Hi Willy,
> Oh crap, you're right! In fact we put "verify", "ca-file" and "crl-file" > on the server side in 1.5-dev13 while SSL alone was in 1.5-dev12. And of > course the doc was not updated. That explains a lot of things! Oh, great. I see you already updated the docs. What I'm asking myself: is it a good idea to default to "verify none", instead of "verify required" on the backend? Incomplete configurations will be vulnerable to MITM. Usually applications default to the secure behavior with the possibility to connect without server certificate verification (this way, they are forcing the user to at least think about certificate validation if its not OK). Otherwise users may simplificate with the its-ssl-so-its-secure thinking. If we want to change the default-behavior, I would rather do it know - short and sweet - than when we are more close to a stable release. Best regards, Lukas
