TLS

- When an invalid value for 'taskd.trust' is noticed, the 'sync' command will
  error out, and the 'diag' command will refer the user to the man page.
  This is because the allowed values were 'yes'/'no', and now are
  'strict'/'ignore hostname'/'allow all'.

src/commands/CmdDiagnostics.cpp

@@ -272,12 +272,13 @@ int CmdDiagnostics::execute (std::string& output)
              ? " (readable)" : " (not readable)")
         << "\n";
 
-  if (context.config.get ("taskd.trust") == "allow all")
-    out << "      Trust: allow all\n";
-  else if (context.config.get ("taskd.trust") == "ignore hostname")
-    out << "      Trust: ignore hostanme\n";
+  std::string trust_value = context.config.get ("taskd.trust");
+  if (trust_value == "strict" ||
+      trust_value == "ignore hostname" ||
+      trust_value == "allow all")
+    out << "      Trust: " << trust_value << "\n";
   else
-    out << "      Trust: strict\n";
+    out << "      Trust: Bad value - see 'man taskrc'\n";
 
   out << "Certificate: "
       << context.config.get ("taskd.certificate")

src/commands/CmdSync.cpp

@@ -86,10 +86,17 @@ int CmdSync::execute (std::string& output)
   if (credentials.size () != 3)
     throw std::string (STRING_CMD_SYNC_BAD_CRED);
 
+  // This was a Boolean value in 2.3.0, and is a tri-state since 2.4.0.
+  std::string trust_value = context.config.get ("taskd.trust");
+  if (trust_value != "strict" &&
+      trust_value != "ignore hostname" &&
+      trust_value != "allow all")
+    throw std::string (STRING_CMD_SYNC_TRUST_OBS);
+
   enum TLSClient::trust_level trust = TLSClient::strict;
-  if (context.config.get ("taskd.trust") == "allow all")
+  if (trust_value  == "allow all")
     trust = TLSClient::allow_all;
-  else if (context.config.get ("taskd.trust") == "ignore hostname")
+  else if (trust_value == "ignore hostname")
     trust = TLSClient::ignore_hostname;
 
   // CA must exist, if provided.