Openfire is a real time collaboration (RTC) server licensed under the Open Source Apache license. It uses the only widely adopted open protocol for instant messaging, XMPP (also called Jabber). Openfire is incredibly easy to setup and administer, but offers rock-solid security and performance.

This release adds BOSH functionality for setting CORS headers and improves Pub-Sub support. There is also a new Atlassian Crowd provider! Various stability improvements were made as well.

What's New:


  • [OF-793] - Unsupported record version Unknown-47.115
  • [OF-1433] - OpenFire doesn't ACK the sent presence stanza to the user
  • [OF-1829] - NPE while destroying MUCService
  • [OF-1835] - SM resumption of a session that had an SM error causes NPE
  • [OF-1845] - NPE in S2S tester
  • [OF-1848] - S2S should not be established twice.
  • [OF-1853] - Upon joining a chatroom, a subject MUST be sent, even when empty
  • [OF-1856] - Anonymous users should not be able to send S2S subscription requests
  • [OF-1858] - MUC services are not added/removed from other cluster nodes
  • [OF-1860] - Admin Console - Plugin Upload vulnerable to ZipSlip
  • [OF-1873] - LDAP password disclosed on admin page
  • [OF-1874] - XSS on LDAP Server Settings page


  • [OF-1876] - Update MySQL Connector/J to version 8.0.17
  • [OF-1877] - Upgrade BouncyCastle from 1.61 to 1.63


  • [OF-1833] - Add more data to dns-check.jsp
  • [OF-1842] - Add information about other options to SSL Guide
  • [OF-1849] - S2S: Allow for StartTLS on DirectTLS port
  • [OF-1851] - Use more applicable error when anonymous user tries to obtain a roster
  • [OF-1852] - Bounce undeliverable message and presence stanzas
  • [OF-1854] - Allow trust and identitystores to be of different type
  • [OF-1857] - Improve logging around shutdown
  • [OF-1859] - LocalSession#sessionData should return previous values on update/remove