Make -require 1 the default
    Turning this on by default might mean some work either shipping a default ca file or knowing where one is on most platforms. For instance, on my Mac with OpenSSL installed there is a default ca file in /etc/ssl/cert.pem (and a copy in /usr/local/etc/openssl/cert.pem).

