TLS Client 'rejectUnauthorized' must default to true

[hueniverse]

No idea why server cert validation is off by default. This is a major security issue since the vast majority of developers are not aware of this and will leave it as-is. If you fail to check the server's certificate, you have zero protection against a long list of attacks.

Yes - changing the default is likely to break stuff. THAT'S A GOOD THING!

[benadida]

Agreed, this is a big no no. Security by default! Don't be like PHP :)

[benlaurie]

+1

[skenqbx]

+1

[coderbarncb]

+1

[tellnes]

+1

[bnoordhuis]

For review: https://github.com/bnoordhuis/node/compare/tls-reject-unauthorized

To be investigated: test/simple/test-https-pfx.js fails when you set rejectUnauthorized explicitly. The expected validation error changes from UNABLE_TO_GET_ISSUER_CERT to DEPTH_ZERO_SELF_SIGNED_CERT.

[koichik]

@bnoordhuis - The patch LGTM, but API docs (just default values)?

[bnoordhuis]

Addressed in 35607f3.

[hueniverse]

Fantastic! Thanks!