The tls_verify setting only affects server behavior, not the client.

Originally, there was a flag in the ServerHello message to indicate
that the client should verify the server cert, but this was removed
TLS was moved to a separate port.  Client validation of the server
certificate is now configured in the sudoers file instead.

doc/sudo_logsrvd.conf.man.in

@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.TH "SUDO_LOGSRVD.CONF" "@mansectform@" "July 9, 2021" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDO_LOGSRVD.CONF" "@mansectform@" "August 3, 2021" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -267,11 +267,11 @@ The default value is
 \fI/etc/ssl/sudo/private/logsrvd_key.pem\fR.
 .TP 10n
 tls_verify = bool
-If true, the server certificate will be verified at startup and
+If true,
-clients will authenticate the server by verifying its certificate
+\fBsudo_logsrvd.conf\fR
-and identity.
+will validate its own certificate at startup time or when the
-If false, no verification is performed of the server certificate
+configuration is changed.
-by the server or the client.
+If false, no verification is performed of the server certificate.
 When using self-signed certificates without a certificate authority,
 this setting should be set to false.
 The default value is true.
@@ -802,8 +802,8 @@ Sudo log server configuration file
 # respond.  A value of 0 will disable the timeout.  The default value is 30.
 #timeout = 30
 
-# If true, the server certificate will be verified at startup and clients
+# If true, the server will validate its own certificate at startup.
-# will authenticate the server by verifying its certificate and identity.
+# Defaults to true.
 #tls_verify = true
 
 # If true, client certificates will be validated by the server;

doc/sudo_logsrvd.conf.mdoc.in

@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd July 9, 2021
+.Dd August 3, 2021
 .Dt SUDO_LOGSRVD.CONF @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -228,11 +228,11 @@ The path to the server's private key file, in PEM format.
 The default value is
 .Pa /etc/ssl/sudo/private/logsrvd_key.pem .
 .It tls_verify = bool
-If true, the server certificate will be verified at startup and
+If true,
-clients will authenticate the server by verifying its certificate
+.Nm
-and identity.
+will validate its own certificate at startup time or when the
-If false, no verification is performed of the server certificate
+configuration is changed.
-by the server or the client.
+If false, no verification is performed of the server certificate.
 When using self-signed certificates without a certificate authority,
 this setting should be set to false.
 The default value is true.
@@ -730,8 +730,8 @@ Sudo log server configuration file
 # respond.  A value of 0 will disable the timeout.  The default value is 30.
 #timeout = 30
 
-# If true, the server certificate will be verified at startup and clients
+# If true, the server will validate its own certificate at startup.
-# will authenticate the server by verifying its certificate and identity.
+# Defaults to true.
 #tls_verify = true
 
 # If true, client certificates will be validated by the server;

examples/sudo_logsrvd.conf

@@ -35,8 +35,8 @@
 # respond.  A value of 0 will disable the timeout.  The default value is 30.
 #timeout = 30
 
-# If true, the server certificate will be verified at startup and clients
+# If true, the server will validate its own certificate at startup.
-# will authenticate the server by verifying its certificate and identity.
+# Defaults to true.
 #tls_verify = true
 
 # If true, client certificates will be validated by the server;