Philip Guenther wrote:
Next: the fact that you need tls_reqcert=never for TLS negotiation to succeed strongly suggests the problem is either a) the subject and subjectAltName of the cert don't match the hostname in the URL, OR b) the client doesn't have the self-signed CA cert at the root of the signing chain for the server's cert.
Those are both necessary to protect the server against Man-in-the-Middle attacks.
(It used to be that tls_reqcert=allow would disable check (b) and only perform check (a), or at least that was the case when using the OpenSSL crypto backend, but that behavior has apparently been removed from the version in git as of August. Given the vagaries of the error reporting of the underlying crypto libraries, this was a useful tool in tracking down which check was causing TLS failures. Oh well.)
Frankly I agree with you that the original behavior was better. As far as I recall, though I don't believe it was ever documented anywhere, the main point to using ALLOW was to accept certs that were expired but otherwise correct. The current patch in git makes you totally defenseless against MITM attacks, and I can't see any reason why it would ever be correct to deploy this way.
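The two checks Philip describes, (a) hostname against subject/subjectAltName and (b) chain to a trusted CA, are what tls_reqcert=never switches off together. The script below is an added example, not code from this thread or from OpenLDAP: it builds a throwaway PKI with the openssl CLI (1.1.0 or newer is assumed, for the -verify_hostname option), then runs each check on its own so an admin can see which one is failing and fix that, instead of dropping to never. The hostname ldap.example.test and the certificate files are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example: separate check (b) "does the server cert chain to the CA I
# trust?" from check (a) "does the cert match the hostname in the ldaps:// URL?"
# Assumes the openssl command-line tool (>= 1.1.0). Everything is generated
# in a temporary directory; nothing here talks to a real LDAP server.

WORK=$(mktemp -d)

# Build a throwaway PKI: our own self-signed CA, a server cert for the
# constructed name ldap.example.test signed by it, and a second, unrelated
# CA to stand in for "the client does not have the right root".
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1 || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Some Other CA" \
        -keyout "$WORK/other-ca.key" -out "$WORK/other-ca.pem" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=ldap.example.test" \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" >/dev/null 2>&1 || return 1
    # Modern verifiers match on subjectAltName, so give the leaf one.
    printf 'subjectAltName=DNS:ldap.example.test\n' > "$WORK/san.cnf"
    openssl x509 -req -days 1 -in "$WORK/srv.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/san.cnf" -out "$WORK/srv.pem" >/dev/null 2>&1 || return 1
}

# Check (b): does the server cert chain to the CA file the client trusts?
# $1 = CA file (what tls_cacertfile / TLS_CACERT would point at), $2 = server cert
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check (a): does the cert's subject/SAN match the hostname from the URL?
# openssl verify always needs a trust anchor, so $1 is passed again;
# call check_chain first so a failure here really is the hostname.
# $3 = hostname exactly as written in the ldaps:// URL
check_hostname() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Run the checks in order and report which one tls_reqcert=never is hiding.
# Returns 0 when both pass, 2 for a chain failure, 1 for a hostname failure.
diagnose() {
    if ! check_chain "$1" "$2"; then
        echo "check (b) failed: $2 does not chain to $1"
        return 2
    fi
    if ! check_hostname "$1" "$2" "$3"; then
        echo "check (a) failed: subject/SAN of $2 does not match $3"
        return 1
    fi
    echo "both checks pass: tls_reqcert=demand should work for $3"
    return 0
}

make_test_pki

# Stand-alone run: the good case, a wrong CA, and a wrong hostname.
if [ -z "$DIAG_QUIET" ]; then
    diagnose "$WORK/ca.pem"       "$WORK/srv.pem" ldap.example.test
    diagnose "$WORK/other-ca.pem" "$WORK/srv.pem" ldap.example.test
    diagnose "$WORK/ca.pem"       "$WORK/srv.pem" ldap.example.org
fi
```

In practice you would point check_chain at the CA file the client is configured with and check_hostname at the host exactly as it appears in the URL (an IP address or a short name instead of the FQDN is a common way to fail check (a) with a perfectly good cert). Whichever check fails is the thing to fix on the server or in the client's CA file; the setting stays at demand.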