Build: #2927 was successful

Job: RPM Workflow was successful

Stages & jobs

  1. Build and Package

Code commits

Openfire (master)

  • Guus der Kinderen

    Guus der Kinderen 5a01e4b59a323defbbe9a3bde11aa01976202c55

    Ensure authentication is reported as failed when user is locked out

    • xmppserver/src/main/java/org/jivesoftware/openfire/net/SASLAuthentication.java (version 5a01e4b59a323defbbe9a3bde11aa01976202c55)
  • Guus der Kinderen

    Guus der Kinderen 106ede644a5b7d6e3e3111294826a35e7bb95814

    Set incoming server auth method from negotiated SASL mechanism
    Stop assuming inbound s2s SASL authentication always uses EXTERNAL. When SASL succeeds, derive `ServerSession.AuthenticationMethod` from the actual negotiated mechanism name instead:

    - EXTERNAL -> SASL_EXTERNAL
    - any other mechanism -> OTHER

    This makes session state reflect the real authentication method used and removes brittle coupling to current mechanism availability.

    • xmppserver/src/main/java/org/jivesoftware/openfire/net/SASLAuthentication.java (version 106ede644a5b7d6e3e3111294826a35e7bb95814)
    • xmppserver/src/main/java/org/jivesoftware/openfire/session/ServerSession.java (version 106ede644a5b7d6e3e3111294826a35e7bb95814)
    • xmppserver/src/test/java/org/jivesoftware/openfire/net/SASLAuthenticationTest.java (version 106ede644a5b7d6e3e3111294826a35e7bb95814)
    • xmppserver/src/test/java/org/jivesoftware/openfire/session/ServerSessionTest.java (version 106ede644a5b7d6e3e3111294826a35e7bb95814)
  • Guus der Kinderen

    Guus der Kinderen fe8786170abc484fc48936d237dacb928ad75069

    Optimize SASL mechanism validation by avoiding unnecessary XML conversions
    Replace Element-based mechanism lookups with direct set operations. Eliminates redundant dom4j manipulation.

    Adds unit test coverage

    None of this is expected to introduce functional changes. Pre-existing public method signatures are left intact for backwards compatibility.

    • xmppserver/src/main/java/org/jivesoftware/openfire/net/SASLAuthentication.java (version fe8786170abc484fc48936d237dacb928ad75069)
    • xmppserver/src/test/java/org/jivesoftware/openfire/net/SASLAuthenticationTest.java (version fe8786170abc484fc48936d237dacb928ad75069)
  • Guus der Kinderen

    Guus der Kinderen a1c184c4df4e6c7d101f8a00887d160e6813d339

    Minor fixes for code review findings

    • xmppserver/src/main/java/org/jivesoftware/openfire/net/SASLAuthentication.java (version a1c184c4df4e6c7d101f8a00887d160e6813d339)
  • Guus der Kinderen

    Guus der Kinderen f9d4cc53d362f91d674377b6aa1eb7bb545a3f53

    OF-3268: Refactor SASL EXTERNAL S2S success path to remove duplicate checks
    Remove redundant inbound S2S post-auth verification from `SASLAuthentication.handle(...)` after `saslServer.isComplete()`.

    For SASL EXTERNAL, certificate/domain verification is already performed by `ExternalServerSaslServer.evaluateResponse(...)`, while authentication method assignment is already handled in `authenticationSuccessful(...)`.

    This change simplifies control flow and clarifies responsibility without intended behavior change.

    • xmppserver/src/main/java/org/jivesoftware/openfire/net/SASLAuthentication.java (version f9d4cc53d362f91d674377b6aa1eb7bb545a3f53)
  • Guus der Kinderen

    Guus der Kinderen eab4eac041fc0ab7cef07b58b18c9a1898fa1b18

    OF-3273: Enforce session-eligible SASL mechanism validation during authentication
    Ensure SASL mechanism selection in `SASLAuthentication.handle(...)` is constrained to the mechanisms available for the current session, matching stream feature advertisement behavior.

    Previously, Openfire validated mechanisms against globally enabled configuration only, which allowed peers to attempt mechanisms that were not advertised for a specific connection/session type. This change adds a session-scoped eligibility check and rejects non-available mechanisms with `invalid-mechanism`. This aligns mechanism acceptance with negotiated capabilities and prevents use of mechanisms outside per-session policy.

    • xmppserver/src/main/java/org/jivesoftware/openfire/net/SASLAuthentication.java (version eab4eac041fc0ab7cef07b58b18c9a1898fa1b18)
    • xmppserver/src/test/java/org/jivesoftware/openfire/net/SASLAuthenticationTest.java (version eab4eac041fc0ab7cef07b58b18c9a1898fa1b18)
  • Guus der Kinderen

    Guus der Kinderen e650e47c5fb1cb0d398fddc5daa8a651b885a678

    (code review) Gate SASL EXTERNAL advertisement on enabled mechanisms
    Only include EXTERNAL in available server-session mechanisms when it is enabled/supported, preventing it from being advertised in stream features when disabled in sasl.mechs.

    • xmppserver/src/main/java/org/jivesoftware/openfire/net/SASLAuthentication.java (version e650e47c5fb1cb0d398fddc5daa8a651b885a678)
    • xmppserver/src/test/java/org/jivesoftware/openfire/net/SASLAuthenticationTest.java (version e650e47c5fb1cb0d398fddc5daa8a651b885a678)
  • Guus der Kinderen

    Guus der Kinderen ed9cd64e96ed0c836a618274d9d2b3d6cb63b9b6

    OF-2957: Bump Netty from 4.2.12 to 4.2.13

    • pom.xml (version ed9cd64e96ed0c836a618274d9d2b3d6cb63b9b6)
  • Scott Milne <smilne1282@gmail.com>

    Scott Milne <smilne1282@gmail.com> 9045deaf7e7e258bcfba4e07fe8091f48ddc0c22

    Fix S2S dialback not offered in post-TLS features when self-signed certs accepted
    ServerDialback.isEnabledForSelfSigned() reads the legacy property
    xmpp.server.certificate.accept-selfsigned (TLS_ACCEPT_SELFSIGNED_CERTS),
    but ConnectionListener.setAcceptSelfSignedCertificates() — which backs the
    Admin Console UI checkbox — writes to the per-connection-type prefixed
    property xmpp.socket.ssl.certificate.accept-selfsigned. These diverged when
    per-type prefixed properties were introduced but the readers in ServerDialback
    were not updated.

    The consequence is that after a successful TLS handshake with a self-signed
    peer certificate, LocalIncomingServerSession.getAvailableStreamFeatures() calls
    isEnabledForSelfSigned(), gets false, and omits <db:dialback> from the post-TLS
    <stream:features>. The connecting server then finds no usable authentication
    mechanism and closes the connection. This causes all encrypted S2S connections
    to fail silently when the only option is dialback, even if the operator has
    enabled self-signed certificate acceptance via the UI.

    Fix: check both property names in isEnabledForSelfSigned(), preserving full
    backwards compatibility with installations that have the legacy property set.

    Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

    • xmppserver/src/main/java/org/jivesoftware/openfire/server/ServerDialback.java (version 9045deaf7e7e258bcfba4e07fe8091f48ddc0c22)
  • Guus der Kinderen

    Guus der Kinderen 08655d86eddd06c53610dbf5a65b66c91683cf89

    OF-3259: Deprecate legacy self-signed certificate properties and unify configuration
    In the OF-946 refactor, connection configuration introduced per-type prefixed properties. However, not all usages of the legacy properties were migrated. As a result, some functionality still depends on the old properties while others use the new ones (sometimes even within related features) leading to inconsistent and incompatible behavior (e.g., server-to-server uses new properties, while Dialback relies on legacy ones).

    This commit deprecates the legacy `xmpp.server.certificate.accept-selfsigned` and `xmpp.client.certificate.accept-selfsigned` properties in favor of `ConnectionListener#acceptSelfSignedCertificates`.

    Changes:
    - Add fallback: the new configuration uses the legacy property if it is explicitly set.
    - Migrate all remaining usages from the legacy property to the new configuration.

    This ensures consistent behavior across all connection types and prevents configuration mismatches.

    • xmppserver/src/main/java/org/jivesoftware/openfire/net/ClientTrustManager.java (version 08655d86eddd06c53610dbf5a65b66c91683cf89)
    • xmppserver/src/main/java/org/jivesoftware/openfire/net/ServerStanzaHandler.java (version 08655d86eddd06c53610dbf5a65b66c91683cf89)
    • xmppserver/src/main/java/org/jivesoftware/openfire/net/ServerTrustManager.java (version 08655d86eddd06c53610dbf5a65b66c91683cf89)
    • xmppserver/src/main/java/org/jivesoftware/openfire/net/TLSStreamHandler.java (version 08655d86eddd06c53610dbf5a65b66c91683cf89)
    • xmppserver/src/main/java/org/jivesoftware/openfire/server/ServerDialback.java (version 08655d86eddd06c53610dbf5a65b66c91683cf89)
    • xmppserver/src/main/java/org/jivesoftware/openfire/session/ConnectionSettings.java (version 08655d86eddd06c53610dbf5a65b66c91683cf89)
    • xmppserver/src/main/java/org/jivesoftware/openfire/spi/ConnectionListener.java (version 08655d86eddd06c53610dbf5a65b66c91683cf89)
  • Guus der Kinderen

    Guus der Kinderen 34fe107014cab945dadb7c5a5435f3df140e4055

    OF-3259: Deprecate legacy certificate validity verification properties and unify configuration
    In the OF-946 refactor, connection configuration introduced per-type prefixed properties. However, not all usages of the legacy properties were migrated. As a result, some functionality still depends on the old properties while others use the new ones (sometimes even within related features) leading to inconsistent and incompatible behavior (e.g., server-to-server uses new properties, while Dialback relies on legacy ones).

    This commit deprecates the legacy `xmpp.server.certificate.verify.validity` and `xmpp.client.certificate.verify.validity` properties in favor of `ConnectionListener#verifyCertificateValidity`.

    Changes:
    - Add fallback: the new configuration uses the legacy property if it is explicitly set.
    - Migrate all remaining usages from the legacy property to the new configuration.

    This ensures consistent behavior across all connection types and prevents configuration mismatches.

    • xmppserver/src/main/java/org/jivesoftware/openfire/net/ClientTrustManager.java (version 34fe107014cab945dadb7c5a5435f3df140e4055)
    • xmppserver/src/main/java/org/jivesoftware/openfire/session/ConnectionSettings.java (version 34fe107014cab945dadb7c5a5435f3df140e4055)
    • xmppserver/src/main/java/org/jivesoftware/openfire/spi/ConnectionListener.java (version 34fe107014cab945dadb7c5a5435f3df140e4055)
  • Guus der Kinderen

    Guus der Kinderen 08a89cbcbae2a95a5d0ad7675517f22fb0d645bf

    Mark unused xmpp.server.certificate and xmpp.client.certificate properties for removal
    `org.jivesoftware.openfire.net.ClientTrustManager` has been replaced by `org.jivesoftware.openfire.keystore.OpenfireX509TrustManager` at least a decade ago. It is unlikely that it's still being used.

    These properties are used _exclusively_ by this old implementation. As that implementation isn't in use any more, these properties are effectively unused.

    - `xmpp.client.certificate.verify`
    - `xmpp.client.certificate.crl`
    - `xmpp.client.certificate.verify.chain`
    - `xmpp.client.certificate.verify.root`

    This commit explicitly marks the `ClientTrustManager` as being deprecated, for removal in Openfire 5.2.0. I don't think there's much value in retaining the properties, as their functionality seems questionably specific. Apparently, it hasn't been missed in the last decade.

    The properties above are specific to client connectivity.

    For server connectivity, things are slightly different. There also exists `org.jivesoftware.openfire.net.ServerTrustManager` which also goes unused. It is unlikely that it's still being used. This implementation, unlike its client-counterpart, does not (directly) use similar properties.

    This commit explicitly marks the `ServerTrustManager` as being deprecated, for removal in Openfire 5.2.0.

    The properties mentioned above have server-equivalents:
    - `xmpp.server.certificate.verify`
    - `xmpp.server.certificate.verify.chain`
    - `xmpp.server.certificate.verify.root`

    (`xmpp.server.certificate.crl` is not defined)

    Unlike the client properties, these server properties are used in other bits of code.

    `xmpp.server.certificate.verify` (as constant `org.jivesoftware.openfire.session.ConnectionSettings.Server#TLS_CERTIFICATE_VERIFY`)
    - appears to be used in `org.jivesoftware.openfire.net.SASLAuthentication` to assert if, for every server-to-server SASL authentication mechanism applied to incoming server-to-server connections, the peer's certificates should be validated. There's just one SASL mechanism for incoming server-to-server connections, which is EXTERNAL. Its implementation seems to unconditionally verify certificates in `org.jivesoftware.openfire.sasl.ExternalServerSaslServer` - the SASL mechanisms that we offer to server peers (in `org.jivesoftware.openfire.net.SASLAuthentication`) only offer EXTERNAL when the peer's certificates are unconditionally validated. In this path, the property doesn't seem to be useful.
    - is used in `org.jivesoftware.openfire.net.ServerStanzaHandler` to populate a variable that is not used. In this path, the property does not seem to be useful either.
    - is used in `org.jivesoftware.openfire.net.TLSStreamHandler` to configure a TLS Engine, specifically to check if a peer's certificate is wanted, or needed. `TLSStreamHandler` itself is used by `org.jivesoftware.openfire.server.ServerDialback` and `org.jivesoftware.openfire.net.SocketConnection` (which is documented to be used only for Server Dialback). Server Dialback is a mechanism used when SASL EXTERNAL (which is based on TLS certificate validation) is unavailable. It seems unlikely that low-level configuration of TLS certificates is required (or even desired) for Server Dialback.

    In all, `xmpp.server.certificate.verify` seems to be largely unused.

    `xmpp.server.certificate.verify.chain` (as constant `org.jivesoftware.openfire.session.ConnectionSettings.Server#TLS_CERTIFICATE_CHAIN_VERIFY`)
    - is used in `org.jivesoftware.openfire.net.ServerStanzaHandler` to populate a variable that is not used. In this path, the property does not seem to be useful.
    - is used in `org.jivesoftware.openfire.net.TLSStreamHandler` to configure a TLS Engine, specifically to check if a peer's certificate is wanted, or needed. `TLSStreamHandler` itself is used by `org.jivesoftware.openfire.server.ServerDialback` and `org.jivesoftware.openfire.net.SocketConnection` (which is documented to be used only for Server Dialback). Server Dialback is a mechanism used when SASL EXTERNAL (which is based on TLS certificate validation) is unavailable. It seems unlikely that low-level configuration of TLS certificates is required (or even desired) for Server Dialback.

    In all, `xmpp.server.certificate.verify.chain` seems to be largely unused.

    `xmpp.server.certificate.verify.root` (as constant `org.jivesoftware.openfire.session.ConnectionSettings.Server#TLS_CERTIFICATE_ROOT_VERIFY`)
    - Only defined as a constant, but the constant is not used.

    I believe all of the above is reason to phase out all of these properties:
    - `xmpp.client.certificate.verify`
    - `xmpp.client.certificate.crl`
    - `xmpp.client.certificate.verify.chain`
    - `xmpp.client.certificate.verify.root`
    - `xmpp.server.certificate.verify`
    - `xmpp.server.certificate.verify.chain`
    - `xmpp.server.certificate.verify.root`

    Unlike the properties `xmpp.server.certificate.verify.validity`, `xmpp.client.certificate.verify.validity`, `xmpp.server.certificate.accept-selfsigned` and `xmpp.client.certificate.accept-selfsigned` that have been deprecated in earlier commits, but have been replaced by `ConnectionListener` functionality, I see little value in introducing new functionality in `ConnectionListener` to match the properties above.

    In this commit, I have marked the constants that define the properties above as being deprecated, for removal in Openfire 5.2.0. Properties for which no constant is defined are used in code that is already marked for removal, so they'll disappear automatically.

    • xmppserver/src/main/java/org/jivesoftware/openfire/net/ClientTrustManager.java (version 08a89cbcbae2a95a5d0ad7675517f22fb0d645bf)
    • xmppserver/src/main/java/org/jivesoftware/openfire/net/ServerTrustManager.java (version 08a89cbcbae2a95a5d0ad7675517f22fb0d645bf)
    • xmppserver/src/main/java/org/jivesoftware/openfire/session/ConnectionSettings.java (version 08a89cbcbae2a95a5d0ad7675517f22fb0d645bf)
  • Guus der Kinderen

    Guus der Kinderen 238f9af1465e5af631c0d4066a4f3560576048f4

    OF-3272: Increase unit test coverage for CsiManager

    • xmppserver/src/test/java/org/jivesoftware/openfire/csi/CsiManagerTest.java (version 238f9af1465e5af631c0d4066a4f3560576048f4)
  • Guus der Kinderen

    Guus der Kinderen 75b1d41c24bbf198cafea94d946d427106b31922

    OF-3272: Fix concurrency (and off-by-one) issue in CSI
    The implementation was partially synchronized, but lacked synchronization on activate/deactivate. By marking both methods as synchronized, there no longer is a data race.

    In activate, the rescheduling of queued stanzas was previously performed outside of a lock, although its execution (in `queueOrPush`) was fully synchronized. Because of that, I don't expect this commit to introduce significantly more (possibly problematic, remember Stream Management?) locking.

    This commit also addresses a minor off-by-one error when checking the queue capacity.

    • xmppserver/src/main/java/org/jivesoftware/openfire/csi/CsiManager.java (version 75b1d41c24bbf198cafea94d946d427106b31922)
  • Guus der Kinderen

    Guus der Kinderen 9059f5cbd6658dc0a2323be3cd4f6752a28b91dc

    OF-3272 CSI: flush delayed queue outside lock and serialize activation flush
    Refactor CSI activation flushing to avoid holding the CsiManager monitor during delivery I/O and preserve stanza ordering across activation.

    • xmppserver/src/main/java/org/jivesoftware/openfire/csi/CsiManager.java (version 9059f5cbd6658dc0a2323be3cd4f6752a28b91dc)
    • xmppserver/src/main/java/org/jivesoftware/openfire/session/LocalClientSession.java (version 9059f5cbd6658dc0a2323be3cd4f6752a28b91dc)
    • xmppserver/src/test/java/org/jivesoftware/openfire/csi/CsiManagerTest.java (version 9059f5cbd6658dc0a2323be3cd4f6752a28b91dc)
  • Dave Cridland <dave@cridland.net>

    Dave Cridland <dave@cridland.net> d92d48ac2ed3b69391b4c62ddf98ff9ad5952c5b

    fix: synchronize CsiManager.activate() and flush full queue atomically
    activate() was not synchronized, causing a race with queueOrPush() on
    the shared queue field. It also used an indirect flush (pollLast + re-
    deliver) that could lose stanzas queued between pollLast and the re-
    entry into queueOrPush.

    Fix: drain the entire queue atomically under the lock, set active=true,
    then deliver all stanzas outside the lock so I/O does not block other
    threads from queuing new stanzas.

    Co-authored-by: Junie <junie@jetbrains.com>

    • xmppserver/src/main/java/org/jivesoftware/openfire/csi/CsiManager.java (version d92d48ac2ed3b69391b4c62ddf98ff9ad5952c5b)
  • Guus der Kinderen

    Guus der Kinderen 3332aec459a99ba5713079bac3b8d0ffaf83d72d

    (code review) remove redundant check for empty collection

    • xmppserver/src/main/java/org/jivesoftware/openfire/session/LocalClientSession.java (version 3332aec459a99ba5713079bac3b8d0ffaf83d72d)
  • Guus der Kinderen

    Guus der Kinderen f9cd191b6b84d7428fd3d3344336ffee8d3257a4

    OF-3277: Introduce helper method to determine database 'limit' keyword
    The SQL LIMIT clause is not portable across the databases Openfire supports. SQL Server, for example, uses `SELECT TOP`.

    Up until now, code had to interrogate the type of database to find out what variant to be used. In this commit, this information is exposed as metadata.

    Small changes have been applied to the pubsub persistence implementation. It is expected that the Monitoring plugin (and others) benefit from this, too.

    • xmppserver/src/main/java/org/jivesoftware/database/DbConnectionManager.java (version f9cd191b6b84d7428fd3d3344336ffee8d3257a4)
    • xmppserver/src/main/java/org/jivesoftware/openfire/pubsub/DefaultPubSubPersistenceProvider.java (version f9cd191b6b84d7428fd3d3344336ffee8d3257a4)
    • xmppserver/src/test/java/org/jivesoftware/database/DbConnectionManagerTest.java (version f9cd191b6b84d7428fd3d3344336ffee8d3257a4)
  • dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

    dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 30292156fdc3515e9e8b34696430bcb54e66d3f4

    Bump org.dbunit:dbunit from 3.0.0 to 3.1.0
    Bumps org.dbunit:dbunit from 3.0.0 to 3.1.0.

    ---
    updated-dependencies:
    - dependency-name: org.dbunit:dbunit
      dependency-version: 3.1.0
      dependency-type: direct:development
      update-type: version-update:semver-minor
    ...

    Signed-off-by: dependabot[bot] <support@github.com>

    • xmppserver/pom.xml (version 30292156fdc3515e9e8b34696430bcb54e66d3f4)
  • Guus der Kinderen

    Guus der Kinderen e9759983513777462a9b082b13d660a645e0cee1

    OF-2694: Add SCRAM-SHA-1-PLUS mechanism with channel binding support
    Introduces SCRAM-SHA-1-PLUS SASL mechanism, implementing RFC 5802 channel binding for TLS.

    Advertise SCRAM-SHA-1-PLUS by default, but only when channel binding is available and session is encrypted.

    • i18n/src/main/resources/openfire_i18n.properties (version e9759983513777462a9b082b13d660a645e0cee1)
    • i18n/src/main/resources/openfire_i18n_nl.properties (version e9759983513777462a9b082b13d660a645e0cee1)
    • xmppserver/src/main/java/org/jivesoftware/openfire/net/SASLAuthentication.java (version e9759983513777462a9b082b13d660a645e0cee1)
    • xmppserver/src/main/java/org/jivesoftware/openfire/sasl/SaslProvider.java (version e9759983513777462a9b082b13d660a645e0cee1)
    • xmppserver/src/main/java/org/jivesoftware/openfire/sasl/SaslServerFactoryImpl.java (version e9759983513777462a9b082b13d660a645e0cee1)
    • xmppserver/src/main/java/org/jivesoftware/openfire/sasl/ScramSha1SaslServer.java (version e9759983513777462a9b082b13d660a645e0cee1)
    • xmppserver/src/test/java/org/jivesoftware/openfire/sasl/ScramSha1SaslServerTest.java (version e9759983513777462a9b082b13d660a645e0cee1)
  • Guus der Kinderen

    Guus der Kinderen ea80cd3df604f98a0efa5828a390f9a2e0dd96f3

    OF-2879: Implement XEP-0440: SASL Channel-Binding Type Capability
    With Channel Binding now available (as this commit follows commits that implement these under OF-2694), Openfire should announce what type of channel binding types it supports. The mechanism for this is defined in XEP-0440. This commit implements this mechanism.

    Additionally, the channel binding type that is used for a session (if any) is now shown on its 'session details' page on the admin console.

    • documentation/openfire.doap (version ea80cd3df604f98a0efa5828a390f9a2e0dd96f3)
    • documentation/protocol-support.html (version ea80cd3df604f98a0efa5828a390f9a2e0dd96f3)
    • i18n/src/main/resources/openfire_i18n.properties (version ea80cd3df604f98a0efa5828a390f9a2e0dd96f3)
    • xmppserver/src/main/java/org/jivesoftware/openfire/net/SASLAuthentication.java (version ea80cd3df604f98a0efa5828a390f9a2e0dd96f3)
    • xmppserver/src/main/java/org/jivesoftware/openfire/net/SocketReadingMode.java (version ea80cd3df604f98a0efa5828a390f9a2e0dd96f3)
    • xmppserver/src/main/java/org/jivesoftware/openfire/net/StanzaHandler.java (version ea80cd3df604f98a0efa5828a390f9a2e0dd96f3)
    • xmppserver/src/main/java/org/jivesoftware/openfire/session/LocalClientSession.java (version ea80cd3df604f98a0efa5828a390f9a2e0dd96f3)
    • xmppserver/src/main/java/org/jivesoftware/openfire/session/LocalIncomingServerSession.java (version ea80cd3df604f98a0efa5828a390f9a2e0dd96f3)
    • xmppserver/src/main/java/org/jivesoftware/openfire/websocket/WebSocketClientStanzaHandler.java (version ea80cd3df604f98a0efa5828a390f9a2e0dd96f3)
    • xmppserver/src/main/java/org/jivesoftware/util/channelbinding/ChannelBindingProviderManager.java (version ea80cd3df604f98a0efa5828a390f9a2e0dd96f3)
    • xmppserver/src/main/webapp/session-details.jsp (version ea80cd3df604f98a0efa5828a390f9a2e0dd96f3)
    • xmppserver/src/test/java/org/jivesoftware/util/channelbinding/ChannelBindingProviderManagerTest.java (version ea80cd3df604f98a0efa5828a390f9a2e0dd96f3)
  • Guus der Kinderen

    Guus der Kinderen d226e917c8cba9a3e5edd2c26ea368ce855f7b84

    CI: merge 'cb' and 'demoboot' Maestro tags
    The Conversations tests for channel binding added a second matrix for the `cb` tag, but it uses the same default demoboot config. Test hygiene would say: merge them.

    Basically, Dan told me to do this.

    • .github/workflows/continuous-integration-workflow.yml (version d226e917c8cba9a3e5edd2c26ea368ce855f7b84)
    • build/ci/conversations/flows/cb.yaml (version d226e917c8cba9a3e5edd2c26ea368ce855f7b84)
  • Guus der Kinderen

    Guus der Kinderen 5a2b6fa74d59a1531878ef29d7b56d562a2d2ff3

    OF-2694: Introduce pluggable channel binding providers with manager
    Add a channel binding abstraction consisting of:

    - ChannelBindingProvider interface for extracting channel binding data from an SSLEngine
    - ChannelBindingProviderManager to register, manage, and resolve providers per channel binding type
    - ChannelBindingType enum defining RFC-aligned binding identifiers
    - Comprehensive unit tests covering provider registration, ordering, resolution, and failure handling

    This introduces a best-effort mechanism to obtain channel binding data (as defined in RFC 5705, RFC 5929, and RFC 9266) without introducing hard dependencies on a specific TLS implementation or JDK version.

    The manager maintains an ordered list of providers per channel binding type and iterates through them until one successfully produces a value. Failures are isolated per provider, ensuring graceful degradation.

    Why this is needed

    Channel binding support is highly dependent on the capabilities of the underlying TLS stack and JDK version. Some mechanisms (notably newer exporter-based bindings) are difficult or effectively impossible to implement on older Java versions (e.g., Java 17), even when using reflection.

    At the same time, increasing the minimum required Java version for Openfire is undesirable, as it would negatively impact existing deployments.

    This change introduces a "manager/provider" pattern that:

    - Aligns with existing extensibility mechanisms used elsewhere in the codebase
    - Enables runtime discovery and prioritization of multiple implementations
    - Allows third parties to contribute additional providers via plugins

    Crucially, this design decouples channel binding support from the core runtime:

    - Core Openfire can remain compatible with Java 17
    - Optional plugins can provide advanced implementations that depend on newer Java versions (e.g., Java 25+)

    These plugins can register their providers with the manager at runtime, seamlessly extending functionality without impacting baseline compatibility.

    • xmppserver/src/main/java/org/jivesoftware/util/channelbinding/ChannelBindingProvider.java (version 5a2b6fa74d59a1531878ef29d7b56d562a2d2ff3)
    • xmppserver/src/main/java/org/jivesoftware/util/channelbinding/ChannelBindingProviderManager.java (version 5a2b6fa74d59a1531878ef29d7b56d562a2d2ff3)
    • xmppserver/src/main/java/org/jivesoftware/util/channelbinding/ChannelBindingType.java (version 5a2b6fa74d59a1531878ef29d7b56d562a2d2ff3)
    • xmppserver/src/test/java/org/jivesoftware/util/channelbinding/ChannelBindingProviderManagerTest.java (version 5a2b6fa74d59a1531878ef29d7b56d562a2d2ff3)
  • Guus der Kinderen

    Guus der Kinderen c4ed939661fe08a0034a37ce02a07150f51e9e56

    OF-2694: Add tls-server-end-point channel binding provider implementation
    Introduce TlsServerEndPointChannelBindingProvider, an implementation of ChannelBindingProvider for the tls-server-end-point channel binding type as defined in RFC 5929.

    Implements logic to select the appropriate hash algorithm based on certificate signature algorithm, with special handling for RSASSA-PSS and weak hashes.

    • xmppserver/src/main/java/org/jivesoftware/util/channelbinding/TlsServerEndPointChannelBindingProvider.java (version c4ed939661fe08a0034a37ce02a07150f51e9e56)
    • xmppserver/src/test/java/org/jivesoftware/util/channelbinding/TlsServerEndPointChannelBindingProviderTest.java (version c4ed939661fe08a0034a37ce02a07150f51e9e56)
  • Guus der Kinderen

    Guus der Kinderen 219acd9b818412fd68a3920ad2d1c8ec37283b9d

    OF-2694: Add TLS channel binding primitive support
    Expose per-connection channel binding data retrieval for SASL.

    • xmppserver/src/main/java/org/jivesoftware/openfire/Connection.java (version 219acd9b818412fd68a3920ad2d1c8ec37283b9d)
    • xmppserver/src/main/java/org/jivesoftware/openfire/nio/NettyConnection.java (version 219acd9b818412fd68a3920ad2d1c8ec37283b9d)
  • Guus der Kinderen

    Guus der Kinderen a77b374fcc84076e8794dfe08b7dfe3a114342a1

    OF-2694 (code review feedback): Only advertise SASL -PLUS mechanisms when channel binding is supported
    Refactored SASL mechanism advertisement logic to ensure that -PLUS mechanisms (e.g., SCRAM-SHA-1-PLUS) are only offered when the current connection supports channel binding. The check now relies on Connection#getSupportedChannelBindingTypes(), which must return a non-empty set for -PLUS mechanisms to be advertised.

    Updated all relevant connection implementations (only NettyConnection, and the default method in the Connection interface) to ensure correct reporting of supported channel binding types.

    This change prevents authentication failures caused by advertising -PLUS mechanisms on connections that cannot provide channel binding data (e.g., WebSocket connections).

    • xmppserver/src/main/java/org/jivesoftware/openfire/Connection.java (version a77b374fcc84076e8794dfe08b7dfe3a114342a1)
    • xmppserver/src/main/java/org/jivesoftware/openfire/net/SASLAuthentication.java (version a77b374fcc84076e8794dfe08b7dfe3a114342a1)
    • xmppserver/src/main/java/org/jivesoftware/openfire/nio/NettyConnection.java (version a77b374fcc84076e8794dfe08b7dfe3a114342a1)
  • Guus der Kinderen

    Guus der Kinderen f39641d3f8b22024dd3320e6a56a80f0ab04a654

    OF-2694: Make available `tls-server-end-point` channel binding by default
    This registers the corresponding provider without any ceremony. Future modifications could introduce configurability, but as support for this channel binding is mandatory per XEP, hard-coding seems acceptable.

    • xmppserver/src/main/java/org/jivesoftware/util/channelbinding/ChannelBindingProviderManager.java (version f39641d3f8b22024dd3320e6a56a80f0ab04a654)
  • Guus der Kinderen

    Guus der Kinderen 45b0221b64f9b2ba21e2953bb503118656b95fb3

    OF-2694 (code review feedback): (more) correctly encode SCRAM-SHA-1 test vector
    Instead of concatenating two base64 strings, concat the byte-parts of the channel-binding data, and base64 encode the result. This better conforms to https://datatracker.ietf.org/doc/html/rfc5802#section-7

    • xmppserver/src/test/java/org/jivesoftware/openfire/sasl/ScramSha1SaslServerTest.java (version 45b0221b64f9b2ba21e2953bb503118656b95fb3)
  • Guus der Kinderen

    Guus der Kinderen a14b295fea4a1ce5e19a92b04aea8d089ea21908

    OF-2694 (code review feedback): Various text fixes
    This addresses various typos and spelling issues. None of these are functionally changing anything.

    • i18n/src/main/resources/openfire_i18n_nl.properties (version a14b295fea4a1ce5e19a92b04aea8d089ea21908)
    • xmppserver/src/main/java/org/jivesoftware/openfire/container/AdminConsolePlugin.java (version a14b295fea4a1ce5e19a92b04aea8d089ea21908)
    • xmppserver/src/main/java/org/jivesoftware/openfire/group/AbstractGroupProvider.java (version a14b295fea4a1ce5e19a92b04aea8d089ea21908)
    • xmppserver/src/main/java/org/jivesoftware/openfire/net/SASLAuthentication.java (version a14b295fea4a1ce5e19a92b04aea8d089ea21908)
    • xmppserver/src/main/java/org/jivesoftware/openfire/sasl/ScramSha1SaslServer.java (version a14b295fea4a1ce5e19a92b04aea8d089ea21908)
    • xmppserver/src/main/java/org/jivesoftware/util/CertificateManager.java (version a14b295fea4a1ce5e19a92b04aea8d089ea21908)
    • xmppserver/src/main/java/org/jivesoftware/util/cache/DefaultLocalCacheStrategy.java (version a14b295fea4a1ce5e19a92b04aea8d089ea21908)
  • Guus der Kinderen

    Guus der Kinderen f0c162c4ee78e0bc3aa0f41b44e4f81902ab84bb

    OF-2694 (code review feedback): Make removal of ChannelBindingProvider thread safe
    This mimics the concurrency control of the implementation that adds these providers.

    • xmppserver/src/main/java/org/jivesoftware/util/channelbinding/ChannelBindingProviderManager.java (version f0c162c4ee78e0bc3aa0f41b44e4f81902ab84bb)
  • Guus der Kinderen

    Guus der Kinderen ddec6a6f7fb4756dd60e9890e4456d7c1afff230

    OF-2694 (code review feedback): Additional hardening + unit test coverage
    This adds more validation of the exchanged data in the SASL handshake, and adds more unit test coverage.

    Small refactorings have been applied to make ScramSha1SaslServer easier to unit-test. It now no longer unconditionally uses static calls to other classes. Such classes can be provided via a `@VisibleForTesting` constructor.

    • xmppserver/src/main/java/org/jivesoftware/openfire/sasl/ScramSha1SaslServer.java (version ddec6a6f7fb4756dd60e9890e4456d7c1afff230)
    • xmppserver/src/main/java/org/jivesoftware/util/channelbinding/ChannelBindingProviderManager.java (version ddec6a6f7fb4756dd60e9890e4456d7c1afff230)
    • xmppserver/src/test/java/org/jivesoftware/openfire/sasl/ScramSha1SaslServerFakeKeyTest.java (version ddec6a6f7fb4756dd60e9890e4456d7c1afff230)
    • xmppserver/src/test/java/org/jivesoftware/openfire/sasl/ScramSha1SaslServerSaltTest.java (version ddec6a6f7fb4756dd60e9890e4456d7c1afff230)
    • xmppserver/src/test/java/org/jivesoftware/openfire/sasl/ScramSha1SaslServerTest.java (version ddec6a6f7fb4756dd60e9890e4456d7c1afff230)
  • Guus der Kinderen

    Guus der Kinderen a8cf669c8462393c42ae11dc6fbfa1ac65f2dfe0

    OF-2694: Add Maestro test to CI for Channel Binding
    This new test launches Conversations against a standard Openfire server (the 'demoboot' configuration) and attempts to authenticate.

    It is asserted that:
    - the authentication attempt was successful
    - a SASL mechanism ending with `-PLUS` was used

    When this test passes, it's verified that Conversations successfully used channel binding.

    • .github/workflows/continuous-integration-workflow.yml (version a8cf669c8462393c42ae11dc6fbfa1ac65f2dfe0)
    • build/ci/conversations/flows/cb.yaml (version a8cf669c8462393c42ae11dc6fbfa1ac65f2dfe0)