OF-2773 QUIC support

.junie/memory/language.json

@@ -0,0 +1 @@
+[]

.junie/memory/memory.version

@@ -0,0 +1 @@
+3.0

Dockerfile

@@ -72,7 +72,24 @@ LABEL org.opencontainers.image.authors="dave@cridland.net,dan@caseley.me.uk"
 WORKDIR /usr/local/openfire
 HEALTHCHECK --interval=1m --timeout=10s --start-period=3m --retries=3  CMD bash -c "(echo > /dev/tcp/localhost/5222) 2>/dev/null || exit 1"
 
-EXPOSE 3478 3479 5005 5222 5223 5229 5262 5263 5275 5276 7070 7443 7777 9090 9091
+# Exposed ports:
+# 3478  - STUN (plain)  \  for Jingle (audio/video) via the
+# 3479  - STUN (TLS)    /  STUN / TURN Service plugin
+# 5005  - Java remote debugging (only useful in dev/debug builds)
+# 5222  - XMPP client connections (plain / STARTTLS)
+# 5223  - XMPP client connections (legacy SSL)
+# 5224  - XMPP client+server connections (QUIC); optionally WebTransport (HTTP/3)
+# 5229  - Flash cross-domain handler (legacy)
+# 5262  - XMPP component connections (plain / STARTTLS)
+# 5263  - XMPP component connections (legacy SSL)
+# 5275  - XMPP server-to-server connections (plain / STARTTLS)
+# 5276  - XMPP server-to-server connections (legacy SSL)
+# 7070  - HTTP (BOSH / WebSocket)
+# 7443  - HTTPS (BOSH / WebSocket)
+# 7777  - File transfer proxy
+# 9090  - Admin console (HTTP)
+# 9091  - Admin console (HTTPS)
+EXPOSE 3478 3479 5005 5222 5223 5224 5229 5262 5263 5275 5276 7070 7443 7777 9090 9091
 VOLUME ["${OPENFIRE_DATA_DIR}"]
 VOLUME ["${OPENFIRE_LOG_DIR}"]
 ENTRYPOINT [ "/sbin/entrypoint.sh" ]

i18n/src/main/resources/openfire_i18n.properties

@@ -39,8 +39,12 @@ tab.server.descr=Click to manage server settings
         sidebar.profile-settings.descr=Click to configure user and group profile settings
         sidebar.client-connections-settings=Client Connections
         sidebar.client-connections-settings.descr=Click to configure client connections settings
+        sidebar.quic-client-connections-settings=Client Connections (QUIC)
+        sidebar.quic-client-connections-settings.descr=Click to configure QUIC client connections settings
         sidebar.server2server-settings=Server to Server
         sidebar.server2server-settings.descr=Click to configure server to server settings
+        sidebar.quic-server2server-settings=Server to Server (QUIC)
+        sidebar.quic-server2server-settings.descr=Click to configure QUIC server-to-server (federation) settings
         sidebar.external-components-settings=External Components
         sidebar.external-components-settings.descr=Click to configure external component settings
         sidebar.connection-managers-settings=Connection Managers
@@ -1347,6 +1351,10 @@ system_property.xmpp.ratelimit.newconnections.logging.suppress=The minimum time
 system_property.xmpp.ratelimit.newconnections.s2s.enabled=Enables or disables rate limiting for new server-to-server (S2S) connections.
 system_property.xmpp.ratelimit.newconnections.s2s.max_burst=The maximum number of new server-to-server connection attempts that can be accepted in a short burst. Allows temporary bursts without violating the sustained rate.
 system_property.xmpp.ratelimit.newconnections.s2s.permits_per_second=The sustained rate of new server-to-server connection attempts allowed per second. Applies to all S2S (federation) connection types, which currently is just TCP.
+system_property.xmpp.quic.client.idle=How long, in seconds, before idle QUIC client sessions are dropped. Set to -1 to never drop idle sessions.
+system_property.xmpp.quic.client.max-streams=Maximum number of QUIC streams that can be associated with a client session.
+system_property.xmpp.quic.client.max-outbound-streams=Maximum number of QUIC streams that Openfire opens proactively for outbound stanza delivery.
+system_property.xmpp.quic.client.alpn=Comma-separated list of ALPN values accepted by the QUIC C2S listener. The default and recommended value is xmpp-client.
 system_property.plugins.upload.enabled=Defines if the admin console can be used to upload plugins.
 system_property.plugins.upload.content-type-check.enabled=Determines if the content-type of uploaded plugin files is verified.
 system_property.plugins.upload.content-type-check.expected-value=Defines the expected content-type of uploaded plugin files.
@@ -1845,6 +1853,13 @@ session.details.hide-extended=Show Less Details
 session.details.show-extended=Show More Details
 session.details.security=Security
 session.details.features=Features & Functionality
+session.details.quic.title=QUIC Connection
+session.details.quic.streams=Streams
+session.details.quic.peer-credits=Peer-allowed bidi streams
+session.details.quic.rtt=RTT (smoothed)
+session.details.quic.cwnd=Congestion window
+session.details.quic.packets=Packets
+session.details.quic.bytes=Bytes
 
 # Session row Page
 
@@ -2482,6 +2497,8 @@ ssl.certificates.store-management.combined-stores.title=Certificate Stores
 ssl.certificates.store-management.combined-stores.info=These stores are used for all encrypted communication. Three stores are provided\: one identity store, a trust store for server-based connections, and a trust store for client-based connections.
 ssl.certificates.store-management.socket-c2s-stores.title=XMPP Client Stores
 ssl.certificates.store-management.socket-c2s-stores.info=These stores are used for regular, TCP-based client-to-server XMPP communication. Two stores are provided\: one identity store and a trust store. Openfire ships with an empty trust store, as in typical environments, certificate-based authentication of clients is not required.
+ssl.certificates.store-management.quic-c2s-stores.title=XMPP Client Stores (QUIC)
+ssl.certificates.store-management.quic-c2s-stores.info=These stores are used for QUIC-based client-to-server XMPP communication. Two stores are provided\: one identity store and a trust store.
 ssl.certificates.store-management.socket-s2s-stores.title=Server Federation Stores
 ssl.certificates.store-management.socket-s2s-stores.info=These stores are used for server-to-server XMPP communication, which establishes server federation. Two stores are provided\: one identity store and a trust store. Openfire ships with a trust store filled with certificates of generally accepted certificate authorities.
 ssl.certificates.store-management.bosh-c2s-stores.title=Web binding (websocket and BOSH) Stores
@@ -2543,6 +2560,7 @@ ssl.certificates.truststore.ca-reply=Certificate Authority Reply:
 
 # Truststore Page
 ssl.certificates.truststore.c2s-title=Client Truststore
+ssl.certificates.truststore.quic-c2s-title=Client QUIC Truststore
 ssl.certificates.truststore.s2s-title=Server Truststore
 ssl.certificates.truststore.title=Openfire Trust Certificate Store
 ssl.certificates.truststore.info=Certificates in this list are used by Openfire to verify the identity of remote clients and servers when encrypted connections are being established. By default, Openfire ships with a number of certificates from commonly trusted Certificate Authorities.
@@ -3473,6 +3491,8 @@ ports.directtls.desc=Connections established on this port are established using
 ports.client_to_server=Client to Server
 ports.client_to_server.desc=The standard port for clients to connect to the server.
 ports.client_to_server.desc_old_ssl=The port used for clients to connect to the server using the Direct TLS method.
+ports.client_to_server_quic=Client to Server (QUIC)
+ports.client_to_server_quic.desc=The QUIC port used for clients to connect to the server.
 ports.server_to_server=Server to Server
 ports.server_to_server.desc=The port used for remote servers to connect to this server.
 ports.connection_manager=Connection Manager
@@ -3654,9 +3674,50 @@ client.connections.settings.ratelimit.max_burst=Maximum burst
 client.connections.settings.ratelimit.permits.invalid=Permits per second must be a positive whole number.
 client.connections.settings.ratelimit.max_burst.invalid=Maximum burst must be a positive whole number.
 
+# QUIC Client Connections Settings page
+quic.client.connections.settings.title=Client Connections Settings (QUIC)
+quic.client.connections.settings.confirm.updated=QUIC client connection settings have been updated successfully.
+quic.client.connections.settings.info=Use the form below to configure how XMPP clients connect to this server over QUIC.
+quic.client.connections.settings.boxtitle=QUIC Client Listener
+quic.client.connections.settings.label_enable=Enable QUIC client listener
+quic.client.connections.settings.label_idle=Idle timeout
+quic.client.connections.settings.label_maxstreams=Maximum streams per session (inbound, advertised to client)
+quic.client.connections.settings.label_maxoutboundstreams=Maximum server-initiated streams per session
+quic.client.connections.settings.label_alpn=ALPN identifier(s) (comma-separated)
+quic.client.connections.settings.label_qlogdir=qlog directory (leave empty to disable)
+quic.client.connections.settings.valid.port=Port must be between 1 and 65535.
+quic.client.connections.settings.valid.idle=Idle timeout must be -1 or a positive number of seconds.
+quic.client.connections.settings.valid.maxstreams=Maximum streams must be a positive whole number.
+quic.client.connections.settings.valid.maxoutboundstreams=Maximum server-initiated streams must be zero or a positive whole number.
+quic.client.connections.settings.valid.alpn=At least one ALPN identifier must be configured.
+quic.client.connections.settings.native.available=The Netty QUIC native library is available on this platform. QUIC connections can be accepted.
+quic.client.connections.settings.native.unavailable=The Netty QUIC native library is NOT available on this platform (supported platforms: linux-x86_64, linux-aarch_64, osx-x86_64, osx-aarch_64, windows-x86_64). QUIC connections cannot be accepted until the matching native JAR is added to the classpath.
+quic.client.connections.settings.label_webtransport=Enable WebTransport (HTTP/3) support
+quic.client.connections.settings.label_webtransport.info=When enabled, the QUIC listener also accepts HTTP/3 connections (ALPN \u201ch3\u201d). Browsers and WebTransport-capable clients can connect via an HTTP/3 CONNECT upgrade to /xmpp (XEP-0468). C2S XMPP, S2S XMPP, and WebTransport will share the same UDP port, distinguished by ALPN. Requires a server restart to take effect.
+
+# QUIC S2S (federation) connection settings
+quic.server.connections.settings.title=Server-to-Server Connections Settings (QUIC)
+quic.server.connections.settings.saved=QUIC S2S connection settings have been updated successfully.
+quic.server.connections.settings.info=Use the form below to configure QUIC-based server-to-server (federation) connections. QUIC provides TLS 1.3 transport security; no STARTTLS upgrade is required.
+quic.server.connections.settings.native.available=The Netty QUIC native library is available on this platform. QUIC S2S connections can be accepted and initiated.
+quic.server.connections.settings.native.unavailable=The Netty QUIC native library is NOT available on this platform (supported platforms: linux-x86_64, linux-aarch_64, osx-x86_64, osx-aarch_64, windows-x86_64). QUIC S2S connections cannot be used until the matching native JAR is added to the classpath.
+quic.server.connections.settings.inbound.boxtitle=Inbound QUIC S2S Listener
+quic.server.connections.settings.inbound.info=Configure the UDP port on which this server accepts incoming QUIC federation connections from remote XMPP servers.
+quic.server.connections.settings.label_enable=Enable inbound QUIC S2S listener
+quic.server.connections.settings.label_idle=Idle timeout
+quic.server.connections.settings.label_alpn=ALPN identifier(s) (comma-separated)
+quic.server.connections.settings.valid.port=Port must be between 1 and 65535.
+quic.server.connections.settings.valid.idle=Idle timeout must be -1 or a positive number of seconds.
+quic.server.connections.settings.valid.alpn=At least one ALPN identifier must be configured.
+quic.server.connections.settings.outbound.boxtitle=Outbound QUIC S2S
+quic.server.connections.settings.outbound.info=When enabled, Openfire will attempt to establish outbound federation connections over QUIC before falling back to TCP. Remote servers must advertise a <em>_xmpp-server._quic</em> SRV DNS record for QUIC to be used.
+quic.server.connections.settings.outbound.label_enable=Enable outbound QUIC S2S (via _xmpp-server._quic SRV)
+quic.server.connections.settings.outbound.srv_note=Note: if no _xmpp-server._quic SRV record is found for the remote domain, Openfire automatically falls back to the standard TCP-based S2S path. Enabling this option has no effect on domains that do not advertise QUIC support.
+
 # Connection type and mode
 connection-type.socket-s2s=server-to-server (federation)
 connection-type.socket-c2s=client-to-server
+connection-type.quic-c2s=client-to-server (QUIC)
 connection-type.bosh-c2s=Web binding (websocket & BOSH)
 connection-type.webadmin=admin console
 connection-type.component=external component