Hi

> [snip]
> yes, the rationale is explained in the commit log:
>
>     Only enable SSL_VERIFY_PEER when the verify option is set on a listener.
>
>     Always enabling SSL_VERIFY_PEER unnecessarily increases the number of
>     messages/bytes in the TLS handshake and increases our attack surface,
>     since we request and then process client certificates.

Well, I guess I disagree with the "unnecessarily" there, but thanks for the info.

If I got together the effort to build a patch that gives an option to restore the old behaviour, would:

(a) there be any chance of the patch being accepted (i.e. is it against policy to allow this option to be enabled)?

(b) you prefer it to be a global or per-connection option, and what would you like the syntax to be?

(No guarantees that I will be able to find the time, but given it is functionality that I want, I guess I should try and put in the effort.)

Regards
JC

-- 
You received this mail because you are subscribed to [email protected]
To unsubscribe, send a mail to: [email protected]
