OF-2632: Do not offer StartTLS when the identity store is empty

When the identity store does not contain any certificates, inbound TLS will never be able to succeed. In such cases, lets not advertise the StartTLS feature.

xmppserver/src/main/java/org/jivesoftware/openfire/session/LocalClientSession.java

@@ -45,6 +45,7 @@
 import org.xmpp.packet.StreamError;
 
 import java.net.UnknownHostException;
+import java.security.KeyStoreException;
 import java.util.*;
 
 /**
@@ -274,12 +275,16 @@ public static LocalClientSession createSession(String serverName, XmlPullParser
 
         sb = new StringBuilder(490);
         sb.append("<stream:features>");
-        if (connection.getConfiguration().getTlsPolicy() != Connection.TLSPolicy.disabled) {
-            sb.append("<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\">");
-            if (connection.getConfiguration().getTlsPolicy() == Connection.TLSPolicy.required) {
-                sb.append("<required/>");
+        try {
+            if (connection.getConfiguration().getTlsPolicy() != Connection.TLSPolicy.disabled && !connection.getConfiguration().getIdentityStore().getAllCertificates().isEmpty()) {
+                sb.append("<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\">");
+                if (connection.getConfiguration().getTlsPolicy() == Connection.TLSPolicy.required) {
+                    sb.append("<required/>");
+                }
+                sb.append("</starttls>");
             }
-            sb.append("</starttls>");
+        } catch (KeyStoreException e) {
+            Log.warn("Unable to access the identity store for client connections. StartTLS is not being offered as a feature for this session.", e);
         }
         // Include available SASL Mechanisms
         sb.append(SASLAuthentication.getSASLMechanisms(session));

xmppserver/src/main/java/org/jivesoftware/openfire/session/LocalConnectionMultiplexerSession.java

@@ -141,7 +141,7 @@ public static LocalConnectionMultiplexerSession createSession(String serverName,
 
             sb = new StringBuilder(490);
             sb.append("<stream:features>");
-            if (connection.getConfiguration().getTlsPolicy() != Connection.TLSPolicy.disabled) {
+            if (connection.getConfiguration().getTlsPolicy() != Connection.TLSPolicy.disabled && !connection.getConfiguration().getIdentityStore().getAllCertificates().isEmpty()) {
                 sb.append("<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\">");
                 if (connection.getConfiguration().getTlsPolicy() == Connection.TLSPolicy.required) {
                     sb.append("<required/>");

xmppserver/src/main/java/org/jivesoftware/openfire/session/LocalIncomingServerSession.java

@@ -181,7 +181,10 @@ public static LocalIncomingServerSession createSession(String serverName, XmlPul
 
                 sb.append("<stream:features>");
 
-                if (!directTLS && (connection.getConfiguration().getTlsPolicy() == Connection.TLSPolicy.required || connection.getConfiguration().getTlsPolicy() == Connection.TLSPolicy.optional)) {
+                if (!directTLS
+                    && (connection.getConfiguration().getTlsPolicy() == Connection.TLSPolicy.required || connection.getConfiguration().getTlsPolicy() == Connection.TLSPolicy.optional)
+                    && !connection.getConfiguration().getIdentityStore().getAllCertificates().isEmpty()
+                ) {
                     sb.append("<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\">");
                     if (!ServerDialback.isEnabled()) {
                         Log.debug("Server dialback is disabled so TLS is required");