[BUG] Default TLS Settings Are Too Strict #690
Description
Describe the bug
Clients connecting on default domain require client TLS certs, which we want to be optional.
Example
The tls.cfg defaults should be like this instead:
#=======================================================
# This is the default server domain profile.
# Settings in this domain will be used for all incoming
# connections that do not match any other server
# domain in this configuration file.
#
# We do not enable anything lower than TLSv1.2+
# Clients connecting to this server are not required to
# present a certificate, but if they do it is validated.
#=======================================================
[server:default]
method = TLSv1.2+
verify_client = optional_no_ca
...
#=======================================================
# This is the default client domain profile.
# Settings in this domain will be used for all outgoing
# TLS connections that do not match any other
# client domain in this configuration file.
# Any other server we connect to must present a certificate
# that will be validated against the CA list.
#=======================================================
[client:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
...