Merge pull request #416 from igniterealtime/refactor-connectionmanagement

Refactor connectionmanagement

build/build.xml

@@ -142,9 +142,6 @@
     <taskdef name="propertymerge" classname="org.jugbb.ant.propertymerge.PropertyMergeTask">
         <classpath refid="ant.dependencies" />
     </taskdef>
-    <typedef name="srcinc" classname="com.jivesoftware.tools.selector.IncludeSourceSelector" >
-        <classpath refid="ant.dependencies" />
-    </typedef>
 
     <!-- ======================================================================================= -->
     <!-- PATHs / PATTERNSETs / FILTERSETs                                                        -->
@@ -914,7 +911,6 @@
         <copy todir="${release.src.out.dir}/src">
             <fileset dir="${src.dir}">
                 <include name="**/*.java" />
-                <srcinc />
             </fileset>
             <filterset>
                 <filter token="DATE" value="${builddate}"/>
@@ -1320,11 +1316,7 @@
 
                 <!-- copy the source we want to compile -->
                 <copy todir="@{pluginlib}/source">
-                    <fileset dir="@{pluginsrc}/@{plugin}/src/java" includes="**/*.java" >
-                        <not>
-                            <srcinc />
-                        </not>
-                    </fileset>
+                    <fileset dir="@{pluginsrc}/@{plugin}/src/java" includes="**/*.java" />
                     <filterset>
                         <filter token="DATE" value="${buildJavaDate}"/>
                     </filterset>
@@ -1357,7 +1349,6 @@
                     </fileset>
                 </jar>
 
-                <!-- Clean-up our source files for the "srcinc" files -->
                 <delete dir="@{pluginlib}/classes" />
                 <delete dir="@{pluginlib}/source" />
 

build/lib/dist/log4j.xml

@@ -56,6 +56,15 @@
 		</filter>
 	</appender>
 
+	<appender name="all-out" class="org.apache.log4j.RollingFileAppender">
+		<param name="File" value="${openfireHome}/logs/all.log" />
+		<param name="MaxFileSize" value="1024KB"/>
+		<param name="MaxBackupIndex" value="5"/>
+		<layout class="org.apache.log4j.PatternLayout">
+			<param name="ConversionPattern" value="%d{yyyy.MM.dd HH:mm:ss} %-5p [%t]: %c - %m%n" />
+		</layout>
+	</appender>
+
 	<!-- OF-506: Jetty INFO messages are generally not useful. Ignore them by default. -->
 	<logger name="org.eclipse.jetty">
 		<level value="warn" />
@@ -63,6 +72,7 @@
 	
    	<root>
 		<level value="info" />
+		<appender-ref ref="all-out" />
 		<appender-ref ref="debug-out" />
 		<appender-ref ref="info-out" />
 		<appender-ref ref="warn-out" />

build/lib/versions.txt

@@ -3,9 +3,9 @@ Name                                |  Version
 ant.jar                             | Jetty 6.1.0 (1.6.5)                                          | Apache 2.0
 ant-contrib.jar                     | 1.0b1                                                        | Apache 2.0
 ant-subdirtask.jar                  | Revision 1.4 (CVS)                                           |
-bcpg-jdk15on.jar                    | 1.51                                                         | See http://www.bouncycastle.org/licence.html
-bcpkix-jdk15on.jar                  | 1.51                                                         | See http://www.bouncycastle.org/licence.html
-bcprov-jdk15on.jar                  | 1.51                                                         | See http://www.bouncycastle.org/licence.html
+bcpg-jdk15on.jar                    | 1.53                                                         | See http://www.bouncycastle.org/licence.html
+bcpkix-jdk15on.jar                  | 1.53                                                         | See http://www.bouncycastle.org/licence.html
+bcprov-jdk15on.jar                  | 1.53                                                         | See http://www.bouncycastle.org/licence.html
 cglib.jar                           | 2.1.3 (JMock 2.1.0)                                          |
 commons-lang.jar                    | 2.3                                                          | Apache 2.0
 commons-logging.jar                 | Jetty 5.1.10                                                 | Apache 2.0

src/bin/openfire.sh

@@ -114,6 +114,19 @@ if [ ! -x "$JAVACMD" ] ; then
   	exit 1
 fi
 
+for arguments in "$@"
+do
+case $arguments in
+    -debug)
+    JAVACMD="$JAVACMD -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005"
+    ;;
+    *)
+	# unknown option
+    ;;
+esac
+done
+
+
 if [ -z "$LOCALCLASSPATH" ] ; then
 	LOCALCLASSPATH=$OPENFIRE_LIB/startup.jar
 else

src/conf/modules.xml

@@ -28,7 +28,8 @@
   <module interface="org.jivesoftware.openfire.OfflineMessageStrategy" implementation="org.jivesoftware.openfire.OfflineMessageStrategy" />
   <module interface="org.jivesoftware.openfire.OfflineMessageStore" implementation="org.jivesoftware.openfire.OfflineMessageStore" />
   <module interface="org.jivesoftware.openfire.vcard.VCardManager" implementation="org.jivesoftware.openfire.vcard.VCardManager" />
-  
+  <module interface="org.jivesoftware.openfire.keystore.CertificateStoreManager" implementation="org.jivesoftware.openfire.keystore.CertificateStoreManager" />
+
   <!--  Standard Modules -->  
   <module interface="org.jivesoftware.openfire.handler.IQBindHandler" implementation="org.jivesoftware.openfire.handler.IQBindHandler" />
   <module interface="org.jivesoftware.openfire.handler.IQSessionEstablishmentHandler" implementation="org.jivesoftware.openfire.handler.IQSessionEstablishmentHandler" />

src/i18n/openfire_i18n_cs_CZ.properties

@@ -2242,18 +2242,19 @@ ports.port=Port
 ports.type=Typ
 ports.description=Popis
 ports.all_ports=V\u0161echny adresy
+ports.plaintext.desc=On this port plain-text connections are established, which, depending on configurable {0}security settings{1}, can (or must) be upgraded to encrypted connections.
+ports.legacymode.desc=Connections established on this port are established using a pre-encrypted connection. This type of connectivity is commonly referred to as the "old-style" or "legacy" method of establishing encrypted connections. Configuration details can be modified in the {0}security settings{1}.
 ports.client_to_server=Klient-server
-ports.client_to_server.desc=Standardn\u00ed port pro p\u0159ipojen\u00ed klient\u016f k serveru. Spojen\u00ed mohou, ale nemus\u00ed b\u00fdt \
-  \u0161ifrov\u00e1na. M\u016f\u017eete zm\u011bnit {0}nastaven\u00ed zabezpe\u010den\u00ed{1} pro tento port.
-ports.client_to_server.desc_old_ssl=Port pou\u017e\u00edvan\u00fd klienty pro p\u0159ipojen\u00ed k serveru pou\u017eit\u00edm star\u00e9ho SSL zp\u016fsobu. \
-  Star\u00fd zp\u016fsob SSL nen\u00ed standardn\u00edm XMPP zp\u016fsobem a bude v budoucnu zru\u0161en.  M\u016f\u017eete zm\u011bnit \
-  {0}nastaven\u00ed zabezpe\u010den\u00ed{1} pro tento port.
+ports.client_to_server.desc=Standardn\u00ed port pro p\u0159ipojen\u00ed klient\u016f k serveru.
+ports.client_to_server.desc_old_ssl=Port pou\u017e\u00edvan\u00fd klienty pro p\u0159ipojen\u00ed k serveru pou\u017eit\u00edm star\u00e9ho SSL zp\u016fsobu.
 ports.server_to_server=Server-server
-ports.server_to_server.desc=Port pou\u017e\u00edvan\u00fd {0}vzd\u00e1len\u00fdmi servery{1} pro p\u0159ipojen\u00ed k tomuto serveru.
+ports.server_to_server.desc=Port pou\u017e\u00edvan\u00fd vzd\u00e1len\u00fdmi servery pro p\u0159ipojen\u00ed k tomuto serveru.
 ports.connection_manager=Spr\u00e1vce p\u0159ipojen\u00ed
-ports.connection_manager.desc=Port pou\u017e\u00edvan\u00fd {0}spr\u00e1vci p\u0159ipojen\u00ed{1} pro p\u0159ipojen\u00ed k serveru.
+ports.connection_manager.desc=Port pou\u017e\u00edvan\u00fd spr\u00e1vci p\u0159ipojen\u00ed pro p\u0159ipojen\u00ed k serveru.
+ports.connection_manager.desc_old_ssl=The port used for connection managers to the server using the old SSL/TLS method.
 ports.external_components=Extern\u00ed komponenty
-ports.external_components.desc=Port pou\u017e\u00edvan\u00fd  {0}extern\u00edmi komponentami{1} pro p\u0159ipojen\u00ed k serveru.
+ports.external_components.desc=Port pou\u017e\u00edvan\u00fd extern\u00edmi komponentami pro p\u0159ipojen\u00ed k serveru.
+ports.external_components.desc_old_ssl=The port used for external components to the server using the old SSL/TLS method.
 ports.admin_console=Administr\u00e1torsk\u00e1 konzole
 ports.admin_console.desc_unsecured=Port pou\u017e\u00edvan\u00fd pro nezabezpe\u010den\u00fd p\u0159\u00edstup k administr\u00e1torsk\u00e9 konzoli.
 ports.admin_console.desc_secured=Port pou\u017e\u00edvan\u00fd pro zabezpe\u010den\u00fd p\u0159\u00edstup k administr\u00e1torsk\u00e9 konzoli.
@@ -2323,16 +2324,18 @@ ssl.import.certificate.keystore.private-key=Content of Private Key file:
 ssl.import.certificate.keystore.certificate=Content of Certificate file:
 ssl.import.certificate.keystore.error.private-key=Please specify the content of the private key.
 ssl.import.certificate.keystore.error.certificate=Please specify the content of the certificate to import.
-ssl.import.certificate.keystore.error.import=There was an error one importing private key and signed certificate.
+ssl.import.certificate.keystore.error.import=There was an error while trying to import the private key and signed certificate.
 
 # Import truststore certificate page
 
-ssl.import.certificate.keystore.error.type=Type has not been specified (or is unrecognized).
-ssl.import.certificate.keystore.error.alias-missing=Please provide an alias for this certificate.
-ssl.import.certificate.keystore.error.alias-exists=A certificate is already stored using this alias. Please provide a different alias, or remove the existing certificate.
-ssl.import.certificate.keystore.c2s-intro=Use the form below to import a certificate that represents a trusted party, to be used when verifying certificates during client-to-server communication.
-ssl.import.certificate.keystore.s2s-intro=Use the form below to import a certificate that represents a trusted party, to be used when verifying certificates during server-to-server communication.
-
+ssl.import.certificate.truststore.boxtitle=Import CA Certificate
+ssl.import.certificate.truststore.error.connection-type=Connection Type has not been specified (or is unrecognized).
+ssl.import.certificate.truststore.error.alias-missing=Please provide an alias for this certificate.
+ssl.import.certificate.truststore.error.alias-exists=A certificate is already stored using this alias. Please provide a different alias, or remove the existing certificate.
+ssl.import.certificate.truststore.error.certificate=Please specify the content of the certificate to import.
+ssl.import.certificate.truststore.error.import=There was an error while trying to import the certificate.
+ssl.import.certificate.truststore.intro=Use the form below to import a certificate that represents a trusted party that can be used when verifying peer certificates while establishing encrypted communication.
+ssl.import.certificate.truststore.intro=Use the form below to import a certificate that represents a trusted party that can be used when verifying peer certificates while establishing encrypted communication.
 
 # Room Occupants Page
 

src/i18n/openfire_i18n_de.properties

@@ -2130,18 +2130,19 @@ ports.port=Port
 ports.type=Type
 ports.description=Description
 ports.all_ports=All addresses
+ports.plaintext.desc=On this port plain-text connections are established, which, depending on configurable {0}security settings{1}, can (or must) be upgraded to encrypted connections.
+ports.legacymode.desc=Connections established on this port are established using a pre-encrypted connection. This type of connectivity is commonly referred to as the "old-style" or "legacy" method of establishing encrypted connections. Configuration details can be modified in the {0}security settings{1}.
 ports.client_to_server=Client to server
-ports.client_to_server.desc=The standard port for clients to connect to the server. Connections may or may not be \
-  encrypted. You can update the {0}security settings{1} for this port.
-ports.client_to_server.desc_old_ssl=The port used for clients to connect to the server using the old SSL method. \
-  The old SSL method is not an XMPP standard method and will be deprecated in the future.  You can update the \
-  {0}security  settings{1} for this port.
+ports.client_to_server.desc=The standard port for clients to connect to the server.
+ports.client_to_server.desc_old_ssl=The port used for clients to connect to the server using the old SSL/TLS method.
 ports.server_to_server=Server to Server
-ports.server_to_server.desc=The port used for {0}remote servers{1} to connect to this server.
+ports.server_to_server.desc=The port used for remote servers to connect to this server.
 ports.connection_manager=Connection Manager
-ports.connection_manager.desc=The port used for {0}connection managers{1} to connect to the server.
+ports.connection_manager.desc=The port used for connection managers to connect to the server.
+ports.connection_manager.desc_old_ssl=The port used for connection managers to the server using the old SSL/TLS method.
 ports.external_components=External Components
-ports.external_components.desc=The port used for {0}external components{1} to connect to the server.
+ports.external_components.desc=The port used for external components to connect to the server.
+ports.external_components.desc_old_ssl=The port used for external components to the server using the old SSL/TLS method.
 ports.admin_console=Admin Console
 ports.admin_console.desc_unsecured=The port used for unsecured Admin Console access.
 ports.admin_console.desc_secured=The port used for secured Admin Console access.
@@ -2287,15 +2288,17 @@ ssl.import.certificate.keystore.private-key=Content of Private Key file:
 ssl.import.certificate.keystore.certificate=Content of Certificate file:
 ssl.import.certificate.keystore.error.private-key=Please specify the content of the private key.
 ssl.import.certificate.keystore.error.certificate=Please specify the content of the certificate to import.
-ssl.import.certificate.keystore.error.import=There was an error one importing private key and signed certificate.
+ssl.import.certificate.keystore.error.import=There was an error while trying to import the private key and signed certificate.
 
 # Import truststore certificate page
 
-ssl.import.certificate.keystore.error.type=Type has not been specified (or is unrecognized).
-ssl.import.certificate.keystore.error.alias-missing=Please provide an alias for this certificate.
-ssl.import.certificate.keystore.error.alias-exists=A certificate is already stored using this alias. Please provide a different alias, or remove the existing certificate.
-ssl.import.certificate.keystore.c2s-intro=Use the form below to import a certificate that represents a trusted party, to be used when verifying certificates during client-to-server communication.
-ssl.import.certificate.keystore.s2s-intro=Use the form below to import a certificate that represents a trusted party, to be used when verifying certificates during server-to-server communication.
+ssl.import.certificate.truststore.boxtitle=Import CA Certificate
+ssl.import.certificate.truststore.error.connection-type=Connection Type has not been specified (or is unrecognized).
+ssl.import.certificate.truststore.error.alias-missing=Please provide an alias for this certificate.
+ssl.import.certificate.truststore.error.alias-exists=A certificate is already stored using this alias. Please provide a different alias, or remove the existing certificate.
+ssl.import.certificate.truststore.error.certificate=Please specify the content of the certificate to import.
+ssl.import.certificate.truststore.error.import=There was an error while trying to import the certificate.
+ssl.import.certificate.truststore.intro=Use the form below to import a certificate that represents a trusted party that can be used when verifying peer certificates while establishing encrypted communication.
 
 # Room Occupants Page
 

src/i18n/openfire_i18n_es.properties

@@ -2219,18 +2219,19 @@ ports.port=Puerto
 ports.type=Tipo
 ports.description=Descripci\u00f3n
 ports.all_ports=Todas direcciones
+ports.plaintext.desc=On this port plain-text connections are established, which, depending on configurable {0}security settings{1}, can (or must) be upgraded to encrypted connections.
+ports.legacymode.desc=Connections established on this port are established using a pre-encrypted connection. This type of connectivity is commonly referred to as the "old-style" or "legacy" method of establishing encrypted connections. Configuration details can be modified in the {0}security settings{1}.
 ports.client_to_server=Cliente-Servidor
-ports.client_to_server.desc=El puerto estandar utilizado por clientes para conectarse al servidor. Conexiones pueden \
-  o no estar encriptadas. Puede modificar la {0}configuraci\u00f3n{1} para este puerto.
-ports.client_to_server.desc_old_ssl=El puerto utilizado por clientes para conectarse al servidor usando el viejo \
-  m\u00e9todo de SSL. El m\u00e9todo de SSL no es un m\u00e9todo estandar y ser\u00e1 removido en el futuro.  Puede \
-  modificar la {0}configuraci\u00f3n{1} para este puerto
+ports.client_to_server.desc=El puerto estandar utilizado por clientes para conectarse al servidor.
+ports.client_to_server.desc_old_ssl=El puerto utilizado por clientes para conectarse al servidor usando el viejo m\u00e9todo de SSL.
 ports.server_to_server=Servidor-Servidor
-ports.server_to_server.desc=Puerto utilizado por {0}servidores remotos{1} para conectarse al servidor.
+ports.server_to_server.desc=Puerto utilizado por servidores remotos para conectarse al servidor.
 ports.connection_manager=Administrador de Conexiones
-ports.connection_manager.desc=Puerto utilizado por {0}administradores de conexiones{1} para conectarse al servidor.
+ports.connection_manager.desc=Puerto utilizado por administradores de conexiones para conectarse al servidor.
+ports.connection_manager.desc_old_ssl=The port used for connection managers to the server using the old SSL/TLS method.
 ports.external_components=Componentes externos
-ports.external_components.desc=Puerto utilizado por {0}componentes externos{1} para conectarse al servidor.
+ports.external_components.desc=Puerto utilizado por componentes externos para conectarse al servidor.
+ports.external_components.desc_old_ssl=The port used for external components to the server using the old SSL/TLS method.
 ports.admin_console=Consola de Administraci\u00f3n
 ports.admin_console.desc_unsecured=Puerto utilizado para conexiones inseguras a la consola de administraci\u00f3n.
 ports.admin_console.desc_secured=Puerto utilizado para conexiones seguras a la consola de administraci\u00f3n.
@@ -2334,14 +2335,15 @@ ssl.import.certificate.keystore.error.import=Un error ha ocurrido al intentar im
 
 # Import truststore certificate page
 
-ssl.import.certificate.keystore.error.type=El tipo no se ha especificado (o no se reconoce)
-ssl.import.certificate.keystore.error.alias-missing=Por favor indique un alias para este certificado.
-ssl.import.certificate.keystore.error.alias-exists=Ya existe un certificado con este alias. Por favor indique un alias \
+ssl.import.certificate.truststore.boxtitle=Import CA Certificate
+ssl.import.certificate.truststore.error.connection-type=El tipo no se ha especificado (o no se reconoce)
+ssl.import.certificate.truststore.error.alias-missing=Por favor indique un alias para este certificado.
+ssl.import.certificate.truststore.error.alias-exists=Ya existe un certificado con este alias. Por favor indique un alias \
   diferente, o elimine el certificado existente.
-ssl.import.certificate.keystore.c2s-intro=Use el siguiente formulario para importar un certificado de confianza para ser usado \
-  al verificar certificados durante la comunicaci\u00f3n de cliente a servidor.
-ssl.import.certificate.keystore.s2s-intro=Use el siguiente formulario para importar un certificado de confianza para ser usado \
-  al verificar certificados durante la comunicaci\u00f3n de servidor a servidor.
+ssl.import.certificate.truststore.error.certificate=Especifique el contenido del certificado a importar.
+ssl.import.certificate.truststore.error.import=Un error ha ocurrido al intentar importar un certificado firmado.
+ssl.import.certificate.keystore.intro=Use el siguiente formulario para importar un certificado de confianza para ser usado \
+  al verificar certificados durante la comunicaci\u00f3n.
 
 sidebar.user-roster=Lista de Contactos
 sidebar.user-roster.descr=Haga clic para ver la lista de contactos de usuarios

src/i18n/openfire_i18n_fr.properties

@@ -1797,18 +1797,19 @@ ports.port=Port
 ports.type=Type
 ports.description=Description
 ports.all_ports=All addresses
+ports.plaintext.desc=On this port plain-text connections are established, which, depending on configurable {0}security settings{1}, can (or must) be upgraded to encrypted connections.
+ports.legacymode.desc=Connections established on this port are established using a pre-encrypted connection. This type of connectivity is commonly referred to as the "old-style" or "legacy" method of establishing encrypted connections. Configuration details can be modified in the {0}security settings{1}.
 ports.client_to_server=Client to server
-ports.client_to_server.desc=The standard port for clients to connect to the server. Connections may or may not be \
-  encrypted. You can update the {0}security settings{1} for this port.
-ports.client_to_server.desc_old_ssl=The port used for clients to connect to the server using the old SSL method. \
-  The old SSL method is not an XMPP standard method and will be deprecated in the future.  You can update the \
-  {0}security  settings{1} for this port.
+ports.client_to_server.desc=The standard port for clients to connect to the server.
+ports.client_to_server.desc_old_ssl=The port used for clients to connect to the server using the old SSL/TLS method.
 ports.server_to_server=Server to Server
-ports.server_to_server.desc=The port used for {0}remote servers{1} to connect to this server.
+ports.server_to_server.desc=The port used for remote servers to connect to this server.
 ports.connection_manager=Connection Manager
-ports.connection_manager.desc=The port used for {0}connection managers{1} to connect to the server.
+ports.connection_manager.desc=The port used for connection managers to connect to the server.
+ports.connection_manager.desc_old_ssl=The port used for connection managers to the server using the old SSL/TLS method.
 ports.external_components=External Components
-ports.external_components.desc=The port used for {0}external components{1} to connect to the server.
+ports.external_components.desc=The port used for external components to connect to the server.
+ports.external_components.desc_old_ssl=The port used for external components to the server using the old SSL/TLS method.
 ports.admin_console=Admin Console
 ports.admin_console.desc_unsecured=The port used for unsecured Admin Console access.
 ports.admin_console.desc_secured=The port used for secured Admin Console access.
@@ -1899,15 +1900,17 @@ ssl.import.certificate.keystore.private-key=Content of Private Key file:
 ssl.import.certificate.keystore.certificate=Content of Certificate file:
 ssl.import.certificate.keystore.error.private-key=Please specify the content of the private key.
 ssl.import.certificate.keystore.error.certificate=Please specify the content of the certificate to import.
-ssl.import.certificate.keystore.error.import=There was an error one importing private key and signed certificate.
+ssl.import.certificate.keystore.error.import=There was an error while trying to import the private key and signed certificate.
 
 # Import truststore certificate page
 
-ssl.import.certificate.keystore.error.type=Type has not been specified (or is unrecognized).
-ssl.import.certificate.keystore.error.alias-missing=Please provide an alias for this certificate.
-ssl.import.certificate.keystore.error.alias-exists=A certificate is already stored using this alias. Please provide a different alias, or remove the existing certificate.
-ssl.import.certificate.keystore.c2s-intro=Use the form below to import a certificate that represents a trusted party, to be used when verifying certificates during client-to-server communication.
-ssl.import.certificate.keystore.s2s-intro=Use the form below to import a certificate that represents a trusted party, to be used when verifying certificates during server-to-server communication.
+ssl.import.certificate.truststore.boxtitle=Import CA Certificate
+ssl.import.certificate.truststore.error.connection-type=Connection Type has not been specified (or is unrecognized).
+ssl.import.certificate.truststore.error.alias-missing=Please provide an alias for this certificate.
+ssl.import.certificate.truststore.error.alias-exists=A certificate is already stored using this alias. Please provide a different alias, or remove the existing certificate.
+ssl.import.certificate.truststore.error.certificate=Please specify the content of the certificate to import.
+ssl.import.certificate.truststore.error.import=There was an error while trying to import the certificate.
+ssl.import.certificate.truststore.intro=Use the form below to import a certificate that represents a trusted party that can be used when verifying peer certificates while establishing encrypted communication.
 
 # Room Occupants Page
 

src/i18n/openfire_i18n_ja_JP.properties

@@ -2224,18 +2224,19 @@ ports.port=\u30dd\u30fc\u30c8
 ports.type=\u30bf\u30a4\u30d7
 ports.description=\u8a73\u7d30
 ports.all_ports=\u5168\u90e8\u306e\u30a2\u30c9\u30ec\u30b9
+ports.plaintext.desc=On this port plain-text connections are established, which, depending on configurable {0}security settings{1}, can (or must) be upgraded to encrypted connections.
+ports.legacymode.desc=Connections established on this port are established using a pre-encrypted connection. This type of connectivity is commonly referred to as the "old-style" or "legacy" method of establishing encrypted connections. Configuration details can be modified in the {0}security settings{1}.
 ports.client_to_server=\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u304b\u3089\u30b5\u30fc\u30d0\u30fc
-ports.client_to_server.desc=\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u304c\u30b5\u30fc\u30d0\u3078\u63a5\u7d9a\u3059\u308b\u305f\u3081\u306e\u6a19\u6e96\u30dd\u30fc\u30c8\u3067\u3059\u3002\u63a5\u7d9a\u306f\u6697\u53f7\u5316\u3055\u308c\u3066\u3044\u308b\u304b\u3082\u3057\u308c\u307e\u305b\u3093\u3057\u3001\
-   \u3055\u308c\u3066\u3044\u306a\u3044\u304b\u3082\u3057\u308c\u307e\u305b\u3093\u3002\u3053\u306e\u30dd\u30fc\u30c8\u306b\u5bfe\u3059\u308b{0}\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u8a2d\u5b9a{1}\u3092\u66f4\u65b0\u3059\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002
-ports.client_to_server.desc_old_ssl=\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u306b\u5bfe\u3057\u3066\u53e4\u3044SSL\u63a5\u7d9a\u65b9\u6cd5\u3092\u4f7f\u7528\u3057\u3066\u30b5\u30fc\u30d0\u30fc\u306b\u63a5\u7d9a\u3059\u308b\u305f\u3081\u306b\u4f7f\u7528\u3055\u308c\u308b\u30dd\u30fc\u30c8\u3067\u3059\u3002\
-  \u65e7\u5f0f\u306eSSL\u63a5\u7d9a\u65b9\u6cd5\u306fXMPP\u6a19\u6e96\u306e\u65b9\u6cd5\u3067\u306f\u306a\u304f\u3001\u307e\u305f\u5c06\u6765\u7684\u306b\u306f\u4f7f\u7528\u3092\u975e\u63a8\u5968\u3055\u308c\u308b\u3067\u3057\u3087\u3046\u3002\
-  \u3053\u306e\u30dd\u30fc\u30c8\u306b\u5bfe\u3059\u308b{0}\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u8a2d\u5b9a{1}\u3092\u66f4\u65b0\u3057\u3066\u304f\u3060\u3055\u3044\u3002
+ports.client_to_server.desc=The standard port for clients to connect to the server.
+ports.client_to_server.desc_old_ssl=The port used for clients to connect to the server using the old SSL/TLS method.
 ports.server_to_server=\u30b5\u30fc\u30d0\u30fc\u9593\u63a5\u7d9a
-ports.server_to_server.desc=\u3053\u306e\u30b5\u30fc\u30d0\u30fc\u306b\u63a5\u7d9a\u3059\u308b{0}\u30ea\u30e2\u30fc\u30c8\u30b5\u30fc\u30d0\u30fc{1}\u306b\u4f7f\u7528\u3055\u308c\u308b\u30dd\u30fc\u30c8\u3067\u3059\u3002
+ports.server_to_server.desc=\u3053\u306e\u30b5\u30fc\u30d0\u30fc\u306b\u63a5\u7d9a\u3059\u308b\u30ea\u30e2\u30fc\u30c8\u30b5\u30fc\u30d0\u30fc\u306b\u4f7f\u7528\u3055\u308c\u308b\u30dd\u30fc\u30c8\u3067\u3059\u3002
 ports.connection_manager=\u63a5\u7d9a\u30de\u30cd\u30fc\u30b8\u30e3
-ports.connection_manager.desc=\u30b5\u30fc\u30d0\u30fc\u306b\u63a5\u7d9a\u3059\u308b\u305f\u3081\u306e{0}\u63a5\u7d9a\u30de\u30cd\u30fc\u30b8\u30e3{1}\u304c\u4f7f\u7528\u3059\u308b\u30dd\u30fc\u30c8\u3067\u3059\u3002
+ports.connection_manager.desc=\u30b5\u30fc\u30d0\u30fc\u306b\u63a5\u7d9a\u3059\u308b\u305f\u3081\u306e\u63a5\u7d9a\u30de\u30cd\u30fc\u30b8\u30e3\u304c\u4f7f\u7528\u3059\u308b\u30dd\u30fc\u30c8\u3067\u3059\u3002
+ports.connection_manager.desc_old_ssl=The port used for connection managers to the server using the old SSL/TLS method.
 ports.external_components=\u5916\u90e8\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8
-ports.external_components.desc=\u30b5\u30fc\u30d0\u30fc\u306b\u63a5\u7d9a\u3059\u308b\u305f\u3081\u306b{0}\u5916\u90e8\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8{1}\u304c\u4f7f\u7528\u3059\u308b\u30dd\u30fc\u30c8\u3067\u3059\u3002
+ports.external_components.desc=\u30b5\u30fc\u30d0\u30fc\u306b\u63a5\u7d9a\u3059\u308b\u305f\u3081\u306b\u5916\u90e8\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8\u304c\u4f7f\u7528\u3059\u308b\u30dd\u30fc\u30c8\u3067\u3059\u3002
+ports.external_components.desc_old_ssl=The port used for external components to the server using the old SSL/TLS method.
 ports.admin_console=\u7ba1\u7406\u30b3\u30f3\u30bd\u30fc\u30eb
 ports.admin_console.desc_unsecured=\u30bb\u30ad\u30e5\u30a2\u30fc\u3067\u306a\u3044\u7ba1\u7406\u30b3\u30f3\u30bd\u30fc\u30eb\u30a2\u30af\u30bb\u30b9\u306e\u305f\u3081\u306b\u4f7f\u7528\u3059\u308b\u30dd\u30fc\u30c8\u3067\u3059\u3002
 ports.admin_console.desc_secured=\u30bb\u30ad\u30e5\u30a2\u30fc\u306a\u7ba1\u7406\u30b3\u30f3\u30bd\u30fc\u30eb\u30a2\u30af\u30bb\u30b9\u306e\u305f\u3081\u306b\u4f7f\u7528\u3059\u308b\u30dd\u30fc\u30c8\u3067\u3059\u3002
@@ -2302,11 +2303,13 @@ ssl.import.certificate.keystore.error.import=\u79d8\u5bc6\u30ad\u30fc\u3068\u7f7
 
 # Import truststore certificate page
 
-ssl.import.certificate.keystore.error.type=Type has not been specified (or is unrecognized).
-ssl.import.certificate.keystore.error.alias-missing=Please provide an alias for this certificate.
-ssl.import.certificate.keystore.error.alias-exists=A certificate is already stored using this alias. Please provide a different alias, or remove the existing certificate.
-ssl.import.certificate.keystore.c2s-intro=Use the form below to import a certificate that represents a trusted party, to be used when verifying certificates during client-to-server communication.
-ssl.import.certificate.keystore.s2s-intro=Use the form below to import a certificate that represents a trusted party, to be used when verifying certificates during server-to-server communication.
+ssl.import.certificate.truststore.boxtitle=Import CA Certificate
+ssl.import.certificate.truststore.error.connection-type=Connection Type has not been specified (or is unrecognized).
+ssl.import.certificate.truststore.error.alias-missing=Please provide an alias for this certificate.
+ssl.import.certificate.truststore.error.alias-exists=A certificate is already stored using this alias. Please provide a different alias, or remove the existing certificate.
+ssl.import.certificate.truststore.error.certificate=Please specify the content of the certificate to import.
+ssl.import.certificate.truststore.error.import=There was an error while trying to import the certificate.
+ssl.import.certificate.truststore.intro=Use the form below to import a certificate that represents a trusted party that can be used when verifying peer certificates while establishing encrypted communication.
 
 # Room Occupants Page
 

src/i18n/openfire_i18n_nl.properties

@@ -2126,22 +2126,23 @@ profile-settings.ldap_mapping_info=LDAP Settings
 # Ports section/page
 
 ports.interface=Interface
-ports.port=Port
+ports.port=Poort
 ports.type=Type
-ports.description=Description
-ports.all_ports=All addresses
+ports.description=Omschrijving
+ports.all_ports=Alle addressen
+ports.plaintext.desc=On this port plain-text connections are established, which, depending on configurable {0}security settings{1}, can (or must) be upgraded to encrypted connections.
+ports.legacymode.desc=Connections established on this port are established using a pre-encrypted connection. This type of connectivity is commonly referred to as the "old-style" or "legacy" method of establishing encrypted connections. Configuration details can be modified in the {0}security settings{1}.
 ports.client_to_server=Client to server
-ports.client_to_server.desc=The standard port for clients to connect to the server. Connections may or may not be \
-  encrypted. You can update the {0}security settings{1} for this port.
-ports.client_to_server.desc_old_ssl=The port used for clients to connect to the server using the old SSL method. \
-  The old SSL method is not an XMPP standard method and will be deprecated in the future.  You can update the \
-  {0}security  settings{1} for this port.
+ports.client_to_server.desc=The standard port for clients to connect to the server.
+ports.client_to_server.desc_old_ssl=The port used for clients to connect to the server using the old SSL/TLS method.
 ports.server_to_server=Server to Server
-ports.server_to_server.desc=The port used for {0}remote servers{1} to connect to this server.
+ports.server_to_server.desc=The port used for remote servers to connect to this server.
 ports.connection_manager=Connection Manager
-ports.connection_manager.desc=The port used for {0}connection managers{1} to connect to the server.
+ports.connection_manager.desc=The port used for connection managers to connect to the server.
+ports.connection_manager.desc_old_ssl=The port used for connection managers to the server using the old SSL/TLS method.
 ports.external_components=External Components
-ports.external_components.desc=The port used for {0}external components{1} to connect to the server.
+ports.external_components.desc=The port used for external components to connect to the server.
+ports.external_components.desc_old_ssl=The port used for external components to the server using the old SSL/TLS method.
 ports.admin_console=Admin Console
 ports.admin_console.desc_unsecured=The port used for unsecured Admin Console access.
 ports.admin_console.desc_secured=The port used for secured Admin Console access.
@@ -2283,15 +2284,17 @@ ssl.import.certificate.keystore.private-key=Content of Private Key file:
 ssl.import.certificate.keystore.certificate=Content of Certificate file:
 ssl.import.certificate.keystore.error.private-key=Please specify the content of the private key.
 ssl.import.certificate.keystore.error.certificate=Please specify the content of the certificate to import.
-ssl.import.certificate.keystore.error.import=There was an error one importing private key and signed certificate.
+ssl.import.certificate.keystore.error.import=There was an error while trying to import the private key and signed certificate.
 
 # Import truststore certificate page
 
-ssl.import.certificate.keystore.error.type=Type has not been specified (or is unrecognized).
-ssl.import.certificate.keystore.error.alias-missing=Please provide an alias for this certificate.
-ssl.import.certificate.keystore.error.alias-exists=A certificate is already stored using this alias. Please provide a different alias, or remove the existing certificate.
-ssl.import.certificate.keystore.c2s-intro=Use the form below to import a certificate that represents a trusted party, to be used when verifying certificates during client-to-server communication.
-ssl.import.certificate.keystore.s2s-intro=Use the form below to import a certificate that represents a trusted party, to be used when verifying certificates during server-to-server communication.
+ssl.import.certificate.truststore.boxtitle=Import CA Certificate
+ssl.import.certificate.truststore.error.connection-type=Connection Type has not been specified (or is unrecognized).
+ssl.import.certificate.truststore.error.alias-missing=Please provide an alias for this certificate.
+ssl.import.certificate.truststore.error.alias-exists=A certificate is already stored using this alias. Please provide a different alias, or remove the existing certificate.
+ssl.import.certificate.truststore.error.certificate=Please specify the content of the certificate to import.
+ssl.import.certificate.truststore.error.import=There was an error while trying to import the certificate.
+ssl.import.certificate.truststore.intro=Use the form below to import a certificate that represents a trusted party that can be used when verifying peer certificates while establishing encrypted communication.
 
 
 # Room Occupants Page

src/i18n/openfire_i18n_pl_PL.properties

@@ -2111,18 +2111,19 @@ ports.port=Port
 ports.type=Type
 ports.description=Description
 ports.all_ports=All addresses
+ports.plaintext.desc=On this port plain-text connections are established, which, depending on configurable {0}security settings{1}, can (or must) be upgraded to encrypted connections.
+ports.legacymode.desc=Connections established on this port are established using a pre-encrypted connection. This type of connectivity is commonly referred to as the "old-style" or "legacy" method of establishing encrypted connections. Configuration details can be modified in the {0}security settings{1}.
 ports.client_to_server=Client to server
-ports.client_to_server.desc=The standard port for clients to connect to the server. Connections may or may not be \
-  encrypted. You can update the {0}security settings{1} for this port.
-ports.client_to_server.desc_old_ssl=The port used for clients to connect to the server using the old SSL method. \
-  The old SSL method is not an XMPP standard method and will be deprecated in the future.  You can update the \
-  {0}security  settings{1} for this port.
+ports.client_to_server.desc=The standard port for clients to connect to the server.
+ports.client_to_server.desc_old_ssl=The port used for clients to connect to the server using the old SSL/TLS method.
 ports.server_to_server=Server to Server
-ports.server_to_server.desc=The port used for {0}remote servers{1} to connect to this server.
+ports.server_to_server.desc=The port used for remote servers to connect to this server.
 ports.connection_manager=Connection Manager
-ports.connection_manager.desc=The port used for {0}connection managers{1} to connect to the server.
+ports.connection_manager.desc=The port used for connection managers to connect to the server.
+ports.connection_manager.desc_old_ssl=The port used for connection managers to the server using the old SSL/TLS method.
 ports.external_components=External Components
-ports.external_components.desc=The port used for {0}external components{1} to connect to the server.
+ports.external_components.desc=The port used for external components to connect to the server.
+ports.external_components.desc_old_ssl=The port used for external components to the server using the old SSL/TLS method.
 ports.admin_console=Admin Console
 ports.admin_console.desc_unsecured=The port used for unsecured Admin Console access.
 ports.admin_console.desc_secured=The port used for secured Admin Console access.
@@ -2258,15 +2259,17 @@ ssl.import.certificate.keystore.private-key=Content of Private Key file:
 ssl.import.certificate.keystore.certificate=Content of Certificate file:
 ssl.import.certificate.keystore.error.private-key=Please specify the content of the private key.
 ssl.import.certificate.keystore.error.certificate=Please specify the content of the certificate to import.
-ssl.import.certificate.keystore.error.import=There was an error one importing private key and signed certificate.
+ssl.import.certificate.keystore.error.import=There was an error while trying to import the private key and signed certificate.
 
 # Import truststore certificate page
 
-ssl.import.certificate.keystore.error.type=Type has not been specified (or is unrecognized).
-ssl.import.certificate.keystore.error.alias-missing=Please provide an alias for this certificate.
-ssl.import.certificate.keystore.error.alias-exists=A certificate is already stored using this alias. Please provide a different alias, or remove the existing certificate.
-ssl.import.certificate.keystore.c2s-intro=Use the form below to import a certificate that represents a trusted party, to be used when verifying certificates during client-to-server communication.
-ssl.import.certificate.keystore.s2s-intro=Use the form below to import a certificate that represents a trusted party, to be used when verifying certificates during server-to-server communication.
+ssl.import.certificate.truststore.boxtitle=Import CA Certificate
+ssl.import.certificate.truststore.error.connection-type=Connection Type has not been specified (or is unrecognized).
+ssl.import.certificate.truststore.error.alias-missing=Please provide an alias for this certificate.
+ssl.import.certificate.truststore.error.alias-exists=A certificate is already stored using this alias. Please provide a different alias, or remove the existing certificate.
+ssl.import.certificate.truststore.error.certificate=Please specify the content of the certificate to import.
+ssl.import.certificate.truststore.error.import=There was an error while trying to import the certificate.
+ssl.import.certificate.truststore.intro=Use the form below to import a certificate that represents a trusted party that can be used when verifying peer certificates while establishing encrypted communication.
 
 # Room Occupants Page
 

src/i18n/openfire_i18n_pt_BR.properties

@@ -2210,18 +2210,19 @@ ports.port=Porta
 ports.type=Tipo
 ports.description=Descri\u00e7\u00e3o
 ports.all_ports=Todos Endere\u00e7os
+ports.plaintext.desc=On this port plain-text connections are established, which, depending on configurable {0}security settings{1}, can (or must) be upgraded to encrypted connections.
+ports.legacymode.desc=Connections established on this port are established using a pre-encrypted connection. This type of connectivity is commonly referred to as the "old-style" or "legacy" method of establishing encrypted connections. Configuration details can be modified in the {0}security settings{1}.
 ports.client_to_server=Cliente-Servidor
-ports.client_to_server.desc=Porta padr\u00e3o para conex\u00e3o ao servidor. Conex\u00f5es podem ou n\u00e3o serem encriptadas.\
- Voc� pode alterar as {0}configura\u00e7\u00f5es de seguran\u00e7a{1} para esta porta.
-ports.client_to_server.desc_old_ssl=A Porta utilizadas pelos clientes para se conectarem utilizando o antigo SSL. \
-  O antigo SSL n\u00e3o \u00e9 padr\u00e3o XMPP e cair\u00e1 em desuso. Voc\u00ea pode atualizar as \
-  {0}configura��es de seguran�a{1} para esta porta.
+ports.client_to_server.desc=Porta padr\u00e3o para conex\u00e3o ao servidor. Conex\u00f5es podem ou n\u00e3o serem encriptadas.
+ports.client_to_server.desc_old_ssl=A Porta utilizadas pelos clientes para se conectarem utilizando o antigo SSL.
 ports.server_to_server=Servidor-Servidor
-ports.server_to_server.desc=A Porta utilizada por {0}servidores remotos{1} para connectarem-se a este servidor.
+ports.server_to_server.desc=A Porta utilizada por servidores remotos para connectarem-se a este servidor.
 ports.connection_manager=Gerenciador de Conex\u00f5es
-ports.connection_manager.desc=A Porta utilizada para {0}Gerenciadores de Conex\u00e3o{1} se conectarem a este servidor.
+ports.connection_manager.desc=A Porta utilizada para Gerenciadores de Conex\u00e3o se conectarem a este servidor.
+ports.connection_manager.desc_old_ssl=The port used for connection managers to the server using the old SSL/TLS method.
 ports.external_components=Componentes Externos
-ports.external_components.desc=A Porta utilizada para {0}componentes externos{1} para conectarem-se a este servidor.
+ports.external_components.desc=A Porta utilizada para componentes externos para conectarem-se a este servidor.
+ports.external_components.desc_old_ssl=The port used for external components to the server using the old SSL/TLS method.
 ports.admin_console=Console Administrativo
 ports.admin_console.desc_unsecured=Porta utilizada para conex\u00e3o insegura ao Console Administrativo.
 ports.admin_console.desc_secured=Porta utilizada para conex\u00e3o segura ao Console Administrativo.
@@ -2290,15 +2291,17 @@ ssl.import.certificate.keystore.private-key=Content of Private Key file:
 ssl.import.certificate.keystore.certificate=Content of Certificate file:
 ssl.import.certificate.keystore.error.private-key=Please specify the content of the private key.
 ssl.import.certificate.keystore.error.certificate=Please specify the content of the certificate to import.
-ssl.import.certificate.keystore.error.import=There was an error one importing private key and signed certificate.
+ssl.import.certificate.keystore.error.import=There was an error while trying to import the private key and signed certificate.
 
 # Import truststore certificate page
 
-ssl.import.certificate.keystore.error.type=Type has not been specified (or is unrecognized).
-ssl.import.certificate.keystore.error.alias-missing=Please provide an alias for this certificate.
-ssl.import.certificate.keystore.error.alias-exists=A certificate is already stored using this alias. Please provide a different alias, or remove the existing certificate.
-ssl.import.certificate.keystore.c2s-intro=Use the form below to import a certificate that represents a trusted party, to be used when verifying certificates during client-to-server communication.
-ssl.import.certificate.keystore.s2s-intro=Use the form below to import a certificate that represents a trusted party, to be used when verifying certificates during server-to-server communication.
+ssl.import.certificate.truststore.boxtitle=Import CA Certificate
+ssl.import.certificate.truststore.error.connection-type=Connection Type has not been specified (or is unrecognized).
+ssl.import.certificate.truststore.error.alias-missing=Please provide an alias for this certificate.
+ssl.import.certificate.truststore.error.alias-exists=A certificate is already stored using this alias. Please provide a different alias, or remove the existing certificate.
+ssl.import.certificate.truststore.error.certificate=Please specify the content of the certificate to import.
+ssl.import.certificate.truststore.error.import=There was an error while trying to import the certificate.
+ssl.import.certificate.truststore.intro=Use the form below to import a certificate that represents a trusted party that can be used when verifying peer certificates while establishing encrypted communication.
 
 # Room Occupants Page
 

src/i18n/openfire_i18n_sk.properties

@@ -2157,15 +2157,19 @@ ports.port=Port
 ports.type=Typ
 ports.description=Popis
 ports.all_ports=V\u0161etky adresy
+ports.plaintext.desc=On this port plain-text connections are established, which, depending on configurable {0}security settings{1}, can (or must) be upgraded to encrypted connections.
+ports.legacymode.desc=Connections established on this port are established using a pre-encrypted connection. This type of connectivity is commonly referred to as the "old-style" or "legacy" method of establishing encrypted connections. Configuration details can be modified in the {0}security settings{1}.
 ports.client_to_server=Klient-server
-ports.client_to_server.desc=\u0160tandardn\u00fd port, na ktor\u00fd sa klienti prip\u00e1jaj\u00fa k serveru. Spojenia m\u00f4\u017eu a nemusia by\u0165 \u0161ifrovan\u00e9. M\u00f4\u017eete aktualizova\u0165 {0}bezpe\u010dnostn\u00e9 nastavenia{1} tohto portu.
-ports.client_to_server.desc_old_ssl=Port, ktor\u00fd klienti pou\u017e\u00edvaj\u00fa na pripojenie k serveru pomocou SSL. Star\u00fd sp\u00f4sob pripojenia pomocou SSL nie je \u0161tandardn\u00fd pre XMPP a v bud\u00facnosti bude odstr\u00e1nen\u00fd. M\u00f4\u017eete aktualizova\u0165 {0}bezpe\u010dnostn\u00e9 nastavenia{1} pre tento port.
+ports.client_to_server.desc=\u0160tandardn\u00fd port, na ktor\u00fd sa klienti prip\u00e1jaj\u00fa k serveru.
+ports.client_to_server.desc_old_ssl=Port, ktor\u00fd klienti pou\u017e\u00edvaj\u00fa na pripojenie k serveru pomocou SSL.
 ports.server_to_server=Server-server
-ports.server_to_server.desc=Port, ktor\u00fd {0}Vzdialen\u00e9 servery{1} pou\u017e\u00edvaj\u00fa na pripojenie k tomuto serveru.
+ports.server_to_server.desc=Port, ktor\u00fd Vzdialen\u00e9 servery pou\u017e\u00edvaj\u00fa na pripojenie k tomuto serveru.
 ports.connection_manager=Spr\u00e1vca spojen\u00ed
-ports.connection_manager.desc=Port, ktor\u00fd {0}Spr\u00e1vcovia spojenia{1} pou\u017e\u00edvaj\u00fa na pripojenie k tomuto serveru.
+ports.connection_manager.desc=Port, ktor\u00fd Spr\u00e1vcovia spojenia pou\u017e\u00edvaj\u00fa na pripojenie k tomuto serveru.
+ports.connection_manager.desc_old_ssl=The port used for connection managers to the server using the old SSL/TLS method.
 ports.external_components=Vonkaj\u0161ie komponenty
-ports.external_components.desc=Port, ktor\u00fd {0}Extern\u00e9 komponenty{1} pou\u017e\u00edvaj\u00fa na pripojenie k tomuto serveru.
+ports.external_components.desc=Port, ktor\u00fd Extern\u00e9 komponenty pou\u017e\u00edvaj\u00fa na pripojenie k tomuto serveru.
+ports.external_components.desc_old_ssl=The port used for external components to the server using the old SSL/TLS method.
 ports.admin_console=Konzola spr\u00e1vcu
 ports.admin_console.desc_unsecured=Tento port sa pou\u017e\u00edva na nezabezpe\u010den\u00fd pr\u00edstup ku Konzole spr\u00e1vcu.
 ports.admin_console.desc_secured=Tento port sa pou\u017e\u00edva na zabezpe\u010den\u00fd pr\u00edstup ku Konzole spr\u00e1vcu.
@@ -2224,11 +2228,13 @@ ssl.import.certificate.keystore.error.import=Pri importovan\u00ed priv\u00e1tneh
 
 # Import truststore certificate page
 
-ssl.import.certificate.keystore.error.type=Type has not been specified (or is unrecognized).
-ssl.import.certificate.keystore.error.alias-missing=Please provide an alias for this certificate.
-ssl.import.certificate.keystore.error.alias-exists=A certificate is already stored using this alias. Please provide a different alias, or remove the existing certificate.
-ssl.import.certificate.keystore.c2s-intro=Use the form below to import a certificate that represents a trusted party, to be used when verifying certificates during client-to-server communication.
-ssl.import.certificate.keystore.s2s-intro=Use the form below to import a certificate that represents a trusted party, to be used when verifying certificates during server-to-server communication.
+ssl.import.certificate.truststore.boxtitle=Import CA Certificate
+ssl.import.certificate.truststore.error.connection-type=Connection Type has not been specified (or is unrecognized).
+ssl.import.certificate.truststore.error.alias-missing=Please provide an alias for this certificate.
+ssl.import.certificate.truststore.error.alias-exists=A certificate is already stored using this alias. Please provide a different alias, or remove the existing certificate.
+ssl.import.certificate.truststore.error.certificate=Please specify the content of the certificate to import.
+ssl.import.certificate.truststore.error.import=There was an error while trying to import the certificate.
+ssl.import.certificate.truststore.intro=Use the form below to import a certificate that represents a trusted party that can be used when verifying peer certificates while establishing encrypted communication.
 
 # Room Occupants Page
 

src/i18n/openfire_i18n_zh_CN.properties

@@ -2110,15 +2110,19 @@ ports.port=\u7aef\u53e3
 ports.type=\u7c7b\u578b
 ports.description=\u63cf\u8ff0
 ports.all_ports=\u6240\u6709\u7684\u5730\u5740
+ports.plaintext.desc=On this port plain-text connections are established, which, depending on configurable {0}security settings{1}, can (or must) be upgraded to encrypted connections.
+ports.legacymode.desc=Connections established on this port are established using a pre-encrypted connection. This type of connectivity is commonly referred to as the "old-style" or "legacy" method of establishing encrypted connections. Configuration details can be modified in the {0}security settings{1}.
 ports.client_to_server=\u5ba2\u6237\u7aef\u5230\u670d\u52a1\u5668
-ports.client_to_server.desc=\u5ba2\u6237\u7aef\u4f7f\u7528\u6807\u51c6\u7aef\u53e3\u8fde\u63a5\u5230\u670d\u52a1\u5668\uff0c\u8fde\u63a5\u53ef\u80fd\u6ca1\u6709\u52a0\u5bc6\uff0c\u60a8\u53ef\u4ee5\u66f4\u65b0{0}\u5b89\u5168\u8bbe\u7f6e{1} \u4e3a\u8fd9\u4e2a\u7aef\u53e3
-ports.client_to_server.desc_old_ssl=\u5ba2\u6237\u7aef\u4f7f\u7528\u65e7\u7684SSL\u65b9\u6cd5\u8fde\u63a5\u5230\u670d\u52a1\u5668\u7684\u7aef\u53e3\u3002\u65e7\u7684SSL\u65b9\u6cd5\u4e0d\u662f\u4e00\u4e2aXMPP\u6807\u51c6\u65b9\u6cd5\uff0c\u5728\u4e0d\u4e45\u5c06\u4e0d\u88ab\u652f\u6301\uff0c\u60a8\u53ef\u4ee5\u66f4\u65b0{0}\u5b89\u5168\u8bbe\u7f6e{1} \u4e3a\u8fd9\u4e2a\u7aef\u53e3
+ports.client_to_server.desc=The standard port for clients to connect to the server.
+ports.client_to_server.desc_old_ssl=The port used for clients to connect to the server using the old SSL/TLS method.
 ports.server_to_server=\u670d\u52a1\u5668\u5230\u670d\u52a1\u5668
-ports.server_to_server.desc=\u7aef\u53e3\u4f7f\u7528 {0}\u8fdc\u7a0b\u670d\u52a1\u5668{1} \u8fde\u63a5\u5230\u8fd9\u53f0\u670d\u52a1\u5668.
+ports.server_to_server.desc=\u7aef\u53e3\u4f7f\u7528\u8fdc\u7a0b\u670d\u52a1\u5668\u8fde\u63a5\u5230\u8fd9\u53f0\u670d\u52a1\u5668.
 ports.connection_manager=\u8fde\u63a5\u7ba1\u7406
-ports.connection_manager.desc=\u7aef\u53e3\u4f7f\u7528 {0}\u8fde\u63a5\u7ba1\u7406\u5668{1} \u8fde\u63a5\u5230\u8fd9\u53f0\u670d\u52a1\u5668.
+ports.connection_manager.desc=\u7aef\u53e3\u4f7f\u7528\u8fde\u63a5\u7ba1\u7406\u5668\u8fde\u63a5\u5230\u8fd9\u53f0\u670d\u52a1\u5668.
+ports.connection_manager.desc_old_ssl=The port used for connection managers to the server using the old SSL/TLS method.
 ports.external_components=\u5916\u90e8\u7ec4\u4ef6
-ports.external_components.desc=\u7aef\u53e3\u4f7f\u7528 {0}\u5916\u90e8\u7ec4\u4ef6{1} \u8fde\u63a5\u5230\u8fd9\u53f0\u670d\u52a1\u5668.
+ports.external_components.desc=\u7aef\u53e3\u4f7f\u7528\u5916\u90e8\u7ec4\u4ef6\u8fde\u63a5\u5230\u8fd9\u53f0\u670d\u52a1\u5668.
+ports.external_components.desc_old_ssl=The port used for external components to the server using the old SSL/TLS method.
 ports.admin_console=\u7ba1\u7406\u63a7\u5236\u53f0
 ports.admin_console.desc_unsecured=\u7aef\u53e3\u4f7f\u7528\u4e0d\u5b89\u5168\u7684\u7ba1\u7406\u63a7\u5236\u53f0\u8bbf\u95ee.
 ports.admin_console.desc_secured=\u7aef\u53e3\u4f7f\u7528\u5b89\u5168\u7684\u7ba1\u7406\u63a7\u5236\u53f0\u8bbf\u95ee.
@@ -2186,11 +2190,13 @@ ssl.import.certificate.keystore.error.import=There was an error one importing pr
 
 # Import truststore certificate page
 
-ssl.import.certificate.keystore.error.type=Type has not been specified (or is unrecognized).
-ssl.import.certificate.keystore.error.alias-missing=Please provide an alias for this certificate.
-ssl.import.certificate.keystore.error.alias-exists=A certificate is already stored using this alias. Please provide a different alias, or remove the existing certificate.
-ssl.import.certificate.keystore.c2s-intro=Use the form below to import a certificate that represents a trusted party, to be used when verifying certificates during client-to-server communication.
-ssl.import.certificate.keystore.s2s-intro=Use the form below to import a certificate that represents a trusted party, to be used when verifying certificates during server-to-server communication.
+ssl.import.certificate.truststore.boxtitle=Import CA Certificate
+ssl.import.certificate.truststore.error.connection-type=Connection Type has not been specified (or is unrecognized).
+ssl.import.certificate.truststore.error.alias-missing=Please provide an alias for this certificate.
+ssl.import.certificate.truststore.error.alias-exists=A certificate is already stored using this alias. Please provide a different alias, or remove the existing certificate.
+ssl.import.certificate.truststore.error.certificate=Please specify the content of the certificate to import.
+ssl.import.certificate.truststore.error.import=There was an error while trying to import the certificate.
+ssl.import.certificate.truststore.intro=Use the form below to import a certificate that represents a trusted party that can be used when verifying peer certificates while establishing encrypted communication.
 
 # Room Occupants Page
 

src/java/org/jivesoftware/admin/InfoboxTag.java

-package org.jivesoftware.admin;
-
-import javax.servlet.jsp.JspException;
-import javax.servlet.jsp.tagext.BodyTagSupport;
-import java.io.IOException;
-
-public class InfoboxTag extends BodyTagSupport {
-
-    private String type; // success, error, warning
-
-    public String getType() {
-        return type;
-    }
-
-    public void setType(String type) {
-        this.type = type;
-    }
-
-    @Override
-    public int doEndTag() throws JspException {
-
-        String body = "<div class=\"jive-"+type+"\">\n" +
-        "    <table cellpadding=\"0\" cellspacing=\"0\" border=\"0\">\n" +
-        "        <tbody>\n" +
-        "        <tr><td class=\"jive-icon\"><img src=\"images/"+type+"-16x16.gif\" width=\"16\" height=\"16\" border=\"0\" alt=\"\"/></td>\n" +
-        "            <td class=\"jive-icon-label\">\n" +
-                        bodyContent.getString() +
-        "            </td></tr>\n" +
-        "        </tbody>\n" +
-        "   </table>\n" +
-        "</div><br>\n";
-
-        try {
-            pageContext.getOut().write( body );
-        }
-        catch (IOException ioe) {
-            throw new JspException(ioe.getMessage());
-        }
-
-        return super.doEndTag();
-    }
-}

src/java/org/jivesoftware/openfire/Connection.java

@@ -26,6 +26,7 @@ import java.security.cert.Certificate;
 
 import org.jivesoftware.openfire.auth.UnauthorizedException;
 import org.jivesoftware.openfire.session.LocalSession;
+import org.jivesoftware.openfire.spi.ConnectionConfiguration;
 import org.xmpp.packet.Packet;
 
 /**
@@ -339,9 +340,26 @@ public interface Connection extends Closeable {
      *       otherwise a {@link org.jivesoftware.openfire.net.ServerTrustManager} will be used.
      * @param authentication policy to use for authenticating the remote peer.
      * @throws Exception if an error occured while securing the connection.
+     * @deprecated Use {@link #startTLS(boolean)} instead.
      */
+    @Deprecated
     void startTLS(boolean clientMode, String remoteServer, ClientAuth authentication) throws Exception;
 
+    /**
+     * Secures the plain connection by negotiating TLS with the other peer. In a server-2-server
+     * connection the server requesting the TLS negotiation will be the client and the other server
+     * will be the server during the TLS negotiation. Therefore, the server requesting the TLS
+     * negotiation must pass <code>true</code> in the <tt>clientMode</tt> parameter and the server
+     * receiving the TLS request must pass <code>false</code> in the <tt>clientMode</tt> parameter.<p>
+     *
+     * In the case of client-2-server the XMPP server must pass <code>false</code> in the
+     * <tt>clientMode</tt> parameter since it will behave as the server in the TLS negotiation.
+     *
+     * @param clientMode boolean indicating if this entity is a client or a server in the TLS negotiation.
+     * @throws Exception if an error occured while securing the connection.
+     */
+    void startTLS(boolean clientMode) throws Exception;
+
     /**
      * Adds the compression filter to the connection but only filter incoming traffic. Do not filter
      * outgoing traffic since we still need to send an uncompressed stanza to the client indicating
@@ -357,6 +375,15 @@ public interface Connection extends Closeable {
      */
     void startCompression();
 
+    /**
+     * Returns a representation of the desired state for this connection. Note that this is different from the current
+     * state of the connection. For example, TLS can be required by configuration, but while the connection has yet to
+     * be fully initialized, the current state might not be TLS-encrypted.
+     *
+     * @return The desired configuration for the connection (never null).
+     */
+    ConnectionConfiguration getConfiguration();
+
     /**
      * Enumeration of possible compression policies required to interact with the server.
      */
@@ -395,7 +422,14 @@ public interface Connection extends Closeable {
          * TLS is not available. Entities that request a TLS negotiation will get a stream
          * error and their connections will be closed.
          */
-        disabled
+        disabled,
+
+        /**
+         * A policy that requires connections to be encrypted immediately (as opposed to the
+         * 'required' policy, that allows for an initially unencrypted connection to become
+         * encrypted through StartTLS.
+         */
+        legacyMode
     }
 
     /**

src/java/org/jivesoftware/openfire/ConnectionManager.java

@@ -48,15 +48,27 @@ public interface ConnectionManager {
      * The default XMPP port for external components.
      */
     final int DEFAULT_COMPONENT_PORT = 5275;
+
+    /**
+     * The XMPP port for external components using SSL traffic.
+     */
+    final int DEFAULT_COMPONENT_SSL_PORT = 5276;
+
     /**
      * The default XMPP port for server2server communication.
      */
     final int DEFAULT_SERVER_PORT = 5269;
+
     /**
      * The default XMPP port for connection multiplex.
      */
     final int DEFAULT_MULTIPLEX_PORT = 5262;
 
+    /**
+     * The default XMPP port for connection multiplex.
+     */
+    final int DEFAULT_MULTIPLEX_SSL_PORT = 5263;
+
     /**
      * Returns an array of the ports managed by this connection manager.
      *
@@ -65,21 +77,6 @@ public interface ConnectionManager {
      */
     public Collection<ServerPort> getPorts();
 
-    /**
-     * Creates a new socket reader for the new accepted socket to be managed
-     * by the connection manager.
-     *
-     * @param socket the new accepted socket by this manager.
-     * @param isSecure true if the connection is secure.
-     * @param serverPort holds information about the port on which the server is listening for
-     *        connections.
-     * @param useBlockingMode true means that the server will use a thread per connection.
-     * @return the created socket reader.
-     * @throws java.io.IOException when there is an error creating the socket reader.
-     */
-    public SocketReader createSocketReader(Socket socket, boolean isSecure, ServerPort serverPort,
-            boolean useBlockingMode) throws IOException;
-
     /**
      * Sets if the port listener for unsecured clients will be available or not. When disabled
      * there won't be a port listener active. Therefore, new clients won't be able to connect to

src/java/org/jivesoftware/openfire/ServerPort.java

@@ -30,7 +30,9 @@ import java.util.List;
  * regarding the port while hiding implementation details.
  *
  * @author Iain Shigeoka
+ * @Deprecated
  */
+@Deprecated
 public class ServerPort {
 
     private int port;

src/java/org/jivesoftware/openfire/clearspace/ClearspaceManager.java

@@ -69,6 +69,7 @@ import org.dom4j.DocumentHelper;
 import org.dom4j.Element;
 import org.dom4j.Node;
 import org.dom4j.io.XMPPPacketReader;
+import org.jivesoftware.openfire.ConnectionManager;
 import org.jivesoftware.openfire.IQRouter;
 import org.jivesoftware.openfire.XMPPServer;
 import org.jivesoftware.openfire.XMPPServerInfo;
@@ -86,6 +87,9 @@ import org.jivesoftware.openfire.muc.spi.MultiUserChatServiceImpl;
 import org.jivesoftware.openfire.net.MXParser;
 import org.jivesoftware.openfire.session.ComponentSession;
 import org.jivesoftware.openfire.session.LocalClientSession;
+import org.jivesoftware.openfire.spi.ConnectionConfiguration;
+import org.jivesoftware.openfire.spi.ConnectionManagerImpl;
+import org.jivesoftware.openfire.spi.ConnectionType;
 import org.jivesoftware.openfire.user.UserNotFoundException;
 import org.jivesoftware.util.AlreadyExistsException;
 import org.jivesoftware.util.CertificateEventListener;
@@ -778,12 +782,14 @@ public class ClearspaceManager extends BasicModule implements ExternalComponentM
     private void updateClearspaceClientSettings() {
         String xmppBoshSslPort = "0";
         String xmppBoshPort = "0";
-        String xmppPort = String.valueOf(XMPPServer.getInstance().getConnectionManager().getClientListenerPort());
+        final ConnectionManagerImpl connectionManager = ( (ConnectionManagerImpl) XMPPServer.getInstance().getConnectionManager() );
+        final ConnectionConfiguration configuration = connectionManager.getListener( ConnectionType.SOCKET_C2S, false ).generateConnectionConfiguration();
+        String xmppPort = String.valueOf( configuration.getPort() );
         if (JiveGlobals.getBooleanProperty(HttpBindManager.HTTP_BIND_ENABLED, HttpBindManager.HTTP_BIND_ENABLED_DEFAULT)) {
             int boshSslPort = HttpBindManager.getInstance().getHttpBindSecurePort();
             int boshPort = HttpBindManager.getInstance().getHttpBindUnsecurePort();
             try {
-                if (HttpBindManager.getInstance().isHttpsBindActive() && LocalClientSession.getTLSPolicy() != org.jivesoftware.openfire.Connection.TLSPolicy.disabled) {
+                if (HttpBindManager.getInstance().isHttpsBindActive() && configuration.getTlsPolicy() != org.jivesoftware.openfire.Connection.TLSPolicy.disabled) {
                     xmppBoshSslPort = String.valueOf(boshSslPort);
                 }
             }

src/java/org/jivesoftware/openfire/clearspace/SSLProtocolSocketFactory.java

@@ -35,8 +35,9 @@ import org.apache.commons.httpclient.ConnectTimeoutException;
 import org.apache.commons.httpclient.HttpClientError;
 import org.apache.commons.httpclient.params.HttpConnectionParams;
 import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;
-import org.jivesoftware.openfire.keystore.Purpose;
-import org.jivesoftware.openfire.net.SSLConfig;
+import org.jivesoftware.openfire.XMPPServer;
+import org.jivesoftware.openfire.keystore.CertificateStoreManager;
+import org.jivesoftware.openfire.spi.ConnectionType;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -63,19 +64,19 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory {
 
     private SSLContext createSSLContext(String host) {
         try {
-            SSLContext context = SSLContext.getInstance("SSL");
+            final SSLContext context = SSLContext.getInstance( "TLSv1" );
             context.init(
                     null,
                     new TrustManager[] {
                             new ClearspaceX509TrustManager(
                                     host,
                                     manager.getProperties(),
-                                    SSLConfig.getStore( Purpose.ADMINISTRATIVE_TRUSTSTORE ) )
+                                    XMPPServer.getInstance().getCertificateStoreManager().getTrustStore( ConnectionType.SOCKET_S2S ).getStore() )
                     },
                     null);
             return context;
         } catch (Exception e) {
-            Log.error(e.getMessage(), e);
+            Log.error("An exception occurred while trying to create an SSL Context for host: '"+host+"'", e);
             throw new HttpClientError(e.toString());
         }
     }

src/java/org/jivesoftware/openfire/http/HttpSession.java

@@ -46,6 +46,7 @@ import org.jivesoftware.openfire.net.MXParser;
 import org.jivesoftware.openfire.net.SASLAuthentication;
 import org.jivesoftware.openfire.net.VirtualConnection;
 import org.jivesoftware.openfire.session.LocalClientSession;
+import org.jivesoftware.openfire.spi.ConnectionConfiguration;
 import org.jivesoftware.util.JiveConstants;
 import org.jivesoftware.util.JiveGlobals;
 import org.jivesoftware.util.TaskEngine;
@@ -1101,6 +1102,7 @@ public class HttpSession extends LocalClientSession {
     public static class HttpVirtualConnection extends VirtualConnection {
 
         private InetAddress address;
+        private ConnectionConfiguration configuration;
 
         public HttpVirtualConnection(InetAddress address) {
             this.address = address;
@@ -1141,6 +1143,11 @@ public class HttpSession extends LocalClientSession {
             ((HttpSession) session).deliver(text);
         }
 
+        @Override
+        public ConnectionConfiguration getConfiguration() {
+            return session.getConnection().getConfiguration();
+        }
+
         @Override
 		public Certificate[] getPeerCertificates() {
             return ((HttpSession) session).getPeerCertificates();

src/java/org/jivesoftware/openfire/keystore/CertificateStoreConfig.java → src/java/org/jivesoftware/openfire/keystore/CertificateStore.java

 package org.jivesoftware.openfire.keystore;
 
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
-import org.jivesoftware.openfire.net.SSLConfig;
-import org.jivesoftware.util.CertificateEventListener;
+import org.jivesoftware.openfire.spi.ConnectionType;
 import org.jivesoftware.util.JiveGlobals;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -24,8 +23,8 @@ import java.util.*;
  *
  * A subclass of this class exists for each of the two distinct types of key store.
  * <ul>
- *     <li>one that is used to provide credentials, an <em>identity store</em>, in {@link IdentityStoreConfig}</li>
- *     <li>one that is used to verify credentials, a <em>trust store</em>, in {@link TrustStoreConfig}</li>
+ *     <li>one that is used to provide credentials, an <em>identity store</em>, in {@link IdentityStore}</li>
+ *     <li>one that is used to verify credentials, a <em>trust store</em>, in {@link TrustStore}</li>
  * </ul>
  *
  * Note that in Java terminology, an identity store is commonly referred to as a 'key store', while the same name is
@@ -34,9 +33,9 @@ import java.util.*;
  *
  * @author Guus der Kinderen, guus.der.kinderen@gmail.com
  */
-public abstract class CertificateStoreConfig
+public abstract class CertificateStore
 {
-    private static final Logger Log = LoggerFactory.getLogger( CertificateStoreConfig.class );
+    private static final Logger Log = LoggerFactory.getLogger( CertificateStore.class );
 
     protected static final Provider PROVIDER = new BouncyCastleProvider();
 
@@ -47,39 +46,41 @@ public abstract class CertificateStoreConfig
     }
 
     protected final KeyStore store;
-    protected final char[] password;
-    protected final String canonicalPath;
+    protected final CertificateStoreConfiguration configuration;
 
-    public CertificateStoreConfig( String path, String password, String type, boolean createIfAbsent ) throws CertificateStoreConfigException
+    public CertificateStore( CertificateStoreConfiguration configuration, boolean createIfAbsent ) throws CertificateStoreConfigException
     {
+        if (configuration == null)
+        {
+            throw new IllegalArgumentException( "Argument 'configuration' cannot be null." );
+        }
+
+        this.configuration = configuration;
         try
         {
-            this.canonicalPath = SSLConfig.canonicalize( path );
-            final File file = new File( canonicalPath );
+            final File file = configuration.getFile();
 
             if ( createIfAbsent && !file.exists() )
             {
-                try ( final FileOutputStream os = new FileOutputStream( canonicalPath ) )
+                try ( final FileOutputStream os = new FileOutputStream( file.getPath() ) )
                 {
-                    store = KeyStore.getInstance( type );
-                    store.load( null, password.toCharArray() );
-                    store.store( os, password.toCharArray() );
-                    this.password = password.toCharArray();
+                    store = KeyStore.getInstance( configuration.getType() );
+                    store.load( null, configuration.getPassword() );
+                    store.store( os, configuration.getPassword() );
                 }
             }
             else
             {
-                try ( final FileInputStream is = new FileInputStream( canonicalPath ) )
+                try ( final FileInputStream is = new FileInputStream( file ) )
                 {
-                    store = KeyStore.getInstance( type );
-                    store.load( is, password.toCharArray() );
-                    this.password = password.toCharArray();
+                    store = KeyStore.getInstance( configuration.getType() );
+                    store.load( is, configuration.getPassword() );
                 }
             }
         }
         catch ( IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException ex )
         {
-            throw new CertificateStoreConfigException( "Unable to load store of type '" + type + "' from location '" + path + "'", ex );
+            throw new CertificateStoreConfigException( "Unable to load store of type '" + configuration.getType() + "' from file '" + configuration.getFile() + "'", ex );
         }
     }
 
@@ -89,13 +90,13 @@ public abstract class CertificateStoreConfig
      */
     public void reload() throws CertificateStoreConfigException
     {
-        try ( final FileInputStream is = new FileInputStream( canonicalPath ) )
+        try ( final FileInputStream is = new FileInputStream( configuration.getFile() ) )
         {
-            store.load( is, password );
+            store.load( is, configuration.getPassword() );
         }
         catch ( IOException | NoSuchAlgorithmException | CertificateException ex )
         {
-            throw new CertificateStoreConfigException( "Unable to reload store in location '" + canonicalPath + "'", ex );
+            throw new CertificateStoreConfigException( "Unable to reload store in '" + configuration.getFile() + "'", ex );
         }
     }
 
@@ -105,13 +106,13 @@ public abstract class CertificateStoreConfig
      */
     public void persist() throws CertificateStoreConfigException
     {
-        try ( final FileOutputStream os = new FileOutputStream( canonicalPath ) )
+        try ( final FileOutputStream os = new FileOutputStream( configuration.getFile() ) )
         {
-            store.store( os, password );
+            store.store( os, configuration.getPassword() );
         }
         catch ( NoSuchAlgorithmException | KeyStoreException | CertificateException | IOException ex )
         {
-            throw new CertificateStoreConfigException( "Unable to save changes to store in location '" + canonicalPath + "'", ex );
+            throw new CertificateStoreConfigException( "Unable to save changes to store in '" + configuration.getFile() + "'", ex );
         }
     }
 
@@ -177,31 +178,13 @@ public abstract class CertificateStoreConfig
         // TODO: Notify listeners that a new certificate has been removed.
     }
 
-    public String getType()
-    {
-        return store.getType();
-    }
-
     public KeyStore getStore()
     {
         return store;
     }
 
-    public String getPassword()
-    {
-        return String.valueOf( password );
-    }
-
-    public String getCanonicalPath()
-    {
-        return canonicalPath;
-    }
-
-    public String getPath()
+    public CertificateStoreConfiguration getConfiguration()
     {
-        final Path path = Paths.get( canonicalPath );
-        final Path home = Paths.get( JiveGlobals.getHomeDirectory() );
-        final Path corrected = path.startsWith( home ) ? home.relativize( path ) : path;
-        return corrected.toString();
+        return configuration;
     }
 }

src/java/org/jivesoftware/openfire/keystore/CertificateStoreConfiguration.java

+package org.jivesoftware.openfire.keystore;
+
+import java.io.File;
+import java.nio.file.Path;
+import java.util.Arrays;
+
+/**
+ * Certificate stores are configured using a defined set of properties. This is a wrapper class for all of them.
+ *
+ * Instances of this class are immutable and safe for use by multiple concurrent threads.
+ *
+ * @author Guus der Kinderen, guus.der.kinderen@gmail.com
+ */
+public class CertificateStoreConfiguration
+{
+    protected final String type;
+    protected final File file;
+    protected final char[] password;
+
+    /**
+     * Creates a new  instance.
+     *
+     *  @param type The store type (jks, jceks, pkcs12, etc). Cannot be null or an empty string.
+     * @param file  The file-system based representation of the store (cannot be null).
+     * @param password the password used to check the integrity of the store, the password used to unlock the store, or null.
+     */
+    public CertificateStoreConfiguration( String type, File file, char[] password )
+    {
+        if ( type == null || type.isEmpty() )
+        {
+            throw new IllegalArgumentException( "Argument 'type' cannot be null or an empty string." );
+        }
+        if ( file == null )
+        {
+            throw new IllegalArgumentException( "Argument 'file' cannot be null." );
+        }
+        this.type = type;
+        this.file = file;
+        this.password = password;
+    }
+
+    public String getType()
+    {
+        return type;
+    }
+
+    public File getFile()
+    {
+        return file;
+    }
+
+    public char[] getPassword()
+    {
+        return password;
+    }
+
+    @Override
+    public boolean equals( Object o )
+    {
+        if ( this == o )
+        {
+            return true;
+        }
+        if ( !( o instanceof CertificateStoreConfiguration ) )
+        {
+            return false;
+        }
+
+        CertificateStoreConfiguration that = (CertificateStoreConfiguration) o;
+
+        if ( !type.equals( that.type ) )
+        {
+            return false;
+        }
+        if ( !file.equals( that.file ) )
+        {
+            return false;
+        }
+        return Arrays.equals( password, that.password );
+
+    }
+
+    @Override
+    public int hashCode()
+    {
+        int result = type.hashCode();
+        result = 31 * result + file.hashCode();
+        result = 31 * result + ( password != null ? Arrays.hashCode( password ) : 0 );
+        return result;
+    }
+
+    @Override
+    public String toString()
+    {
+        return "CertificateStoreConfiguration{" +
+                "type='" + type + '\'' +
+                ", file=" + file +
+                ", password hashcode=" + password.hashCode() + // java.lang.Array.hashCode inherits from Object. As it is a reference, it should be safe to log and useful enough to compare against other passwords.
+                '}';
+    }
+}

src/java/org/jivesoftware/openfire/keystore/Purpose.java

-package org.jivesoftware.openfire.keystore;
-
-/**
- * Potential intended usages for keystores
- *
- * @author Guus der Kinderen, guus.der.kinderen@gmail.com
- */
-public enum Purpose
-{
-    /**
-     * Identification of this Openfire instance used by regular socket-based connections.
-     */
-    SOCKETBASED_IDENTITYSTORE( false ),
-
-    /**
-     * Identification of remote servers that you choose to trust, applies to server-to-server federation via regular socket-based connections.
-     */
-    SOCKETBASED_S2S_TRUSTSTORE( true ),
-
-    /**
-     * Identification of clients that you choose to trust, applies to mutual authentication via regular socket-based connections.
-     */
-    SOCKETBASED_C2S_TRUSTSTORE( true ),
-
-    /**
-     * Identification of this Openfire instance used by regular BOSH (HTTP-bind) connections.
-     */
-    BOSHBASED_IDENTITYSTORE( false ),
-
-    /**
-     * Identification of clients that you choose to trust, applies to mutual authentication via BOSH (HTTP-bind) connections.
-     */
-    BOSHBASED_C2S_TRUSTSTORE( true ),
-
-    /**
-     * Identification of this Openfire instance used by connections to administrative services (eg: user providers).
-     */
-    ADMINISTRATIVE_IDENTITYSTORE( false ),
-
-    /**
-     * Identification of remote applications/servers that provide administrative functionality (eg: user providers).
-     */
-    ADMINISTRATIVE_TRUSTSTORE( true ),
-
-    /**
-     * Openfire web-admin console.
-     */
-    WEBADMIN_IDENTITYSTORE( false ),
-
-    /**
-     * Openfire web-admin console.
-     */
-    WEBADMIN_TRUSTSTORE( true );
-
-    private final boolean isTrustStore;
-
-    Purpose( boolean isTrustStore )
-    {
-        this.isTrustStore = isTrustStore;
-    }
-
-    public boolean isIdentityStore()
-    {
-        return !isTrustStore;
-    }
-
-    public boolean isTrustStore()
-    {
-        return isTrustStore;
-    }
-}

src/java/org/jivesoftware/openfire/keystore/TrustStoreConfig.java → src/java/org/jivesoftware/openfire/keystore/TrustStore.java

 package org.jivesoftware.openfire.keystore;
 
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.jivesoftware.util.CertificateManager;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import javax.net.ssl.TrustManager;
-import javax.net.ssl.TrustManagerFactory;
 import java.io.IOException;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
-import java.security.Provider;
-import java.security.Security;
 import java.security.cert.*;
 import java.util.*;
 
@@ -24,146 +20,19 @@ import java.util.*;
  *
  * @author Guus der Kinderen, guus.der.kinderen@gmail.com
  */
-public class TrustStoreConfig extends CertificateStoreConfig
+public class TrustStore extends CertificateStore
 {
-    private static final Logger Log = LoggerFactory.getLogger( TrustStoreConfig.class );
+    private static final Logger Log = LoggerFactory.getLogger( TrustStore.class );
 
-    private final TrustManagerFactory trustFactory;
-
-    private final CertPathValidator certPathValidator; // not thread safe
-    private final CertificateFactory certificateFactory; // not thread safe.
-
-    public TrustStoreConfig( String path, String password, String type, boolean createIfAbsent ) throws CertificateStoreConfigException
-    {
-        super( path, password, type, createIfAbsent );
-
-        try
-        {
-            certPathValidator = CertPathValidator.getInstance( "PKIX" );
-            certificateFactory = CertificateFactory.getInstance( "X.509" );
-            trustFactory = TrustManagerFactory.getInstance( TrustManagerFactory.getDefaultAlgorithm() );
-            trustFactory.init( store );
-        }
-        catch ( CertificateException | NoSuchAlgorithmException | KeyStoreException ex )
-        {
-            throw new CertificateStoreConfigException( "Unable to load store of type '" + type + "' from location '" + path + "'", ex );
-        }
-    }
-
-    public TrustManager[] getTrustManagers()
-    {
-        return trustFactory.getTrustManagers();
-    }
-
-    /**
-     * Returns all valid certificates from the store.
-     *
-     * @return A collection of certificates (possibly empty, but never null).
-     */
-    protected Set<TrustAnchor> getAllValidTrustAnchors() throws KeyStoreException
+    public TrustStore( CertificateStoreConfiguration configuration, boolean createIfAbsent ) throws CertificateStoreConfigException
     {
-        final Set<TrustAnchor> results = new HashSet<>();
-
-        for ( X509Certificate certificate : getAllCertificates().values() )
-        {
-            try
-            {
-                certificate.checkValidity();
-            }
-            catch ( CertificateExpiredException | CertificateNotYetValidException e )
-            {
-                // Not yet or no longer valid. Don't include in result.
-                continue;
-            }
-
-            final TrustAnchor trustAnchor = new TrustAnchor( certificate, null );
-            results.add( trustAnchor );
-        }
-
-        return results;
-    }
-
-    /**
-     * Validates the provided certificate chain, by verifying (among others):
-     * <ul>
-     *     <li>The validity of each certificate in the chain</li>
-     *     <li>chain integrity (matching issuer/subject)</li>
-     *     <li>the root of the chain is validated by a trust anchor that is in this store.</li>
-     * </ul>
-     *
-     * @param chain A chain of certificates (cannot be null)
-     * @return true when the validity of the chain could be verified, otherwise false.
-     */
-    public synchronized boolean canTrust( Collection<X509Certificate> chain )
-    {
-        // Input validation
-        if ( chain == null )
-        {
-            throw new IllegalArgumentException( "Argument 'chain' cannot be null." );
-        }
-
-        if (chain.isEmpty() )
-        {
-            return false;
-        }
-
-        // For some reason, the default validation fails to iterate over all providers and will fail if the default
-        // provider does not support the algorithm of the chain. To work around this issue, this code iterates over
-        // each provider explicitly, returning success when at least one provider validates the chain successfully.
-        Log.debug( "Iterating over all available security providers in order to validate a certificate chain." );
-        for (Provider p : Security.getProviders())
-        {
-            try
-            {
-                final Set<TrustAnchor> trustAnchors = getAllValidTrustAnchors();
-                final CertPath certPath = getCertPath( chain );
-
-                final PKIXParameters parameters = new PKIXParameters( trustAnchors );
-                parameters.setRevocationEnabled( false ); // TODO: enable revocation list validation.
-                parameters.setSigProvider( p.getName() ); // Explicitly iterate over each signature provider. See comment above.
-
-                certPathValidator.validate( certPath, parameters );
-
-                Log.debug( "Provider "+p.getName()+": Able to validate certificate chain." );
-                return true;
-            }
-            catch ( Exception ex )
-            {
-                Log.debug( "Provider "+p.getName()+": Unable to validate certificate chain.", ex );
-            }
-        }
-
-        return false;
-    }
-
-    /**
-     * Creates a CertPath instance from the provided certificate chain.
-     *
-     * This implementation can process unordered input (ordering will by applied).
-     *
-     * @param chain A certificate chain (cannot be null or an empty collection).
-     * @return A CertPath instance (never null).
-     * @throws CertificateException When no CertPath instance could be created.
-     */
-    protected synchronized CertPath getCertPath( Collection<X509Certificate> chain ) throws CertificateException
-    {
-        // Input validation
-        if ( chain == null || chain.isEmpty() )
-        {
-            throw new IllegalArgumentException( "Argument 'chain' cannot be null or empty." );
-        }
-
-        // Note that PKCS#7 does not require a specific order for the certificates in the file - ordering is needed.
-        final List<X509Certificate> ordered = CertificateManager.order( chain );
-
-        return certificateFactory.generateCertPath( ordered );
+        super( configuration, createIfAbsent );
     }
 
     /**
      * Imports one certificate as a trust anchor into this store.
      *
-     * Note that this method explicitly allows one to add invalid certificates. Other methods in this class might ignore
-     * such a certificate ({@link #canTrust(Collection)} being a prime example).
+     * Note that this method explicitly allows one to add invalid certificates.
      *
      * As this store is intended to contain certificates for "most-trusted" / root Certificate Authorities, this method
      * will fail when the PEM representation contains more than one certificate.
@@ -209,9 +78,12 @@ public class TrustStoreConfig extends CertificateStoreConfig
         }
         catch ( CertificateException | KeyStoreException | IOException e )
         {
-            reload(); // reset state of the store.
             throw new CertificateStoreConfigException( "Unable to install a certificate into a trust store.", e );
         }
+        finally
+        {
+            reload(); // re-initialize store.
+        }
 
         // TODO Notify listeners that a new certificate has been added.
     }

src/java/org/jivesoftware/openfire/multiplex/ClientSessionConnection.java

@@ -24,6 +24,9 @@ import org.dom4j.Element;
 import org.jivesoftware.openfire.XMPPServer;
 import org.jivesoftware.openfire.net.VirtualConnection;
 import org.jivesoftware.openfire.session.ConnectionMultiplexerSession;
+import org.jivesoftware.openfire.spi.ConnectionConfiguration;
+import org.jivesoftware.openfire.spi.ConnectionManagerImpl;
+import org.jivesoftware.openfire.spi.ConnectionType;
 import org.xmpp.packet.IQ;
 import org.xmpp.packet.Packet;
 
@@ -114,6 +117,14 @@ public class ClientSessionConnection extends VirtualConnection {
     }
 
     @Override
+    public ConnectionConfiguration getConfiguration()
+    {
+        // Here, a client-to-server configuration is mocked. It is likely not used, as actual connection handling takes
+        // place at the connection manager.
+        final ConnectionManagerImpl connectionManager = ((ConnectionManagerImpl) XMPPServer.getInstance().getConnectionManager());
+        return connectionManager.getListener( ConnectionType.SOCKET_C2S, true ).generateConnectionConfiguration();
+    }
+
     public byte[] getAddress() throws UnknownHostException {
         if (hostAddress != null) {
             return InetAddress.getByName(hostAddress).getAddress();

src/java/org/jivesoftware/openfire/multiplex/MultiplexerPacketHandler.java

@@ -97,7 +97,7 @@ public class MultiplexerPacketHandler {
                             sendResultPacket(iq);
                         }
                         else {
-                            // Send error to CM. The CM should close the new-borned connection
+                            // Send error to CM. The CM should close the new-born connection
                             sendErrorPacket(iq, PacketError.Condition.not_allowed, null);
                         }
                     }

src/java/org/jivesoftware/openfire/net/BlockingAcceptingMode.java

@@ -35,15 +35,16 @@ import org.slf4j.LoggerFactory;
  * Accepts new socket connections and uses a thread for each new connection.
  *
  * @author Gaston Dombiak
+ * @deprecated Old, pre NIO / MINA code. Should not be used as NIO offers better performance
  */
+@Deprecated
 class BlockingAcceptingMode extends SocketAcceptingMode {
 
 	private static final Logger Log = LoggerFactory.getLogger(BlockingAcceptingMode.class);
 
-    protected BlockingAcceptingMode(ConnectionManager connManager, ServerPort serverPort,
-            InetAddress bindInterface) throws IOException {
-        super(connManager, serverPort);
-        serverSocket = new ServerSocket(serverPort.getPort(), -1, bindInterface);
+    protected BlockingAcceptingMode(int tcpPort, InetAddress bindInterface) throws IOException {
+        super();
+        serverSocket = new ServerSocket(tcpPort, -1, bindInterface);
     }
 
     /**
@@ -57,8 +58,8 @@ class BlockingAcceptingMode extends SocketAcceptingMode {
                 Socket sock = serverSocket.accept();
                 if (sock != null) {
                     Log.debug("Connect " + sock.toString());
-                    SocketReader reader =
-                            connManager.createSocketReader(sock, false, serverPort, true);
+
+                    SocketReader reader = createServerSocketReader(  sock, false, true );
                     Thread thread = new Thread(reader, reader.getName());
                     thread.setDaemon(true);
                     thread.setPriority(Thread.NORM_PRIORITY);

src/java/org/jivesoftware/openfire/net/ClientStanzaHandler.java

@@ -45,8 +45,13 @@ import org.xmpp.packet.Presence;
  */
 public class ClientStanzaHandler extends StanzaHandler {
 
+    public ClientStanzaHandler(PacketRouter router, Connection connection) {
+        super(router, connection);
+    }
+
+    @Deprecated
     public ClientStanzaHandler(PacketRouter router, String serverName, Connection connection) {
-        super(router, serverName, connection);
+        super(router, connection);
     }
 
     /**
@@ -110,12 +115,6 @@ public class ClientStanzaHandler extends StanzaHandler {
 
     @Override
 	void startTLS() throws Exception {
-        Connection.ClientAuth policy;
-        try {
-            policy = Connection.ClientAuth.valueOf(JiveGlobals.getProperty(ConnectionSettings.Client.AUTH_PER_CLIENTCERT_POLICY, "disabled"));
-        } catch (IllegalArgumentException e) {
-            policy = Connection.ClientAuth.disabled;
-        }
-        connection.startTLS(false, null, policy);
+        connection.startTLS(false);
     }
 }

src/java/org/jivesoftware/openfire/net/ClientTrustManager.java

@@ -75,10 +75,6 @@ public class ClientTrustManager implements X509TrustManager {
      * KeyStore that holds the trusted CA
      */
     private KeyStore trustStore;
-    /**
-     * Holds the domain of the remote server we are trying to connect
-     */
-    private String server;
 
     /**
      * Holds the CRL's to validate certs

src/java/org/jivesoftware/openfire/net/MultiplexerStanzaHandler.java

@@ -46,6 +46,11 @@ public class MultiplexerStanzaHandler extends StanzaHandler {
      */
     private MultiplexerPacketHandler packetHandler;
 
+    public MultiplexerStanzaHandler(PacketRouter router, Connection connection) {
+        super(router, connection);
+    }
+
+    @Deprecated
     public MultiplexerStanzaHandler(PacketRouter router, String serverName, Connection connection) {
         super(router, serverName, connection);
     }
@@ -151,7 +156,6 @@ public class MultiplexerStanzaHandler extends StanzaHandler {
 
     @Override
 	void startTLS() throws Exception {
-        // TODO Finish implementation. We need to get the name of the CM if we want to validate certificates of the CM that requested TLS
-        connection.startTLS(false, "IMPLEMENT_ME", Connection.ClientAuth.disabled);
+        connection.startTLS(false);
     }
 }

src/java/org/jivesoftware/openfire/session/LocalComponentSession.java

@@ -50,6 +50,7 @@ import org.xmpp.packet.StreamError;
  *
  * @author Gaston Dombiak
  */
+// TODO implement TLS and observe org.jivesoftware.openfire.session.ConnectionSettings.Component.TLS_POLICY
 public class LocalComponentSession extends LocalSession implements ComponentSession {
 
 	private static final Logger Log = LoggerFactory.getLogger(LocalComponentSession.class);