tunnel: automatically enable TLS insecure skip verify if there are no root CAs documented

README.md

@@ -97,7 +97,7 @@ Configuration options:
 * `server_addr`: server TCP address, i.e. `54.12.12.45:5223`
 * `tls_crt`: path to client TLS certificate, *default:* `client.crt` *in the config file directory*
 * `tls_key`: path to client TLS certificate key, *default:* `client.key` *in the config file directory*
-* `root_ca`: path to trusted root certificate authority pool file, *default* is the host's root CA set
+* `root_ca`: path to trusted root certificate authority pool file, if empty any server certificate is accepted
 *  `tunnels / [name]`
     * `proto`: tunnel protocol, `http` or `tcp`
     * `addr`: forward traffic to this local port number or network address, for `proto=http` this can be full URL i.e. `https://machine/sub/path/?plus=params`, supports URL schemes `http` and `https`

cmd/tunneld/options.go

@@ -54,7 +54,7 @@ func parseArgs() *options {
 	tunnelAddr := flag.String("tunnelAddr", ":5223", "Public address listening for tunnel client")
 	tlsCrt := flag.String("tlsCrt", "server.crt", "Path to a TLS certificate file")
 	tlsKey := flag.String("tlsKey", "server.key", "Path to a TLS key file")
-	rootCA := flag.String("rootCA", "", "Path to the trusted certificate chian used for client certificate authentication, if empty do not authenticate clients")
+	rootCA := flag.String("rootCA", "", "Path to the trusted certificate chian used for client certificate authentication, if empty any client certificate is accepted")
 	clients := flag.String("clients", "", "Comma-separated list of tunnel client ids, if empty accept all clients")
 	logLevel := flag.Int("log-level", 1, "Level of messages to log, 0-3")
 	version := flag.Bool("version", false, "Prints tunneld version")