamHandler.java
+++ b/xmppserver/src/main/java/org/jivesoftware/openfire/net/TLSStreamHandler.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2008 Jive Software, 2017-2022 Ignite Realtime Foundation. All rights reserved.
+ * Copyright (C) 2005-2008 Jive Software, 2017-2026 Ignite Realtime Foundation. All rights reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
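Review bot: The new `getAcceptedIssuers` body in the -86 hunk chains `XMPPServer.getInstance().getConnectionManager().getListener(ConnectionType.SOCKET_S2S, false).acceptSelfSignedCertificates()` with no null check, where the replaced `JiveGlobals` read could not fail; if the connection manager or that listener is not available at the moment a trust manager is consulted (startup ordering, or an outbound server connection that is not tied to an inbound listener — inferred, not visible here), a NullPointerException now escapes from a TrustManager method. A guarded form that keeps the old default would be `final ConnectionListener listener = XMPPServer.getInstance().getConnectionManager().getListener(ConnectionType.SOCKET_S2S, false);` followed by `if (listener != null && listener.acceptSelfSignedCertificates()) {`, which also needs an import of ConnectionListener alongside the two this hunk adds. In the -36 hunk, the `@deprecated` text names the replacement as plain text; `{@link org.jivesoftware.openfire.keystore.OpenfireX509TrustManager}` makes it navigable and lets javadoc verify the reference.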
@@ -136,8 +136,7 @@ else if (configuration.getClientAuth() == Connection.ClientAuth.needed) {
             // Only REQUIRE client authentication if we are fully verifying certificates
             if (JiveGlobals.getBooleanProperty(ConnectionSettings.Server.TLS_CERTIFICATE_VERIFY, true) && JiveGlobals.getBooleanProperty(ConnectionSettings.Server.TLS_CERTIFICATE_CHAIN_VERIFY, true) &&
-                !JiveGlobals
-                .getBooleanProperty(ConnectionSettings.Server.TLS_ACCEPT_SELFSIGNED_CERTS, false))
+                !configuration.isAcceptSelfSignedCertificates())
             {
                 tlsEngine.setNeedClientAuth(true);
             }
diff --git a/xmppserver/src/main/java/org/jivesoftware/openfire/server/ServerDialback.java b/xmppserver/src/main/java/org/jivesoftware/openfire/server/ServerDialback.java
index fd7c62adc1..f53a92a8b3 100644
--- a/xmppserver/src/main/java/org/jivesoftware/openfire/server/ServerDialback.java
+++ b/xmppserver/src/main/java/org/jivesoftware/openfire/server/ServerDialback.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2008 Jive Software, 2016-2025 Ignite Realtime Foundation. All rights reserved.
+ * Copyright (C) 2005-2008 Jive Software, 2016-2026 Ignite Realtime Foundation. All rights reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
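Review bot: The condition still reads `ConnectionSettings.Server.TLS_CERTIFICATE_VERIFY` and `TLS_CERTIFICATE_CHAIN_VERIFY`, and either one set to false suppresses `tlsEngine.setNeedClientAuth(true)`, yet the ConnectionSettings -108 hunk in this same commit deprecates both with "Redundant - setting this property does not seem to have a meaningful effect"; the same reads survive in the ServerStanzaHandler -134 hunk. One of the two must give: either the deprecation notice should say that these properties still relax the client-authentication requirement on inbound server connections, or the reads should go. From a hardening standpoint a deprecated, soon-to-vanish property that can downgrade "needed" to "wanted" is the worse option, so I would reduce the condition to `if (!configuration.isAcceptSelfSignedCertificates())` and let the listener configuration be the single source of truth. The enclosing else-if branch starts before the hunk.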
@@ -135,22 +135,21 @@ public static boolean isEnabled() {
      * certificate.
      */
     public static boolean isEnabledForSelfSigned() {
-        return JiveGlobals.getBooleanProperty(ConnectionSettings.Server.TLS_ACCEPT_SELFSIGNED_CERTS, false);
+        // Allowance for self-signed certificates is based on the configuration for all server-to-server connections.
+        return XMPPServer.getInstance().getConnectionManager().getListener(ConnectionType.SOCKET_S2S, false).acceptSelfSignedCertificates();
     }
     /**
-     * Sets if server dialback can be used when the remote server presented a self-signed
-     * certificate. During TLS the remote server can present a self-signed certificate, if this
-     * setting is enabled then the self-signed certificate will be accepted and if SASL EXTERNAL
-     * is not offered then server dialback will be used for verifying the remote server.
+     * This (unexpectedly/incorrectly) affected the configuration of all socket-s2s connections, not just those of
+     * Dialback connections. This is unlikely what is desired.
      *
-     * If self-signed certificates are accepted then server dialback over TLS is enabled.
-     *
-     * @param enabled if server dialback can be used when the remote server presented a self-signed
-     *        certificate.
+     * @param enabled if server dialback can be used when the remote server presented a self-signed certificate.
+     * @deprecated Instead, set the connection listener property for socket-s2s connections in {@link org.jivesoftware.openfire.spi.ConnectionListener#setAcceptSelfSignedCertificates(boolean)}
      */
-    public static void setEnabledForSelfSigned(boolean enabled) {
-        JiveGlobals.setProperty(ConnectionSettings.Server.TLS_ACCEPT_SELFSIGNED_CERTS, Boolean.toString(enabled));
+    @Deprecated(forRemoval = true, since = "5.1.0")
+    public static void setEnabledForSelfSigned(boolean enabled)
+    {
+        XMPPServer.getInstance().getConnectionManager().getListener(ConnectionType.SOCKET_S2S, false).setAcceptSelfSignedCertificates(enabled);
     }
     /**
diff --git a/xmppserver/src/main/java/org/jivesoftware/openfire/session/ConnectionSettings.java b/xmppserver/src/main/java/org/jivesoftware/openfire/session/ConnectionSettings.java
index 62acb0f650..6a477cf2ff 100644
--- a/xmppserver/src/main/java/org/jivesoftware/openfire/session/ConnectionSettings.java
+++ b/xmppserver/src/main/java/org/jivesoftware/openfire/session/ConnectionSettings.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2017-2025 Ignite Realtime Foundation. All rights reserved.
+ * Copyright (C) 2017-2026 Ignite Realtime Foundation. All rights reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
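Review bot: The rewritten Javadoc of `setEnabledForSelfSigned` lost its summary sentence, so it now opens with "This (unexpectedly/incorrectly) affected …" where "This" has no antecedent, and the past tense implies the problem was fixed, while the new body still calls `setAcceptSelfSignedCertificates(enabled)` on the socket-s2s listener and therefore still changes the setting for every server-to-server connection. Restore the summary and describe the current effect, e.g. `Sets whether server dialback can be used when the remote server presented a self-signed certificate.` followed by `Note that this enables acceptance of self-signed certificates for all socket-s2s connections, not only those used for dialback, which is why the method is deprecated.` This `@Deprecated` is also the only one in the commit without the `// Remove in or after Openfire 5.2.0` comment that the class-level deprecations carry.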
@@ -108,11 +108,36 @@ public static final class Server {
         public static final String DIALBACK_ENABLED = "xmpp.server.dialback.enabled";
         public static final String TLS_POLICY = "xmpp.server.tls.policy";
+        /**
+         * @deprecated Use {@link org.jivesoftware.openfire.spi.ConnectionListener#acceptSelfSignedCertificates()} and {@link org.jivesoftware.openfire.spi.ConnectionListener#setAcceptSelfSignedCertificates(boolean)} instead.
+         */
+        @Deprecated(forRemoval = true, since = "5.1.0")
         public static final String TLS_ACCEPT_SELFSIGNED_CERTS = "xmpp.server.certificate.accept-selfsigned";
+
+        /**
+         * @deprecated Redundant - setting this property does not seem to have a meaningful effect.
+         */
+        @Deprecated(forRemoval = true, since = "5.1.0") // Remove in or after Openfire 5.2.0
         public static final String TLS_CERTIFICATE_VERIFY = "xmpp.server.certificate.verify";
+
+        /**
+         * @deprecated Use {@link org.jivesoftware.openfire.spi.ConnectionListener#verifyCertificateValidity()} and {@link org.jivesoftware.openfire.spi.ConnectionListener#setVerifyCertificateValidity(boolean)} instead.
+         */
+        @Deprecated(forRemoval = true, since = "5.1.0")
         public static final String TLS_CERTIFICATE_VERIFY_VALIDITY = "xmpp.server.certificate.verify.validity";
+
+        /**
+         * @deprecated This property is unused.
+         */
+        @Deprecated(forRemoval = true, since = "5.1.0") // Remove in or after Openfire 5.2.0
         public static final String TLS_CERTIFICATE_ROOT_VERIFY = "xmpp.server.certificate.verify.root";
+
+        /**
+         * @deprecated Redundant - setting this property does not seem to have a meaningful effect.
+         */
+        @Deprecated(forRemoval = true, since = "5.1.0") // Remove in or after Openfire 5.2.0
         public static final String TLS_CERTIFICATE_CHAIN_VERIFY = "xmpp.server.certificate.verify.chain";
+
         public static final String TLS_ON_PLAIN_DETECTION_ALLOW_NONDIRECTTLS_FALLBACK = "xmpp.server.tls.on-plain-detection-allow-nondirecttls-fallback";
         /**
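Review bot: The five deprecations in this hunk are annotated inconsistently: `TLS_CERTIFICATE_VERIFY`, `TLS_CERTIFICATE_ROOT_VERIFY` and `TLS_CERTIFICATE_CHAIN_VERIFY` carry `// Remove in or after Openfire 5.2.0`, while `TLS_ACCEPT_SELFSIGNED_CERTS` and `TLS_CERTIFICATE_VERIFY_VALIDITY` do not, although all five declare `forRemoval = true, since = "5.1.0"`. Put the removal comment on all of them or on none, so the eventual cleanup does not miss two. "Does not seem to have a meaningful effect" is also unusually hedged for a notice that tells administrators a property is safe to drop; a deprecation Javadoc should state what is known, and if the effect is uncertain the constant should not yet be marked for removal. The enclosing `Server` class starts before the hunk.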
diff --git a/xmppserver/src/main/java/org/jivesoftware/openfire/spi/ConnectionListener.java b/xmppserver/src/main/java/org/jivesoftware/openfire/spi/ConnectionListener.java
index 62d7b19060..ba38696c74 100644
--- a/xmppserver/src/main/java/org/jivesoftware/openfire/spi/ConnectionListener.java
+++ b/xmppserver/src/main/java/org/jivesoftware/openfire/spi/ConnectionListener.java
@@ -20,6 +20,7 @@
 import org.jivesoftware.openfire.XMPPServer;
 import org.jivesoftware.openfire.keystore.CertificateStoreConfiguration;
 import org.jivesoftware.openfire.net.SocketConnection;
+import org.jivesoftware.openfire.session.ConnectionSettings;
 import org.jivesoftware.util.JiveGlobals;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -712,18 +713,30 @@ public void setTrustStoreConfiguration( CertificateStoreConfiguration configurat
      */
     public boolean acceptSelfSignedCertificates()
     {
-        // TODO these are new properties! Deprecate (migrate?) all existing 'accept-selfsigned properties' (Eg: org.jivesoftware.openfire.session.ConnectionSettings.Server.TLS_ACCEPT_SELFSIGNED_CERTS )
-        final String propertyName = type.getPrefix() + "certificate.accept-selfsigned";
         final boolean defaultValue = false;
-        if ( type.getFallback() == null )
-        {
-            return JiveGlobals.getBooleanProperty( propertyName, defaultValue );
-        }
-        else
+        // Recursively check the old properties at every step in the fallback chain.
+        ConnectionType currentType = type;
+        while (currentType != null)
         {
-            return JiveGlobals.getBooleanProperty( propertyName, getConnectionListener( type.getFallback() ).acceptSelfSignedCertificates() );
+            // This checks the 'old' properties, that have been marked as deprecated in Openfire 5.1.0 (OF-3259)
+            if (currentType == ConnectionType.SOCKET_S2S && JiveGlobals.getBooleanProperty(ConnectionSettings.Server.TLS_ACCEPT_SELFSIGNED_CERTS, defaultValue)) {
+                return true;
+            }
+            if (currentType.isClientOriented() && JiveGlobals.getBooleanProperty("xmpp.client.certificate.accept-selfsigned", defaultValue)) {
+                return true;
+            }
+
+            // This checks the 'new' properties.
+            final String propertyName = currentType.getPrefix() + "certificate.accept-selfsigned";
+            if (JiveGlobals.getProperty(propertyName) != null) {
+                return JiveGlobals.getBooleanProperty(propertyName, defaultValue);
+            }
+
+            // Recursively check the fallback properties.
+            currentType = currentType.getFallback();
         }
+        return defaultValue;
     }
     /**
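Review bot: At every step of the loop the deprecated properties are consulted before the per-type property, so a legacy `xmpp.server.certificate.accept-selfsigned=true` (or the client-side equivalent) overrides a per-type property that an administrator has explicitly set to false, and the mirror-image ordering in the -756 hunk lets a legacy `verify.validity=false` override an explicit true; in both methods the less strict value wins. That is the reverse of what a migration normally wants: the more specific, non-deprecated setting should take precedence, and the legacy property should only fill in when no per-type property exists at that level, otherwise a stale legacy value silently undoes a deliberate hardening. Moving the `JiveGlobals.getProperty(propertyName) != null` block above the two legacy checks inside the loop would give that order. Whichever order is kept, the method Javadoc (it starts above the hunk) should spell it out, e.g. `Deprecated xmpp.server.* and xmpp.client.* properties are still honoured and, where set to a non-default value, take precedence over the per-type property at the same level of the fallback chain.` The literal `"xmpp.client.certificate.accept-selfsigned"` is also duplicated from ClientTrustManager; a shared constant would keep the two spellings in sync.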
@@ -756,18 +769,30 @@ public void setAcceptSelfSignedCertificates( boolean accept )
      */
     public boolean verifyCertificateValidity()
     {
-        // TODO these are new properties! Deprecate (migrate?) all existing 'verify / verify-validity properties' (Eg: org.jivesoftware.openfire.session.ConnectionSettings.Server.TLS_CERTIFICATE_VERIFY_VALIDITY )
-        final String propertyName = type.getPrefix() + "certificate.verify.validity";
         final boolean defaultValue = true;
-        if ( type.getFallback() == null )
-        {
-            return JiveGlobals.getBooleanProperty( propertyName, defaultValue );
-        }
-        else
+        // Recursively check the old properties at every step in the fallback chain.
+        ConnectionType currentType = type;
+        while (currentType != null)
         {
-            return JiveGlobals.getBooleanProperty( propertyName, getConnectionListener( type.getFallback() ).verifyCertificateValidity() );
+            // This checks the 'old' properties, that have been marked as deprecated in Openfire 5.1.0 (OF-3259)
+            if (currentType == ConnectionType.SOCKET_S2S && !JiveGlobals.getBooleanProperty(ConnectionSettings.Server.TLS_CERTIFICATE_VERIFY_VALIDITY, defaultValue)) {
+                return false;
+            }
+            if (currentType.isClientOriented() && !JiveGlobals.getBooleanProperty("xmpp.client.certificate.verify.validity", defaultValue)) {
+                return false;
+            }
+
+            // This checks the 'new' properties.
+            final String propertyName = currentType.getPrefix() + "certificate.verify.validity";
+            if (JiveGlobals.getProperty(propertyName) != null) {
+                return JiveGlobals.getBooleanProperty(propertyName, defaultValue);
+            }
+
+            // Recursively check the fallback properties.
+            currentType = currentType.getFallback();
         }
+        return defaultValue;
     }
     /**
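Review bot: `verifyCertificateValidity` now repeats the fallback walk of `acceptSelfSignedCertificates` (-712 hunk) statement for statement, differing only in the two legacy property names, the per-type suffix and the default, which is exactly the kind of duplication that lets the two precedence rules drift apart on the next edit. A private helper parameterised on those four values expresses both in one place and keeps the "legacy value differing from the default wins immediately; an explicitly set per-type property wins next" rule in a single spot; the fence sketches it, keeping the precedence the hunk already has. The method lies entirely within the hunk.
```java
    public boolean verifyCertificateValidity()
    {
        return resolveBooleanSetting(ConnectionSettings.Server.TLS_CERTIFICATE_VERIFY_VALIDITY, "xmpp.client.certificate.verify.validity", "certificate.verify.validity", true);
    }

    /**
     * Walks the fallback chain of this listener's connection type. At each step a deprecated server- or client-wide
     * property whose value differs from {@code defaultValue} wins immediately, then an explicitly set per-type
     * property wins; otherwise the walk continues with the fallback type and ends with {@code defaultValue}.
     */
    private boolean resolveBooleanSetting(String legacyServerProperty, String legacyClientProperty, String suffix, boolean defaultValue)
    {
        ConnectionType currentType = type;
        while (currentType != null)
        {
            if (currentType == ConnectionType.SOCKET_S2S && JiveGlobals.getBooleanProperty(legacyServerProperty, defaultValue) != defaultValue) {
                return !defaultValue;
            }
            if (currentType.isClientOriented() && JiveGlobals.getBooleanProperty(legacyClientProperty, defaultValue) != defaultValue) {
                return !defaultValue;
            }
            final String propertyName = currentType.getPrefix() + suffix;
            if (JiveGlobals.getProperty(propertyName) != null) {
                return JiveGlobals.getBooleanProperty(propertyName, defaultValue);
            }
            currentType = currentType.getFallback();
        }
        return defaultValue;
    }
```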