Openfire (in EncryptionFactory, potentially other places) uses a SSLContext that's TLSv1, hardcoded. This was probably a good, strong choice at the time it was written, but it's starting to become a mediocre choice now.
Openfire should not hardcode the setting - the default setting should be increased.
Interestingly, Java allows you to use a version named 'default' - which probably is going to be something that's deemed appropriate in a particular version of Java.
Openfire should allow the context version to be updated, and should probably use 'default' if no explicit configuration is given.