Hi,

> OK we discussed this with Emeric in the last few days and came up with a
> solution closer to yours than to mine. What made me accept to change
> my mind is to realize that many users don't see warnings at all. Probably
> that the new shitty service managers which replace init are responsible
> for this...
>
> So in practice:
> - verify now defaults to "required" when connecting to a server
>
> - verify without a CA file emits an error and quits explaining what is
>   missing.
>
> - a global option "ssl-server-verify" can change the default from
>   "required" to "none" for deployments where this mode is not desired
>   at all (that's what we're facing when placing an appliance at a
>   customer's in front of existing servers in practice, they trust their
>   LAN and don't want to make things more complex for no perceived value).
>
> - a command-line option "-dV" is equivalent to "ssl-server-verify none" to
>   ease testing of configurations during support or development.
>
> So as of now my development configs don't work anymore unless I force -dV.
>
> I think this is reasonable this way and am expecting some breakage reports
> in the upcoming days on the list :-) But the message is clear enough about
> the way to fix this, so it was better to do it before releasing 1.5.

Great. I'm confident this was the right thing to do and -dV and
"ssl-server-verify none" provide good enough alternatives to the default
behavior.

Regards,

Lukas
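The rules listed in this thread, applied as a pre-upgrade configuration check. This is an added example, not part of the original mail and not HAProxy code: the function name, status labels and sample configuration are constructed for illustration, and only `server` lines plus the global `ssl-server-verify` setting are modelled.

```python
SECTIONS = {"global", "defaults", "frontend", "backend", "listen"}

def _words(line):
    # Drop '#' comments and split the line into whitespace-separated words.
    return line.split("#", 1)[0].split()

def audit_server_verify(config_text, dV=False):
    """Classify each 'server ... ssl' line under the new default.

    Returns (line_number, server_name, status) tuples where status is
    'verified', 'unverified' (verify none) or 'missing-ca' (verify is
    required but no ca-file is given, which now stops startup).
    """
    lines = config_text.splitlines()
    default, section = "required", None      # new default per the thread
    for line in lines:                       # pass 1: global override
        w = _words(line)
        if not w:
            continue
        if w[0] in SECTIONS:
            section = w[0]
        elif section == "global" and w[0] == "ssl-server-verify" and len(w) > 1:
            default = w[1]
    if dV:                                   # -dV == "ssl-server-verify none"
        default = "none"
    findings = []
    for lineno, line in enumerate(lines, 1): # pass 2: server lines
        w = _words(line)
        if len(w) < 3 or w[0] != "server" or "ssl" not in w[3:]:
            continue                         # not a TLS connection to a server
        opts = w[3:]
        verify = opts[opts.index("verify") + 1] if "verify" in opts[:-1] else default
        if verify == "none":
            status = "unverified"
        elif "ca-file" in opts[:-1]:
            status = "verified"
        else:
            status = "missing-ca"
        findings.append((lineno, w[1], status))
    return findings

# Constructed sample configuration (addresses and paths are placeholders).
SAMPLE = """\
backend app
    server s1 10.0.0.1:443 ssl
    server s2 10.0.0.2:443 ssl verify required ca-file /etc/ssl/ca.pem
    server s3 10.0.0.3:443 ssl verify none
    server s4 10.0.0.4:80
"""
```

Lines reported as `missing-ca` are the ones that need a `ca-file` or an explicit `verify none` before upgrading; `unverified` lines are worth reviewing because the server certificate is not checked.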

