Alex,
I'm inclined to stick with the current behavior, namely that we make it a little difficult to turn off certificate validation. Given that the alternative leaves users open to man-in-the-middle attacks, I don't think the convenience is worth it for the loss of security.
That said, the fact that the default setup isn't functional is also somewhat of an artifact of our use of OpenSSL. The lack of standardization on where to find root certificates, which we could remedy with a configure option, means that there's not much we can do if you don't give us a cert. I don't really plan on changing this for Linux, since I think it's a little awkward to use certs generally distributed for web browsing for application programming, but we may have more of a story for Windows and OS X. Those systems offer certificate authorities that may plausibly be filled with certs applicable to this kind of development. So you may find defaults more to your liking if/when we've had a chance to add native TLS for Windows and OS X.
For now, I'm going to close this out as wontfix, because I can't agree to make weak cert validation the default and I don't find the current error reporting for failure to validate particularly unclear:
# after switching example-client to use ?ssl=true
Cursor Failure: Failed to handshake and validate TLS certificate.

If you're getting an error that's less helpful than that out of another code path, feel free to open a new ticket to make that error less generic.
Regards,
Jason
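The policy Jason describes above (verification on by default, a specific error when no trust anchor can be found, and an explicit opt-in before validation can be turned off) as an added example. This is not code from the driver or from this thread; it uses Python's ssl module, which is itself backed by OpenSSL, so it runs into the same "where is the CA bundle?" problem. The names DEFAULT_CA_CANDIDATES, TLSConfigError, find_ca_bundle, build_client_context and handshake are chosen for this example, and the candidate paths are the usual distro locations rather than anything the project defines.

```python
"""Fail-closed TLS client configuration (added example, not project code)."""
import os
import socket
import ssl
from typing import Iterable, Mapping, Optional

# Well-known CA bundle locations on common platforms. Constructed list for this
# example: OpenSSL has no single standard path, which is the problem the
# ticket discusses, so a client has to go looking.
DEFAULT_CA_CANDIDATES = (
    "/etc/ssl/certs/ca-certificates.crt",  # Debian / Ubuntu
    "/etc/pki/tls/certs/ca-bundle.crt",    # RHEL / Fedora / CentOS
    "/etc/ssl/ca-bundle.pem",              # openSUSE
    "/etc/ssl/cert.pem",                   # Alpine, macOS (LibreSSL)
)


class TLSConfigError(Exception):
    """Raised instead of silently weakening validation."""


def find_ca_bundle(candidates: Iterable[str] = DEFAULT_CA_CANDIDATES,
                   env: Mapping[str, str] = os.environ,
                   include_openssl_default: bool = True) -> Optional[str]:
    """Locate a CA bundle the way OpenSSL-based clients usually do.

    Order: the SSL_CERT_FILE override, then the path OpenSSL was compiled
    with (only if it exists on disk), then the distro candidates.
    Returns None when nothing usable is found.
    """
    override = env.get("SSL_CERT_FILE")
    if override and os.path.isfile(override):
        return override
    if include_openssl_default:
        # .cafile is already resolved: None if the compiled-in file is absent.
        compiled_in = ssl.get_default_verify_paths().cafile
        if compiled_in:
            return compiled_in
    for path in candidates:
        if os.path.isfile(path):
            return path
    return None


def build_client_context(cafile: Optional[str] = None,
                         allow_insecure: bool = False,
                         **find_kwargs) -> ssl.SSLContext:
    """Client context that verifies the peer unless explicitly told not to.

    PROTOCOL_TLS_CLIENT gives CERT_REQUIRED plus hostname checking by
    default. If no trust anchor is available we raise rather than degrade,
    so "no bundle found" can never turn into an unverified connection.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if allow_insecure:
        # Explicit opt-in only. This is the MITM-exposed mode, so it must be
        # requested by name; check_hostname has to go first or ssl refuses.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    bundle = cafile or find_ca_bundle(**find_kwargs)
    if bundle is None:
        raise TLSConfigError(
            "no CA bundle found: set SSL_CERT_FILE or pass cafile=; "
            "refusing to silently disable certificate validation")
    ctx.load_verify_locations(cafile=bundle)
    return ctx


def handshake(host: str, port: int, ctx: ssl.SSLContext,
              timeout: float = 5.0) -> str:
    """Connect, complete the handshake and return the negotiated TLS version.

    A failed chain or hostname check is reported as one specific message
    (what failed, for which host, and OpenSSL's reason) rather than a
    generic socket error.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() or "unknown"
    except ssl.SSLCertVerificationError as exc:
        raise TLSConfigError(
            f"failed to handshake and validate TLS certificate for {host}: "
            f"{exc.verify_message}") from exc


if __name__ == "__main__":
    try:
        strict = build_client_context()
        print("CA bundle:", find_ca_bundle())
        print("negotiated:", handshake("example.com", 443, strict))
    except (TLSConfigError, OSError) as err:
        print("error:", err)
```

The point of the two-branch build_client_context is that the only way to reach CERT_NONE is to pass allow_insecure=True by name; a missing bundle produces a TLSConfigError that says what to fix, which is the same shape of message as the "Failed to handshake and validate TLS certificate" error quoted above.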