Improvement
- [OF-1378] - Rename "Legacy SSL" into "Direct TLS"
- [OF-1861] - Support for TLS 1.2 / 1.3
- [OF-2116] - Using range retrieval for LDAP groups
- [OF-2372] - Add support for proxied connections to Admin Console
- [OF-2377] - Reduce potential thread contention in XMLProperties
- [OF-2380] - Reduce thread contention in In-Memory pubsub persistence provider
- [OF-2385] - Shouldn't attempt to load shared groups when feature is unsupported.
- [OF-2403] - Improve Admin Console's memory usage reporting
- [OF-2408] - Address static analysis warnings in Crowd package
- [OF-2409] - Remove obsolete 'type' and 'language' attributes on HTML elements. Use HTML5.
- [OF-2413] - Include a stream error when closing a stream due to a problem.
- [OF-2440] - Increase default cache sizes
- [OF-2449] - Return error when a BOSH pause is requested that is higher than the maximum allowable pause.
- [OF-2455] - Explicitly promote websockets in admin console
- [OF-2494] - Upgrade HSQLDB to a more recent version.
- [OF-2513] - Do not require authzid on SASL EXTERNAL for S2S
- [OF-2514] - Differentiate between missing and empty initial SASL response
- [OF-2521] - S2S: Allow 'client auth' (required for SASL EXTERNAL) by default
- [OF-2523] - Use less predictable resource value
- [OF-2540] - Update SLF4j to 2.x
- [OF-2542] - Drop Java 8 support
- [OF-2547] - Update Mockito to 3.4.0 or later
- [OF-2556] - Support additional namespaces when parsing streams
- [OF-2557] - Show TLS config on each session/connection
- [OF-2560] - Improve Admin Console load time when RSS can't be reached
- [OF-2563] - Replace Session status constants with enums
- [OF-2564] - ServerSession's state should be set to 'authenticated' after authentication
- [OF-2565] - Openfire should close stream if client is sending a stanza in violation of RFC 6120, section 7.1
- [OF-2566] - Enable Websocket Stream Management resumption
- [OF-2581] - Invite people to improve translations in admin console
- [OF-2594] - When locating Openfire Home, consider 'tmp' file
- [OF-2608] - Do not wait for timeout when Dialback connection is closed
- [OF-2611] - Improve automated tests for S2S functionality
- [OF-2612] - Upgrade JUnit from 4 to 5
- [OF-2613] - Upgrade unit test database to version 34
- [OF-2615] - Use ConnectionManager interface where possible
- [OF-2616] - Bump Guava to latest release
- [OF-2623] - Migrate LoginLimitManager's properties to SystemProperties
- [OF-2624] - When providing Forms, use client's language
- [OF-2633] - When S2S TLS is required, announce that
- [OF-2638] - Update Installation guide to suggest it is not okay to open-admin-console-to-internet
- [OF-2639] - Server-to-Server SASL EXTERNAL should not require authz
- [OF-2642] - Remove (unused?) PEP restriction for XEP-0084
- [OF-2644] - Do not use getters in Session#toString
- [OF-2650] - Failed S2S due to peer's certificate being invalid should be less verbose
- [OF-2653] - hostname validation should not try to resolve host
- [OF-2654] - Implement toString() in various Netty classes
- [OF-2663] - Don't overly verbose log receiving IQ responses addressed to the server
- [OF-2669] - Update postgresql driver to 42.6.0
- [OF-2670] - Netty debug should log remote address when available
- [OF-2671] - S2S tester can stop waiting after a bounce
- [OF-2673] - Prevent double-closure of outbound s2s session
- [OF-2678] - Prefer XML data type usage over String manipulation
- [OF-2693] - Make XML declaration (and newline) configurable
- [OF-2697] - Set up multiple S2S connections concurrently
- [OF-2699] - PacketRejection should allow for PacketError to be defined
- [OF-2703] - Websocket 'open' should be a collapsed element
- [OF-2706] - Restructure session details page
- [OF-2707] - When closing session on admin console, kill its stream management
- [OF-2708] - Ensure that Groups operate on bare JIDs
- [OF-2713] - Update Bouncy Castle to 1.76
- [OF-2714] - Switch to Java 1.8+ variant of Bouncy Castle
- [OF-2724] - Resolve (non-breaking) errors while compiling plugin JSP pages against Openfire 4.8
- [OF-2731] - Update support for XEP-0280: Message Carbons
- [OF-2732] - Update bundled search plugin to 1.7.4
- [OF-2746] - Add Content Security Policy (CSP) headers to web endpoints
Story
- [OF-2527] - Include milliseconds in default log4j configuration
- [OF-2573] - Add Name to Client Version column in Session Summary
New Feature
- [OF-1574] - Add support for XEP-0352: Client State Indication
- [OF-2474] - Allow IP-based access control to the admin console
- [OF-2475] - Allow data to be persisted for future users.
- [OF-2476] - Add trunking/gateway support to Openfire
- [OF-2572] - Detect thread obtaining more than one database connection
- [OF-2579] - Add Ukrainian translation
- [OF-2646] - Allow property persistence to be skipped (for tests)
- [OF-2658] - Dynamically modify Netty pipeline
- [OF-2676] - Add support for XEP-0478: Stream Limits Advertisement
- [OF-2753] - Kill detached session when resumption is attempted at different cluster node
- [OF-2766] - Apply s2s permissions recursively
- [OF-2770] - Add pub/sub debug logging
Task
- [OF-1382] - Admin Console reuses `username` and `password` form fields, which fools browser auto-fill
- [OF-2395] - Remove code that was deprecated prior to 4.7.0
- [OF-2406] - Phase out calendarjs
- [OF-2407] - Phase out /js/tooltip/*
- [OF-2418] - Phase out Scriptaculous
- [OF-2419] - Remove unused pngfix.js library
- [OF-2420] - Phase out lightbox.js
- [OF-2510] - Create documentation for using Openfire with clustered databases
- [OF-2559] - Replace Apache MINA with Netty
- [OF-2610] - Update shipped CA truststore
- [OF-2647] - Remove 4.8 deprecation
- [OF-2687] - Update Jetty to 10.0.18
- [OF-2688] - Update Netty to 4.1.100
- [OF-2691] - Update org.json:json to 20231013
- [OF-2725] - Update dependency-check to 8.4.2
- [OF-2726] - Update dom4j to 2.1.4
- [OF-2727] - Update mysql-connector from 8.0.32 to 8.2.0
- [OF-2728] - Remove Rome
- [OF-2733] - Sync Openfire's truststore with Mozilla's shipped CAs
- [OF-2767] - Don't have separate database CI workflow
Sub-task
- [OF-2596] - Improve detection of path traversal
- [OF-2597] - Add config option for using wildcards in AuthCheckFilter
- [OF-2598] - Remove wildcard usage in AuthCheckFilter
- [OF-2599] - Avoid having setup-specific auth-excludes after install
- [OF-2600] - Upgrade Jetty
- [OF-2604] - Bind admin console to loopback interface by default
- [OF-2609] - Broken Tests - Expect NO_CONN, Get PLAIN_DIALB
Bug
- [OF-880] - Server MUST return for IQ requests to unknown user. (RFC 6120 10.5.3.1.)
- [OF-945] - Openfire returns Stanza error instead of Stream error when client tries to send stanzas over unauthenticated connections
- [OF-1183] - Roster request denial is not pushed back to requester
- [OF-1224] - No roster push after unsubscribe (probably only if presence subscription is not 'both")
- [OF-1389] - PubSub Admin Console - Unable to click Node ID
- [OF-1394] - PubSub Admin Console - Re-enabling service doesn't reload nodes
- [OF-1399] - PubSub Admin Console - 'Max number of items to persist' appears configurable when it's not
- [OF-1405] - S2S Connection Test - No validation on 'XMPP domain' field
- [OF-1406] - S2S Connection Test - Able to edit results fields
- [OF-1407] - S2S Connection Test - No indication on the page that anything is happening during search
- [OF-1785] - In-band registration fails with websockets
- [OF-1831] - TLS fails with "input record too big" exceptions
- [OF-1913] - Various S2S interop issues
- [OF-2242] - No possible to filter by Client Version on Sessions page
- [OF-2378] - (deprecated) XMLProperties.getName() throws ClassCastException
- [OF-2382] - When searching for shared groups by user, all groups are returned
- [OF-2383] - Group methods are only validated on the frontend, or not at all
- [OF-2391] - NPE during/directly after setup
- [OF-2399] - Migrated System Properties report that restart is needed
- [OF-2404] - Inbound presence 'subscribe' for preexisting contact MUST be auto-responded
- [OF-2411] - Openfire fails to start because of a deadlock in XmlProperties' readWriteLock
- [OF-2426] - Group cache can contain ghost entries
- [OF-2429] - Fix count in database reconnect attempts
- [OF-2435] - TLSv1.3 suffers from timing issue
- [OF-2443] - SASL PLAIN should use authorization mapping
- [OF-2492] - mvnw isn't executable
- [OF-2551] - Server-to-Server TLS policy changes cause breakage
- [OF-2552] - javax.el.MethodNotFoundException in offline-messages.jsp
- [OF-2555] - Openfire allows S2S TLS to continue when certificate fails to validate
- [OF-2567] - S2S with Direct TLS seems to be unstable
- [OF-2568] - Stream Management roll-over detection
- [OF-2580] - Make Portuguese locale selectable after setup
- [OF-2590] - S2S Outbound must validate remote identity against certificate
- [OF-2592] - Autosetup should not force the default database connection provider when using default auth provider
- [OF-2595] - CVE-2023-32315 Admin Console Auth Bypass
- [OF-2606] - Database errors keep getting logged when providing faulty db connection URL in setup
- [OF-2614] - openfire-plugin-assembly is inflexible on project structure
- [OF-2620] - Plugin-provided pages for the Admin Console should use Openfire assets for standard components
- [OF-2621] - Incorrect link on MUC Service admin console page
- [OF-2622] - Do not accept Dialback when disabled
- [OF-2626] - Dialback status race condition
- [OF-2627] - Deleting a group with a '+' character in its name fails
- [OF-2630] - SystemProperties are not encrypted on Admin Console
- [OF-2641] - Cannot establish S2S with conference subdomain
- [OF-2648] - S2S stanza parsing of errors fails
- [OF-2649] - CSI parsing error
- [OF-2652] - To many exceptions when remote server sends to much data
- [OF-2655] - Closing S2S session fails to close outbound
- [OF-2656] - TLS information missing for outbound S2S connections
- [OF-2657] - Stream parsing failure
- [OF-2659] - Remote (ejabberd) servers close stream with 'duplicate attribute' stream error
- [OF-2660] - Outbound DirectTLS S2S connections seem to stall
- [OF-2661] - Peer closing stream leads to timeout
- [OF-2662] - S2S prefix issue
- [OF-2664] - S2S failure with isode.com
- [OF-2665] - Cache state inconsistencies after Netty upgrade
- [OF-2668] - Cannot compile plugin with web assets against Openfire 4.8 following Jetty upgrade
- [OF-2672] - Netty Debug log incorrectly suggests class cast issue
- [OF-2674] - Closing a Netty channel must close the underlying connection
- [OF-2675] - HTTP ERROR 400 Invalid SNI on admin console after jetty upgrade for Openfire 4.8
- [OF-2677] - Failure to process all UTF-8 characters
- [OF-2680] - NullPointer in idle handler
- [OF-2681] - Failure to define Dialback XML prefix
- [OF-2682] - ConcurrentModificationException in Netty S2S
- [OF-2689] - DirectTLS client-to-server (5223) broken
- [OF-2690] - Incorrect namespace definitions on server dialback elements
- [OF-2692] - NullPointerException in S2S when ID attribute is missing
- [OF-2696] - Cannot resolve CAPS for MUC occupants
- [OF-2698] - Netty idle state detects mixes 'read' and 'write' idle events
- [OF-2700] - X-Forwarded-For header content not in audit log
- [OF-2704] - Closing websockets should send `close` element
- [OF-2705] - Route stanzas addressed to full JIDs of connected resource
- [OF-2711] - CSI delays don't then deliver stanzas
- [OF-2712] - Session accounting differs on alternate sides of the S2S conversation
- [OF-2715] - Websocket 'close' frame whould be sent when closing a connection
- [OF-2716] - Missing Copyright Notices
- [OF-2730] - Stop S2S under strict verification mode, when TLS fails.
- [OF-2734] - JspPropertyNotFoundException on Pubsub node detail page
- [OF-2735] - Certificate Details doesn't show store name
- [OF-2738] - Server-to-Server SNI issue / connecting to a host that serves multiple domains
- [OF-2740] - Incorrect determination of macOS JAVA_HOME when none is set
- [OF-2745] - MUC Occupants get kicked for being idle, after responding to idle check
- [OF-2750] - CSI-enabled client does not receive Jingle invitations
- [OF-2751] - Disable Stream Management when server closes stream with error
- [OF-2752] - Disable Stream Management when server closes stream
- [OF-2755] - NullPointerException in S2S when cluster node is switched off
- [OF-2756] - setup fails to properly detect JRE 21
- [OF-2757] - pub/sub notifications not sent to full JIDs on remote domains
- [OF-2761] - NullPointerException when MUC Service processes an IQ result
- [OF-2763] - HTTP requests for 'other' plugin files (eg: images) return 403
- [OF-2764] - Typo in i18n key 'cliked'
- [OF-2765] - Some mvn references aren't using mvnw
sha256sum
values for release artifacts
6c24dd3c221219594237cbfd94b237dd51e853665a898c2e2a4f67bc57df415c openfire-4.8.0-1.noarch.rpm
21609f9245cb3ea59ebaddd92aa2378daefb4c526f2b48f764bc61cba478f446 openfire_4.8.0_all.deb
fa337a050af5db86b3a0c05547b1c505f3dfe01f95264aecb046ad03e6e54007 openfire_4_8_0.dmg
daba71eec8eca9978e22add1198123c045218df95ae02c7d96567870a92a9c75 openfire_4_8_0.exe
e8b9dfb00e47477c9c6fd6cd4c5f3ac775c74ed9ded86c830f3b220a8cd8a15f openfire_4_8_0.tar.gz
f0469bb13e38264ae69cb55006a88fd0572dd5b3c41fe1021d1c778336242bcb openfire_4_8_0_x64.exe
4b940c4eefb7fcf3ae080983a671b6c5b7744ee95b12026f04b71e94f896f206 openfire_4_8_0.zip