Index: configure
==================================================================
--- configure
+++ configure
@@ -1,8 +1,8 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.72 for tls 1.8.0.
+# Generated by GNU Autoconf 2.72 for tls 2.0b1.
 #
 #
 # Copyright (C) 1992-1996, 1998-2017, 2020-2023 Free Software Foundation,
 # Inc.
 #
@@ -599,12 +599,12 @@
 MAKEFLAGS=
 
 # Identity of this package.
 PACKAGE_NAME='tls'
 PACKAGE_TARNAME='tls'
-PACKAGE_VERSION='1.8.0'
-PACKAGE_STRING='tls 1.8.0'
+PACKAGE_VERSION='2.0b1'
+PACKAGE_STRING='tls 2.0b1'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
 # Factoring default headers for most tests.
 ac_includes_default="\
@@ -1340,11 +1340,11 @@
 #
 if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-'configure' configures tls 1.8.0 to adapt to many kinds of systems.
+'configure' configures tls 2.0b1 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
 To assign environment variables (e.g., CC, CFLAGS...), specify them as
 VAR=VALUE.  See below for descriptions of some of the useful variables.
@@ -1402,11 +1402,11 @@
 _ACEOF
 fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of tls 1.8.0:";;
+     short | recursive ) echo "Configuration of tls 2.0b1:";;
    esac
   cat <<\_ACEOF
 
 Optional Features:
   --disable-option-checking  ignore unrecognized --enable/--with options
@@ -1528,11 +1528,11 @@
 fi
 
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-tls configure 1.8.0
+tls configure 2.0b1
 generated by GNU Autoconf 2.72
 
 Copyright (C) 2023 Free Software Foundation, Inc.
 This configure script is free software; the Free Software Foundation
 gives unlimited permission to copy, distribute and modify it.
@@ -1835,11 +1835,11 @@
 
 cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by tls $as_me 1.8.0, which was
+It was created by tls $as_me 2.0b1, which was
 generated by GNU Autoconf 2.72.  Invocation command line was
 
   $ $0$ac_configure_args_raw
 
 _ACEOF
@@ -10291,11 +10291,11 @@
 cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # Save the log message, to keep $0 and so on meaningful, and to
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by tls $as_me 1.8.0, which was
+This file was extended by tls $as_me 2.0b1, which was
 generated by GNU Autoconf 2.72.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
   CONFIG_HEADERS  = $CONFIG_HEADERS
   CONFIG_LINKS    = $CONFIG_LINKS
@@ -10346,11 +10346,11 @@
 ac_cs_config=`printf "%s\n" "$ac_configure_args" | sed "$ac_safe_unquote"`
 ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\''/g"`
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config='$ac_cs_config_escaped'
 ac_cs_version="\\
-tls config.status 1.8.0
+tls config.status 2.0b1
 configured by $0, generated by GNU Autoconf 2.72,
   with options \\"\$ac_cs_config\\"
 
 Copyright (C) 2023 Free Software Foundation, Inc.
 This config.status script is free software; the Free Software Foundation

Index: configure.ac
==================================================================
--- configure.ac
+++ configure.ac
@@ -14,11 +14,11 @@
 # so you can encode the package version directly into the source files.
 # This will also define a special symbol for Windows (BUILD_<PACKAGE_NAME>
 # so that we create the export library with the dll.
 #-----------------------------------------------------------------------
 
-AC_INIT([tls],[1.8.0])
+AC_INIT([tls],[2.0b1])
 
 #--------------------------------------------------------------------
 # Call TEA_INIT as the first TEA_ macro to set up initial vars.
 # This will define a ${TEA_PLATFORM} variable == "unix" or "windows"
 # as well as PKG_LIB_FILE and PKG_STUB_LIB_FILE.

Index: doc/tls.html
==================================================================
--- doc/tls.html
+++ doc/tls.html
@@ -98,11 +98,11 @@
 <!-- Copyright &amp;copy; 1999 Matt Newman   -- Copyright &amp;copy; 2004 Starfish Systems   -- Copyright &amp;copy; 2024 Brian O'Hagan
    -->
 <!-- tls.n
    -->
 <body><div class="doctools">
-<h1 class="doctools_title">tls(n) 1.8 tls &quot;Tcl TLS extension&quot;</h1>
+<h1 class="doctools_title">tls(n) 2.0b1 tls &quot;Tcl TLS extension&quot;</h1>
 <div id="name" class="doctools_section"><h2><a name="name">Name</a></h2>
 <p>tls - binding to the OpenSSL library for encrypted socket and I/O channel communications</p>
 </div>
 <div id="toc" class="doctools_section"><h2><a name="toc">Table Of Contents</a></h2>
 <ul class="doctools_toc">
@@ -135,11 +135,11 @@
 </div>
 <div id="synopsis" class="doctools_section"><h2><a name="synopsis">Synopsis</a></h2>
 <div class="doctools_synopsis">
 <ul class="doctools_requirements">
 <li>package require <b class="pkgname">Tcl 8.5-</b></li>
-<li>package require <b class="pkgname">tls 1.8</b></li>
+<li>package require <b class="pkgname">tls 2.0b1</b></li>
 </ul>
 <ul class="doctools_syntax">
 <li><a href="#1"><b class="cmd">tls::init</b> <span class="opt">?<i class="arg">-option</i>?</span> <span class="opt">?<i class="arg">value</i>?</span> <span class="opt">?<i class="arg">-option value ...</i>?</span></a></li>
 <li><a href="#2"><b class="cmd">tls::socket</b> <span class="opt">?<i class="arg">-option</i>?</span> <span class="opt">?<i class="arg">value</i>?</span> <span class="opt">?<i class="arg">-option value ...</i>?</span> <i class="arg">host</i> <i class="arg">port</i></a></li>
 <li><a href="#3"><b class="cmd">tls::socket</b> <b class="option">-server</b> <i class="arg">command</i> <span class="opt">?<i class="arg">-option</i>?</span> <span class="opt">?<i class="arg">value</i>?</span> <span class="opt">?<i class="arg">-option value ...</i>?</span> <i class="arg">port</i></a></li>
@@ -181,11 +181,13 @@
 command options with one additional option. It returns the channel handle id
 for the new socket.</p>
 <dl class="doctools_options">
 <dt><b class="option">-autoservername</b> <i class="arg">bool</i></dt>
 <dd><p>If <b class="const">true</b>, automatically set the <b class="option">-servername</b> argument to the
-<em>host</em> argument. Default is <b class="const">false</b>.</p></dd>
+<em>host</em> argument. Prior to TclTLS 2.0, the default is <b class="const">false</b>.
+Starting in TclTLS 2.0, the default is <b class="const">true</b> unless <b class="option">-servername</b>
+is also specified.</p></dd>
 </dl></dd>
 <dt><a name="3"><b class="cmd">tls::socket</b> <b class="option">-server</b> <i class="arg">command</i> <span class="opt">?<i class="arg">-option</i>?</span> <span class="opt">?<i class="arg">value</i>?</span> <span class="opt">?<i class="arg">-option value ...</i>?</span> <i class="arg">port</i></a></dt>
 <dd><p>Same as previous, but instead creates a server socket for clients to connect to
 just like the Tcl <b class="syscmd">socket -server</b> command. It returns the channel
 handle id for the new socket.</p></dd>
@@ -257,19 +259,21 @@
 <dt><b class="option">-post_handshake</b> <i class="arg">bool</i></dt>
 <dd><p>Allow post-handshake session ticket updates.</p></dd>
 <dt><b class="option">-request</b> <i class="arg">bool</i></dt>
 <dd><p>Request a certificate from the peer during the SSL handshake. This is needed
 to do Certificate Validation. Starting in TclTLS 1.8, the default is
-<b class="const">true</b>.
+<b class="const">true</b>. Starting in TclTLS 2.0, If set to <b class="const">false</b> and
+<b class="option">-require</b> is <b class="const">true</b>, then this will be overridden to <b class="const">true</b>.
 See <span class="sectref"><a href="#section3">Certificate Validation</a></span> for more details.</p></dd>
 <dt><b class="option">-require</b> <i class="arg">bool</i></dt>
 <dd><p>Require a valid certificate from the peer during the SSL handshake. If this is
 set to true, then <b class="option">-request</b> must also be set to true and a either
 <b class="option">-cadir</b>, <b class="option">-cafile</b>, <b class="option">-castore</b>, or a platform default
 must be provided in order to validate against. The default in TclTLS 1.8 and
 earlier versions is <b class="const">false</b> since not all platforms have certificates to
-validate against in a form compatible with OpenSSL.
+validate against in a form compatible with OpenSSL. Starting in TclTLS 2.0,
+the default is <b class="const">true</b>.
 See <span class="sectref"><a href="#section3">Certificate Validation</a></span> for more details.</p></dd>
 <dt><b class="option">-security_level</b> <i class="arg">integer</i></dt>
 <dd><p>Specifies the security level (value from 0 to 5). The security level affects
 the allowed cipher suite encryption algorithms, supported ECC curves,
 supported signature algorithms, DH parameter sizes, certificate key sizes
@@ -278,13 +282,14 @@
 only accept cipher suites that provide forward secrecy.</p></dd>
 <dt><b class="option">-server</b> <i class="arg">bool</i></dt>
 <dd><p>Specifies whether to act as a server and respond with a server handshake when a
 client connects and provides a client handshake. The default is <b class="const">false</b>.</p></dd>
 <dt><b class="option">-servername</b> <i class="arg">hostname</i></dt>
-<dd><p>Specify the peer's hostname. This is used to set the TLS Server Name
-Indication (SNI) extension. Set this to the expected servername in the
-server's certificate or one of the Subject Alternate Names (SAN).</p></dd>
+<dd><p>Specify the peer's hostname. This is used to set the TLS Server Name Indication
+(SNI) extension. Set this to the expected servername in the server's certificate
+or one of the Subject Alternate Names (SAN). Starting in TclTLS 2.0, this will
+default to the host for the <b class="cmd">tls::socket</b> command.</p></dd>
 <dt><b class="option">-session_id</b> <i class="arg">binary_string</i></dt>
 <dd><p>Specifies the session id to resume a session. Not supported yet.</p></dd>
 <dt><b class="option">-ssl2</b> <i class="arg">bool</i></dt>
 <dd><p>Enable use of SSL v2. The default is <b class="const">false</b>. Note: Recent versions of
 OpenSSL no longer support SSLv2, so this may not have any effect. See the
@@ -548,28 +553,32 @@
 This store only supports root certificate stores. See
 <span class="sectref"><a href="#section3">Certificate Validation</a></span> for more details.</p></dd>
 <dt><b class="option">-request</b> <i class="arg">bool</i></dt>
 <dd><p>Request a certificate from the peer during the SSL handshake. This is needed
 to do Certificate Validation. Starting in TclTLS 1.8, the default is
-<b class="const">true</b>. In addition, the client can manually inspect and accept or reject
+<b class="const">true</b>. Starting in TclTLS 2.0, If set to <b class="const">false</b> and
+<b class="option">-require</b> is <b class="const">true</b>, then this will be overridden to <b class="const">true</b>.
+In addition, the client can manually inspect and accept or reject
 each certificate using the <i class="arg">-validatecommand</i> option.</p></dd>
 <dt><b class="option">-require</b> <i class="arg">bool</i></dt>
 <dd><p>Require a valid certificate from the peer during the SSL handshake. If this is
 set to true, then <b class="option">-request</b> must also be set to true and a either
 <b class="option">-cadir</b>, <b class="option">-cafile</b>, <b class="option">-castore</b>, or a platform default
 must be provided in order to validate against. The default in TclTLS 1.8 and
 earlier versions is <b class="const">false</b> since not all platforms have certificates to
-validate against in a form compatible with OpenSSL.</p></dd>
+validate against in a form compatible with OpenSSL. Starting in TclTLS 2.0,
+the default is <b class="const">true</b>.</p></dd>
 </dl>
 </div>
 <div id="subsection3" class="doctools_subsection"><h3><a name="subsection3">When are command line options needed?</a></h3>
 <p>In TclTLS 1.8 and earlier versions, certificate validation is
 <em>NOT</em> enabled by default. This limitation is due to the lack of a common
 cross platform database of Certificate Authority (CA) provided certificates to
 validate against. Many Linux systems natively support OpenSSL and thus have
 these certificates installed as part of the OS, but MacOS and MS Windows do not.
-In order to use the <b class="option">-require</b> option, one of the following
+Staring in TclTLS 2.0, this has been changed to require certificate validation
+by default. In order to use the <b class="option">-require</b> option, one of the following
 must be true:</p>
 <ul class="doctools_itemized">
 <li><p>On Linux and Unix systems with OpenSSL already installed or if the CA
 certificates are available in PEM format, and if they are stored in the
 standard locations, or if the <b class="variable">SSL_CERT_DIR</b> or <b class="variable">SSL_CERT_FILE</b>

Index: doc/tls.man
==================================================================
--- doc/tls.man
+++ doc/tls.man
@@ -1,21 +1,21 @@
 [comment {-*- tcl -*- doctools manpage}]
 [comment {To convert this to another documentation format use the dtplite
           script from tcllib: dtplite -o tls.n nroff tls.man
                               dtplite -o tls.html html tls.man
 }]
-[manpage_begin tls n 1.8]
+[manpage_begin tls n 2.0b1]
 [category tls]
 [copyright {1999 Matt Newman}]
 [copyright {2004 Starfish Systems}]
 [copyright {2024 Brian O'Hagan}]
 [keywords tls I/O "IP Address" OpenSSL SSL TCP TLS "asynchronous I/O" bind certificate channel connection "domain name" host "https" "network address" network socket TclTLS]
 [moddesc {Tcl TLS extension}]
 [see_also http socket [uri https://www.openssl.org/ OpenSSL]]
 [titledesc {binding to the OpenSSL library for encrypted socket and I/O channel communications}]
 [require Tcl 8.5-]
-[require tls 1.8]
+[require tls 2.0b1]
 [description]
 
 This extension provides TCL script access to secure socket communications
 using the Transport Layer Security (TLS) protocol. It provides a generic
 binding to [uri "https://www.openssl.org/" OpenSSL], utilizing the
@@ -50,11 +50,13 @@
 
 [list_begin options]
 
 [opt_def -autoservername [arg bool]]
 If [const true], automatically set the [option -servername] argument to the
-[emph host] argument. Default is [const false].
+[emph host] argument. Prior to TclTLS 2.0, the default is [const false].
+Starting in TclTLS 2.0, the default is [const true] unless [option -servername]
+is also specified.
 
 [list_end]
 
 [call [cmd tls::socket] [option -server] [arg command] [opt [arg -option]] [opt [arg value]] [opt [arg "-option value ..."]] [arg port]]
 
@@ -148,20 +150,22 @@
 Allow post-handshake session ticket updates.
 
 [opt_def -request [arg bool]]
 Request a certificate from the peer during the SSL handshake. This is needed
 to do Certificate Validation. Starting in TclTLS 1.8, the default is
-[const true].
+[const true]. Starting in TclTLS 2.0, If set to [const false] and
+[option -require] is [const true], then this will be overridden to [const true].
 See [sectref "Certificate Validation"] for more details.
 
 [opt_def -require [arg bool]]
 Require a valid certificate from the peer during the SSL handshake. If this is
 set to true, then [option -request] must also be set to true and a either
 [option -cadir], [option -cafile], [option -castore], or a platform default
 must be provided in order to validate against. The default in TclTLS 1.8 and
 earlier versions is [const false] since not all platforms have certificates to
-validate against in a form compatible with OpenSSL.
+validate against in a form compatible with OpenSSL. Starting in TclTLS 2.0,
+the default is [const true].
 See [sectref "Certificate Validation"] for more details.
 
 [opt_def -security_level [arg integer]]
 Specifies the security level (value from 0 to 5). The security level affects
 the allowed cipher suite encryption algorithms, supported ECC curves,
@@ -173,13 +177,14 @@
 [opt_def -server [arg bool]]
 Specifies whether to act as a server and respond with a server handshake when a
 client connects and provides a client handshake. The default is [const false].
 
 [opt_def -servername [arg hostname]]
-Specify the peer's hostname. This is used to set the TLS Server Name
-Indication (SNI) extension. Set this to the expected servername in the
-server's certificate or one of the Subject Alternate Names (SAN).
+Specify the peer's hostname. This is used to set the TLS Server Name Indication
+(SNI) extension. Set this to the expected servername in the server's certificate
+or one of the Subject Alternate Names (SAN). Starting in TclTLS 2.0, this will
+default to the host for the [cmd tls::socket] command.
 
 [opt_def -session_id [arg binary_string]]
 Specifies the session id to resume a session. Not supported yet.
 
 [opt_def -ssl2 [arg bool]]
@@ -564,20 +569,23 @@
 [sectref "Certificate Validation"] for more details.
 
 [opt_def -request [arg bool]]
 Request a certificate from the peer during the SSL handshake. This is needed
 to do Certificate Validation. Starting in TclTLS 1.8, the default is
-[const true]. In addition, the client can manually inspect and accept or reject
+[const true]. Starting in TclTLS 2.0, If set to [const false] and
+[option -require] is [const true], then this will be overridden to [const true].
+In addition, the client can manually inspect and accept or reject
 each certificate using the [arg -validatecommand] option.
 
 [opt_def -require [arg bool]]
 Require a valid certificate from the peer during the SSL handshake. If this is
 set to true, then [option -request] must also be set to true and a either
 [option -cadir], [option -cafile], [option -castore], or a platform default
 must be provided in order to validate against. The default in TclTLS 1.8 and
 earlier versions is [const false] since not all platforms have certificates to
-validate against in a form compatible with OpenSSL.
+validate against in a form compatible with OpenSSL. Starting in TclTLS 2.0,
+the default is [const true].
 
 [list_end]
 
 [subsection "When are command line options needed?"]
 
@@ -584,11 +592,12 @@
 In TclTLS 1.8 and earlier versions, certificate validation is
 [emph NOT] enabled by default. This limitation is due to the lack of a common
 cross platform database of Certificate Authority (CA) provided certificates to
 validate against. Many Linux systems natively support OpenSSL and thus have
 these certificates installed as part of the OS, but MacOS and MS Windows do not.
-In order to use the [option -require] option, one of the following
+Staring in TclTLS 2.0, this has been changed to require certificate validation
+by default. In order to use the [option -require] option, one of the following
 must be true:
 
 [list_begin itemized]
 
 [item]

Index: doc/tls.n
==================================================================
--- doc/tls.n
+++ doc/tls.n
@@ -2,11 +2,11 @@
 '\" Generated from file 'tls\&.man' by tcllib/doctools with format 'nroff'
 '\" Copyright (c) 1999 Matt Newman
 '\" Copyright (c) 2004 Starfish Systems
 '\" Copyright (c) 2024 Brian O'Hagan
 '\"
-.TH "tls" n 1\&.8 tls "Tcl TLS extension"
+.TH "tls" n 2\&.0b1 tls "Tcl TLS extension"
 .\" The -*- nroff -*- definitions below are for supplemental macros used
 .\" in Tcl/Tk manual entries.
 .\"
 .\" .AP type name in/out ?indent?
 .\"	Start paragraph describing an argument to a library procedure.
@@ -276,11 +276,11 @@
 .SH NAME
 tls \- binding to the OpenSSL library for encrypted socket and I/O channel communications
 .SH SYNOPSIS
 package require \fBTcl 8\&.5-\fR
 .sp
-package require \fBtls 1\&.8\fR
+package require \fBtls 2\&.0b1\fR
 .sp
 \fBtls::init\fR ?\fI-option\fR? ?\fIvalue\fR? ?\fI-option value \&.\&.\&.\fR?
 .sp
 \fBtls::socket\fR ?\fI-option\fR? ?\fIvalue\fR? ?\fI-option value \&.\&.\&.\fR? \fIhost\fR \fIport\fR
 .sp
@@ -331,11 +331,13 @@
 for the new socket\&.
 .RS
 .TP
 \fB-autoservername\fR \fIbool\fR
 If \fBtrue\fR, automatically set the \fB-servername\fR argument to the
-\fIhost\fR argument\&. Default is \fBfalse\fR\&.
+\fIhost\fR argument\&. Prior to TclTLS 2\&.0, the default is \fBfalse\fR\&.
+Starting in TclTLS 2\&.0, the default is \fBtrue\fR unless \fB-servername\fR
+is also specified\&.
 .RE
 .TP
 \fBtls::socket\fR \fB-server\fR \fIcommand\fR ?\fI-option\fR? ?\fIvalue\fR? ?\fI-option value \&.\&.\&.\fR? \fIport\fR
 Same as previous, but instead creates a server socket for clients to connect to
 just like the Tcl \fBsocket -server\fR command\&. It returns the channel
@@ -425,20 +427,22 @@
 Allow post-handshake session ticket updates\&.
 .TP
 \fB-request\fR \fIbool\fR
 Request a certificate from the peer during the SSL handshake\&. This is needed
 to do Certificate Validation\&. Starting in TclTLS 1\&.8, the default is
-\fBtrue\fR\&.
+\fBtrue\fR\&. Starting in TclTLS 2\&.0, If set to \fBfalse\fR and
+\fB-require\fR is \fBtrue\fR, then this will be overridden to \fBtrue\fR\&.
 See \fBCertificate Validation\fR for more details\&.
 .TP
 \fB-require\fR \fIbool\fR
 Require a valid certificate from the peer during the SSL handshake\&. If this is
 set to true, then \fB-request\fR must also be set to true and a either
 \fB-cadir\fR, \fB-cafile\fR, \fB-castore\fR, or a platform default
 must be provided in order to validate against\&. The default in TclTLS 1\&.8 and
 earlier versions is \fBfalse\fR since not all platforms have certificates to
-validate against in a form compatible with OpenSSL\&.
+validate against in a form compatible with OpenSSL\&. Starting in TclTLS 2\&.0,
+the default is \fBtrue\fR\&.
 See \fBCertificate Validation\fR for more details\&.
 .TP
 \fB-security_level\fR \fIinteger\fR
 Specifies the security level (value from 0 to 5)\&. The security level affects
 the allowed cipher suite encryption algorithms, supported ECC curves,
@@ -450,13 +454,14 @@
 \fB-server\fR \fIbool\fR
 Specifies whether to act as a server and respond with a server handshake when a
 client connects and provides a client handshake\&. The default is \fBfalse\fR\&.
 .TP
 \fB-servername\fR \fIhostname\fR
-Specify the peer's hostname\&. This is used to set the TLS Server Name
-Indication (SNI) extension\&. Set this to the expected servername in the
-server's certificate or one of the Subject Alternate Names (SAN)\&.
+Specify the peer's hostname\&. This is used to set the TLS Server Name Indication
+(SNI) extension\&. Set this to the expected servername in the server's certificate
+or one of the Subject Alternate Names (SAN)\&. Starting in TclTLS 2\&.0, this will
+default to the host for the \fBtls::socket\fR command\&.
 .TP
 \fB-session_id\fR \fIbinary_string\fR
 Specifies the session id to resume a session\&. Not supported yet\&.
 .TP
 \fB-ssl2\fR \fIbool\fR
@@ -809,28 +814,32 @@
 \fBCertificate Validation\fR for more details\&.
 .TP
 \fB-request\fR \fIbool\fR
 Request a certificate from the peer during the SSL handshake\&. This is needed
 to do Certificate Validation\&. Starting in TclTLS 1\&.8, the default is
-\fBtrue\fR\&. In addition, the client can manually inspect and accept or reject
+\fBtrue\fR\&. Starting in TclTLS 2\&.0, If set to \fBfalse\fR and
+\fB-require\fR is \fBtrue\fR, then this will be overridden to \fBtrue\fR\&.
+In addition, the client can manually inspect and accept or reject
 each certificate using the \fI-validatecommand\fR option\&.
 .TP
 \fB-require\fR \fIbool\fR
 Require a valid certificate from the peer during the SSL handshake\&. If this is
 set to true, then \fB-request\fR must also be set to true and a either
 \fB-cadir\fR, \fB-cafile\fR, \fB-castore\fR, or a platform default
 must be provided in order to validate against\&. The default in TclTLS 1\&.8 and
 earlier versions is \fBfalse\fR since not all platforms have certificates to
-validate against in a form compatible with OpenSSL\&.
+validate against in a form compatible with OpenSSL\&. Starting in TclTLS 2\&.0,
+the default is \fBtrue\fR\&.
 .PP
 .SS "WHEN ARE COMMAND LINE OPTIONS NEEDED?"
 In TclTLS 1\&.8 and earlier versions, certificate validation is
 \fINOT\fR enabled by default\&. This limitation is due to the lack of a common
 cross platform database of Certificate Authority (CA) provided certificates to
 validate against\&. Many Linux systems natively support OpenSSL and thus have
 these certificates installed as part of the OS, but MacOS and MS Windows do not\&.
-In order to use the \fB-require\fR option, one of the following
+Staring in TclTLS 2\&.0, this has been changed to require certificate validation
+by default\&. In order to use the \fB-require\fR option, one of the following
 must be true:
 .IP \(bu
 On Linux and Unix systems with OpenSSL already installed or if the CA
 certificates are available in PEM format, and if they are stored in the
 standard locations, or if the \fBSSL_CERT_DIR\fR or \fBSSL_CERT_FILE\fR

Index: generic/tls.c
==================================================================
--- generic/tls.c
+++ generic/tls.c
@@ -1350,11 +1350,11 @@
     char *session_id		= NULL;
     Tcl_Obj *alpn		= NULL;
     int ssl2 = 0, ssl3 = 0;
     int tls1 = 1, tls1_1 = 1, tls1_2 = 1, tls1_3 = 1;
     int proto = 0, level = -1;
-    int verify = 0, require = 0, request = 1, post_handshake = 0;
+    int verify = 0, require = 1, request = 1, post_handshake = 0;
 
     dprintf("Called");
 
 #if defined(NO_TLS1) || defined(OPENSSL_NO_TLS1)
     tls1 = 0;
@@ -1423,13 +1423,14 @@
 
 	OPTBAD("option", "-alpn, -cadir, -cafile, -castore, -cert, -certfile, -cipher, -ciphersuites, -command, -dhparams, -key, -keyfile, -model, -password, -post_handshake, -request, -require, -security_level, -server, -servername, -session_id, -ssl2, -ssl3, -tls1, -tls1.1, -tls1.2, -tls1.3, or -validatecommand");
 
 	return TCL_ERROR;
     }
+    if (require)		request = 1;
     if (request)		verify |= SSL_VERIFY_CLIENT_ONCE | SSL_VERIFY_PEER;
     if (request && require)	verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
-    if (request && post_handshake)	verify |= SSL_VERIFY_POST_HANDSHAKE;
+    if (request && post_handshake) verify |= SSL_VERIFY_POST_HANDSHAKE;
     if (verify == 0)		verify = SSL_VERIFY_NONE;
 
     proto |= (ssl2 ? TLS_PROTO_SSL2 : 0);
     proto |= (ssl3 ? TLS_PROTO_SSL3 : 0);
     proto |= (tls1 ? TLS_PROTO_TLS1 : 0);

Index: generic/tlsInt.h
==================================================================
--- generic/tlsInt.h
+++ generic/tlsInt.h
@@ -35,11 +35,11 @@
 
 /* Windows needs to know which symbols to export. */
 #ifdef BUILD_tls
 #undef TCL_STORAGE_CLASS
 #define TCL_STORAGE_CLASS DLLEXPORT
-#endif /* BUILD_udp */
+#endif /* BUILD_tls */
 
 /* Handle TCL 8.6 CONST changes */
 #ifndef CONST86
 #   if TCL_MAJOR_VERSION > 8
 #	define CONST86 const

Index: library/tls.tcl
==================================================================
--- library/tls.tcl
+++ library/tls.tcl
@@ -263,10 +263,17 @@
 	    if {![info exists argsArray(-servername)]} {
 		set argsArray(-servername) $host
 		lappend iopts -servername $host
 	    }
 	}
+
+	# Use host as SNI server name without -autoservername and -servername args
+	if {![info exists argsArray(-autoservername)] && 
+		![info exists argsArray(-servername)]} {
+	    set argsArray(-servername) $host
+	    lappend iopts -servername $host
+	}
 
 	lappend sopts $host $port
     }
     #
     # Create TCP/IP socket