09:31 • Ticket [9d503a1cac] Make -require 1 the default status still Open with 6 other changes artifact: 2b40823fb7 user: anonymous
09:16 • New ticket [9d503a1cac]. artifact: 7c4f431d5e user: anonymous

Title: Make -require 1 the default
Last Modified: 2018-09-22 09:31:51
Version Found In: 1.7.16
anonymous added on 2018-09-22 09:16:56:
Currently the -require flag defaults to 0/off, which means that TclTLS does not require the other party to present any kind of certificate to authenticate itself. This means that a completely unauthenticated key exchange is performed and so you could be talking to anybody. All the security properties of TLS are void in this mode, so turning it off should be a quite rare thing to do.
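As an added illustration of the point above (editor's example, not code from the ticket or from the TclTLS project): the two connection forms side by side, the current default and the proposed one. The host and port are assumptions; the CA bundle path is the one named later in this ticket and is platform dependent.

```tcl
package require tls

# Added example; host and port are assumptions, the CA path is the one
# mentioned in the ticket and varies by platform.
set host   "example.com"
set port   443
set cafile "/etc/ssl/cert.pem"

# Current default, -require 0: the peer may present no certificate at all
# and the handshake still succeeds. The channel is encrypted, but nothing
# has authenticated the other end.
set weak [tls::socket -require 0 $host $port]
close $weak

# Proposed default, -require 1 with a CA bundle: the handshake fails unless
# the peer presents a certificate that chains to a trusted CA.
proc connect_verified {host port cafile} {
    set chan [tls::socket -require 1 -cafile $cafile $host $port]
    # Force the handshake now so a verification failure surfaces here
    # rather than on the first read or write.
    tls::handshake $chan
    return $chan
}

if {[catch {set chan [connect_verified $host $port $cafile]} err]} {
    puts "TLS verification failed: $err"
} else {
    # tls::status reports the peer certificate that was actually verified.
    array set st [tls::status $chan]
    puts "peer subject: $st(subject)"
    puts "issuer:       $st(issuer)"
    close $chan
}
```

Note that -require 1 checks the certificate chain against the CA bundle; whether the certificate's subject actually names the host you intended to reach is a separate check, which is why the example prints the subject from tls::status rather than assuming it.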
anonymous (claiming to be Neil Madden) added on 2018-09-22 09:31:51:
Turning this on by default might mean some work either shipping a default ca file or knowing where one is on most platforms. For instance, on my Mac with OpenSSL installed there is a default ca file in /etc/ssl/cert.pem (and a copy in /usr/local/etc/openssl/cert.pem).