Merge pull request #144 from sco0ter/of861

Disable SSLv3 for socket connections to avoid POODLE vulnerability.

src/java/org/jivesoftware/openfire/nio/ConnectionHandler.java

@@ -38,6 +38,8 @@ import org.xmlpull.v1.XmlPullParserException;
 import org.xmlpull.v1.XmlPullParserFactory;
 import org.xmpp.packet.StreamError;
 
+import javax.net.ssl.SSLHandshakeException;
+
 /**
  * A ConnectionHandler is responsible for creating new sessions, destroying sessions and delivering
  * received XML stanzas to the proper StanzaHandler.
@@ -146,6 +148,9 @@ public abstract class ConnectionHandler extends IoHandlerAdapter {
         if (cause instanceof IOException) {
             // TODO Verify if there were packets pending to be sent and decide what to do with them
             Log.info("ConnectionHandler reports IOException for session: " + session, cause);
+            if (cause instanceof SSLHandshakeException) {
+                session.close(true);
+            }
         }
         else if (cause instanceof ProtocolDecoderException) {
             Log.warn("Closing session due to exception: " + session, cause);

src/java/org/jivesoftware/openfire/nio/NIOConnection.java

@@ -367,6 +367,8 @@ public class NIOConnection implements Connection {
 
         SslFilter filter = new SslFilter(tlsContext);
         filter.setUseClientMode(clientMode);
+        // Disable SSLv3 due to POODLE vulnerability.
+        filter.setEnabledProtocols(new String[]{"TLSv1", "TLSv1.1", "TLSv1.2"});
         if (authentication == ClientAuth.needed) {
             filter.setNeedClientAuth(true);
         }