-
@wojtek Is hardened mode enabled? If so, then it may "require" that on the instance level and it would make it impossible to disable that requirement on the VHost level, as instance settings are "more important" than vhost settings.
-
It doesn't seem like that: setting HardenedMode to relaxed (globally and in VHost) and setting tls-required to OFF still results in it being required:

<?xml version='1.0'?>
<stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' from='atlantiscity' id='e1eeae4c-3b24-473a-9030-1246e5a05f06' version='1.0' xml:lang='en'>
  <stream:features>
    <sm xmlns="urn:xmpp:sm:3"/>
    <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/>
    <register xmlns="http://jabber.org/features/iq-register"/>
    <ver xmlns="urn:xmpp:features:rosterver"/>
    <sub xmlns="urn:xmpp:features:pre-approval"/>
    <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls">
      <required/>
    </starttls>
    <compression xmlns="http://jabber.org/features/compress">
      <method>zlib</method>
    </compression>
  </stream:features>

It seems that the only way to disable it is to use this configuration:

'vhost-tls-required' = false
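A check for exactly what this comment is testing, added here as an example and not code from the thread or from Tigase: parse the server's opening stream and its stream:features, report whether STARTTLS is advertised as required, optional or absent, and compare that with the configured "TLS required" flag. The sample streams are constructed from the features shown above, with a closing stream tag appended so the fragment is well-formed.

```python
import xml.etree.ElementTree as ET

STREAM_NS = "http://etherx.jabber.org/streams"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"

# Constructed samples (not captured from a real server): the features quoted in
# the thread, with <stream:stream> closed so the parser accepts the fragment.
_HEADER = ("<stream:stream xmlns='jabber:client' "
           "xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>")
STREAM_TLS_REQUIRED = _HEADER + """<stream:features>
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/>
  <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls>
</stream:features></stream:stream>"""
STREAM_TLS_OPTIONAL = _HEADER + """<stream:features>
  <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
</stream:features></stream:stream>"""
STREAM_TLS_ABSENT = _HEADER + """<stream:features>
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/>
</stream:features></stream:stream>"""


def starttls_policy(stream_xml: str) -> str:
    """Return 'required', 'optional' or 'absent' for the STARTTLS feature.

    The <required/> child inherits the starttls default namespace, so it is
    looked up as a namespaced element rather than a bare tag name."""
    root = ET.fromstring(stream_xml)
    features = root.find(f"{{{STREAM_NS}}}features")
    if features is None:
        raise ValueError("no <stream:features> element in stream header")
    starttls = features.find(f"{{{TLS_NS}}}starttls")
    if starttls is None:
        return "absent"
    if starttls.find(f"{{{TLS_NS}}}required") is not None:
        return "required"
    return "optional"


def matches_config(stream_xml: str, tls_required: bool) -> bool:
    """True when the advertised policy agrees with the configured flag.

    tls_required=False with an advertised 'required' is the mismatch the
    thread reports (vhost option OFF, server still announcing <required/>)."""
    policy = starttls_policy(stream_xml)
    return policy == "required" if tls_required else policy != "required"


if __name__ == "__main__":
    for name, xml in (("required", STREAM_TLS_REQUIRED),
                      ("optional", STREAM_TLS_OPTIONAL),
                      ("absent", STREAM_TLS_ABSENT)):
        print(name, "->", starttls_policy(xml))
```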
-
There was such discussion, but still there is an option in VHost which allows disabling it so it should be respected… or we should remove that option from VHost configuration. Though it seems better to have it configurable on per VHost basis instead of leaving only global option to completely disable TLS.
-
This seems quite counter-intuitive... if the global option merely serves as "permission to disable it on a per-vhost basis" then it should be named accordingly, though this should be handled by an adequate HardenedMode level (only allow on relaxed, for example).
-
I will not discuss whether the naming of property vhost-tls-required is correct or not. Initially, it was introduced to force encryption by setting it to true, then its default value was switched to true and it needs to be set to false to disable this requirement.

I've modified VHostItem support for ad-hoc to make it impossible to change the TLS required state on the vhost level if the requirement mentioned above is enabled. At the same time, I've added a note (as a replacement for the TLS required checkbox) stating that the TLS requirement is enabled for the installation and how it can be disabled. I think that this is a good approach as it explains everything for the end-user.

Note: vhost-tls-required is one of the settings which should be removed in the future. Right now they are placed in VHostItemDefaults and in the end this class should be removed and we should only use the VHost named default as a source of a default configuration. Currently, that class has some leftovers required for moving config from the config file to the database.
Type | Bug
Priority | Normal
Assignee |
Version | tigase-server-8.1.0, tigase-server-8.0.1
Spent time | 0
Steps to reproduce:
TLS required option in VHost options
Afterwards it's still announced: