Proton C and its associated bindings do not have a consistent default client-side TLS configuration. Proton libraries will be changed on a per-language/binding basis so that all clients verify the server's certificate and identifying name by default, i.e. they will use PN_SSL_VERIFY_PEER_NAME unless the application takes steps to change the desired level of authentication.
This default behaviour is required for the Proton libraries to be compliant with the TLS 1.3 specification (RFC 8446). Such compliance is obviously highly desirable now and will become mandatory in the future.
C++ applications will not be affected (this is the existing default).
C, Python, Ruby and Go applications that fully configure their client connections are also unaffected.
Python programs that use MESSAGING_CONNECT_FILE (or the connect.json equivalent) are unaffected.
Proton applications that do not make outbound connections are unaffected.
All other applications may run into stricter verification policies that cause previously successful TLS negotiations to fail. These applications will need to either:
- explicitly downgrade the verification mechanism of outgoing connections to the old default (PN_SSL_ANONYMOUS_PEER), or
- update server certificates and/or client trusted root CAs as required to work in the full PN_SSL_VERIFY_PEER_NAME verification mode.
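The following is an added example, not code from the Proton project, showing how a Python client makes its verification level explicit rather than relying on whichever default its Proton version ships with. It assumes the proton Python binding's SSLDomain API (SSLDomain.MODE_CLIENT, set_trusted_ca_db(), set_peer_authentication() and the ANONYMOUS_PEER / VERIFY_PEER / VERIFY_PEER_NAME constants, which mirror the C PN_SSL_* values) and Container.connect(..., ssl_domain=...); the CA bundle path and broker URL are placeholders. The policy helper refuses a verifying level without a trusted CA database, which is the configuration that makes every server certificate fail after the default changes.

```python
"""Explicit client-side TLS verification policy for a Proton Python client.

Added example, not Proton project code.  Assumes the proton Python binding's
SSLDomain API; paths and URLs below are placeholders.
"""
try:
    from proton import SSLDomain
    from proton.reactor import Container
except ImportError:  # lets the policy helper run and be exercised without proton
    SSLDomain = Container = None

# Verification levels, named after the C API's PN_SSL_* values; the Python
# binding exposes them as attributes of SSLDomain.
ANONYMOUS_PEER = "ANONYMOUS_PEER"      # old default: server certificate not checked
VERIFY_PEER = "VERIFY_PEER"            # certificate chains to a trusted CA, name unchecked
VERIFY_PEER_NAME = "VERIFY_PEER_NAME"  # new default: chain and server name both checked


def configure_client_ssl(domain, ca_db=None, level=VERIFY_PEER_NAME):
    """Apply an explicit verification level to a client SSLDomain.

    Works with proton.SSLDomain or any object exposing the same methods and
    constants.  Returns the level applied.
    """
    if level not in (ANONYMOUS_PEER, VERIFY_PEER, VERIFY_PEER_NAME):
        raise ValueError(f"unknown verification level {level!r}")
    if level != ANONYMOUS_PEER:
        # Verifying levels are meaningless without a trust store: with no CA
        # database every server certificate would be rejected.
        if not ca_db:
            raise ValueError(f"{level} requires a trusted CA database path")
        domain.set_trusted_ca_db(ca_db)
    # Look the constant up on the domain so the same code works with a real
    # SSLDomain and with the recording stand-in below.
    domain.set_peer_authentication(getattr(domain, level))
    return level


def client_ssl_domain(ca_db, level=VERIFY_PEER_NAME):
    """Build a real client SSLDomain with the policy applied (needs proton)."""
    if SSLDomain is None:
        raise RuntimeError("python-qpid-proton is not installed")
    domain = SSLDomain(SSLDomain.MODE_CLIENT)
    configure_client_ssl(domain, ca_db, level)
    return domain


class RecordingDomain:
    """Stand-in for SSLDomain that records the calls made for each level."""
    ANONYMOUS_PEER, VERIFY_PEER, VERIFY_PEER_NAME = 0, 1, 2  # constructed values

    def __init__(self):
        self.calls = []

    def set_trusted_ca_db(self, path):
        self.calls.append(("set_trusted_ca_db", path))

    def set_peer_authentication(self, mode):
        self.calls.append(("set_peer_authentication", mode))


if __name__ == "__main__":
    demo = RecordingDomain()
    configure_client_ssl(demo, "/path/to/ca-bundle.pem")  # placeholder path
    print(demo.calls)
    # With proton installed, hand the configured domain to the connection:
    #   Container(handler).connect("amqps://broker.example:5671",
    #                              ssl_domain=client_ssl_domain("/path/to/ca-bundle.pem"))
```

Applications that must keep talking to a server whose certificate cannot yet be verified can pass `level=ANONYMOUS_PEER` explicitly; doing so in code records the downgrade where a reviewer will see it, instead of leaving it to a library default that is about to change.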