Security question: "starttls required" ignored while authenticating

Hi everybody.

I have an OpenFire server with the "Client Connection Security" option under "Server Settings"/"Security Settings" set to "Required".

In my understanding this forces the server to accept only TLS connections from the clients.

But if a client doesn't send the starttls command, the server accepts unencrypted connections. This is the trace:

# the client starts the connection

SENT: <stream:stream xmlns:stream="http://etherx.jabber.org/streams" id="fc08c8ec" xmlns="jabber:client" to="numero5" version="1.0">

# the server replies with required starttls

RECV: <?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="numero5" id="7b311ecf" xml:lang="en" version="1.0"><stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>DIGEST-MD5</mechanism><mech anism>PLAIN</mechanism><mechanism>ANONYMOUS</mechanism><mechanism>CRAM-MD5</mech anism></mechanisms></stream:features>

# the client ignores the starttls

SENT: <auth mechanism="DIGEST-MD5" xmlns="urn:ietf:params:xml:ns:xmpp-sasl" />

# the server authenticates the user

RECV: <challenge xmlns="urn:ietf:params:xml:ns:xmpp-sasl">cmVhbG09Im51bWVybzUiLG5vbmNlPSJvVGl5Ri tadFhOcHhBdU03TjhHeTB0SVFMYy9TcUZjOHc3MFM3VlZ0Iixxb3A9ImF1dGgiLGNoYXJzZXQ9dXRmLT gsYWxnb3JpdGhtPW1kNS1zZXNz</challenge>

SENT: <response xmlns="urn:ietf:params:xml:ns:xmpp-sasl">dXNlcm5hbWU9ImFkbWluIixyZWFsbT0ibnVtZX JvNSIsbm9uY2U9Im9UaXlGK1p0WE5weEF1TTdOOEd5MHRJUUxjL1NxRmM4dzcwUzdWVnQiLGNub25jZT 0iMzgzNDMzM2E2MTY0NmQ2OTZlM2E2MTY0NmQ2OTZlIixuYz0wMDAwMDAwMSxxb3A9YXV0aCxkaWdlc3 QtdXJpPSJ4bXBwL251bWVybzUiLHJlc3BvbnNlPTAxYTRlN2QzMWZhMDkzMjgxOTZlYjE1Y2ZhYjQwYm QzLGNoYXJzZXQ9dXRmLTg=</response>

RECV: <success xmlns="urn:ietf:params:xml:ns:xmpp-sasl">cnNwYXV0aD0xM2I1ZmRhN2MwYWVlMDYxNDI5ZT g4ZjdmNzQ1ZWRiNQ==</success>

SENT: <stream:stream xmlns:stream="http://etherx.jabber.org/streams" id="190bb394" xmlns="jabber:client" to="numero5" version="1.0">

Is there a way to force the server to accept only encrypted connections?

Thanks!

Security question: "starttls required" ignored while authenticating

Trending Articles

Practice Sheet of Right form of verbs for HSC Students

Download: FK ft Shenky – Nakuyewa ”Prod by: Shenky”

How to win at Markstrat (Markstrat Tips and Tricks) – Vodites

Ominde Commission Report and Recommendations – Ominde Report of 1964

Bureau of Internal Revenue: Regional Offices (Directory)

GO 53 on Enhancement of Ex-gratia upto 5 Lakhs Toddy Tappers in Telangana

Cakewalk CA-2A Leveling Amplifier v2.0.1.97 WiN, v2.0.1.96 OSX Incl Keygen

Mp3 Download: Mdu - Kunjenjenjena

How the kill the job , when DTP request running for long hours.

Microsoft Intune から展開しているアプリのアップデートについて

18-year-old girl was beaten for half an hour by two Northampton men in 'an...

Car crash in Dunton Bassett leaves driver in critical condition

Macky 2, Two Others In Road Accident

Application log 00000000000000089514: Could not convert queue DLVST90CLNT

Detroit mafia: D’Anna Brothers agree to plea deal

Delivery block field greyed out using VA02

Muloraki Au

【個人撮影】スマホのプライベート映像♪「中に出さないで///」カラオケ屋での生ハメ撮りが流出ｗ【リベンジポルノ】＠PornHub

BREAKING NEWS: Diamond Platnumz Is Reported Dead After Ghastly Car Accident

FIAT 500 B0111 B0112