View Ticket
Ticket Hash: 9d503a1cac442edf040bad487d795892ea19f2db
Title: Make -require 1 the default
Status: Open Type: Feature Request
Severity: Important Priority: Immediate
Subsystem: Resolution: Open
Last Modified: 2018-09-22 09:31:51
Version Found In: 1.7.16
User Comments:
anonymous added on 2018-09-22 09:16:56:

Currently the -require flag defaults to 0/off, which means that TclTLS does not require the other party to present any kind of certificate to authenticate itself. This means that a completely unauthenticated key exchange is performed and so you could be talking to anybody. All the security properties of TLS are void in this mode, so turning it off should be a quite rare thing to do.


anonymous (claiming to be Neil Madden) added on 2018-09-22 09:31:51:

Turning this on by default might mean some work either shipping a default ca file or knowing where one is on most platforms. For instance, on my Mac with OpenSSL installed there is a default ca file in /etc/ssl/cert.pem (and a copy in /usr/local/etc/openssl/cert.pem).