I'm putting together an XMPP server for a project of mine, and I have rather strict encryption standards. Namely, I need the TLS protocol to only utilize AES-256 cipher suites and their equivalents. Basically, anything that doesn't require the JCE unlimited policy, I want excluded. Yes, I know that it's highly prohibitive on the client because they need to be able to use/install the JCE policy. I'm ok with that, and I'm not allowed to work around it.
As I understand, Openfire runs off of the base JRE. I've found how to install the JCE unlimited policy in the JRE, and further how to remove cipher suites from the Java environment via jdk.tls.disabledAlgorithms in java.security. However, my testing shows that even when I set up an environment where the client and server have no shared supported suites, and encrypted connections are set to "required," a client can still connect and communicate. I'm specifically trying to avoid this behavior.
Furthermore, with the release of Openfire 4.0, and the ability to modify the list of enabled cipher suites directly, I notice that AES-256 ciphers are not on the supported list in the first place, even when the JCE unlimited policy is installed. Meaning, whether I remove unacceptable cipher suites in jdk.tls.disabledAlgorithms or directly in Openfire, Openfire is not importing the AES-256 suites I need, regardless of the JCE policy.
Is there a way to add cipher suites to the Openfire list, so long as the cipher suites are supported by the underlying JRE/JCE?
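A diagnostic that separates the three places an AES-256 suite can go missing (the JCE policy, `jdk.tls.disabledAlgorithms`, and the application's own enabled-suite selection), as an added example that is not part of the original post and is plain JSSE rather than Openfire code. It assumes only the standard `javax.crypto` and `javax.net.ssl` APIs; the class name `Aes256SuiteCheck` and the `AES_256` name filter are this example's own choices.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/**
 * Added diagnostic (not Openfire code): reports what the running JRE/JCE
 * actually offers for TLS so that a missing AES-256 suite can be attributed
 * to the JCE policy, to jdk.tls.disabledAlgorithms, or to the application's
 * own enabled-suite list. Run it under the same JRE (and java.security file)
 * that the server uses, otherwise the answer is for a different environment.
 */
public class Aes256SuiteCheck {

    /** Suites from the given list whose names carry AES_256 (name filter chosen for this example). */
    static List<String> aes256Only(String[] suites) {
        List<String> out = new ArrayList<>();
        for (String s : suites) {
            if (s.contains("AES_256")) {
                out.add(s);
            }
        }
        return out;
    }

    /** True when the unlimited-strength policy is in force for AES; limited policy caps AES at 128 bits. */
    static boolean unlimitedPolicyActive() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES") == Integer.MAX_VALUE;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version               = " + System.getProperty("java.version"));
        System.out.println("java.home                  = " + System.getProperty("java.home"));
        System.out.println("AES max key length         = " + Cipher.getMaxAllowedKeyLength("AES")
                + (unlimitedPolicyActive() ? " (unlimited policy active)" : " (limited policy: AES-256 unavailable)"));
        System.out.println("jdk.tls.disabledAlgorithms = " + Security.getProperty("jdk.tls.disabledAlgorithms"));

        // "Supported" is everything JSSE can ever offer in this JRE; "enabled" is what a
        // default SSLContext would negotiate without the application overriding anything.
        SSLContext ctx = SSLContext.getDefault();
        SSLEngine probe = ctx.createSSLEngine();
        List<String> supported = aes256Only(probe.getSupportedCipherSuites());
        List<String> enabled = aes256Only(probe.getEnabledCipherSuites());
        System.out.println("AES-256 suites supported by JSSE:   " + supported);
        System.out.println("AES-256 suites enabled by default:  " + enabled);

        if (supported.isEmpty()) {
            // Nothing the application does can add these: the JRE/JCE is not offering them.
            System.out.println("No AES-256 suite is supported by this JRE; fix the policy/JRE before touching the server.");
            return;
        }

        // What an application does on its own sockets/engines to allow AES-256 only.
        // setEnabledCipherSuites rejects (IllegalArgumentException) any name the JRE does
        // not support, so the list is taken from the supported set. A peer that shares
        // none of these suites fails the handshake instead of falling back.
        SSLEngine strict = ctx.createSSLEngine();
        strict.setUseClientMode(false);
        strict.setEnabledCipherSuites(supported.toArray(new String[0]));
        System.out.println("Strict server engine will offer:    " + Arrays.toString(strict.getEnabledCipherSuites()));
    }
}
```

Compile and run it with the exact JRE the server launches with (`javac Aes256SuiteCheck.java && <java.home>/bin/java Aes256SuiteCheck`); to test a candidate `java.security` without editing the installed one, pass `-Djava.security.properties=/path/to/test.security`. If the supported list already lacks AES_256 here, the JRE itself is not offering the suites, which points at the policy files or at a different JRE being used; if they are supported but not enabled, the restriction is coming from the application's own selection.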