When enabled, certificates will be verified against Certificate Revocation Lists (CRL) and through Online Certificate Status Protocol (OCSP) to ensure they have not been revoked.

- Permit client-driven OCSP (has no effect unless revocation checking is also enabled) by adding property to java.security settings.
- Enable OCSP stapling by specifying jdk.tls.server.enableStatusRequestExtension=true Java system property.

With this default configuration:

- as a client: Openfire will behave in the same way as it did prior to this commit.
- as a server: Openfire will staple OCSP responses when presenting its certificate if the certificate is configured with an OCSP responder and Openfire receives a response from the listed responder, otherwise the certificate will be presented with no OCSP response (the default behaviour prior to this commit).

For further configuration options see: https://docs.oracle.com/en/java/javase/17/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-527BAE97-3B78-4390-A479-623BD998C4EE

Prior to this change, if the TLS handshake failed (e.g. if certificate validation did not succeed), an error stanza would be returned to the TLS client with the misleading message "An error occurred in XMPP Decoder".

… not

If Openfire is configured to do revocation checking, but Java is configured to not support client-driven OCSP checking, we now inform the user.