Default network-stream-use-client-certificates to nil

* lisp/net/network-stream.el (network-stream-use-client-certificates):
Default to nil.
(open-network-stream): Adapt description to new default of
network-stream-use-client-certificates.

* etc/NEWS: network-stream-use-client-certificates defaults to nil
now.

* doc/lispref/processes.texi (Network): Flip
network-stream-use-client-certificates description.

* doc/misc/auth.texi (Help for users): Mention
network-stream-use-client-certificates.

doc/lispref/processes.texi

@@ -2521,11 +2521,11 @@ expect the network traffic to be encrypted.
 Either a list of the form @code{(@var{key-file} @var{cert-file})},
 naming the certificate key file and certificate file itself, or
 @code{t}, meaning to query @code{auth-source} for this information
-(@pxref{Help for users,,auth-source, auth, Emacs auth-source Library}).
-Only used for @acronym{TLS} or @acronym{STARTTLS}.  If
-@code{:client-certificate} is not specified, behave as if it were t,
-customize @code{network-stream-use-client-certificates} to change
-this.
+(@pxref{Help for users,,auth-source, auth, Emacs auth-source
+Library}).  Only used for @acronym{TLS} or @acronym{STARTTLS}.  To
+enable automatic queries of @code{auth-source} when
+@code{:client-certificate} is not specified customize
+@code{network-stream-use-client-certificates} to t.
 
 @item :return-list @var{cons-or-nil}
 The return value of this function.  If omitted or @code{nil}, return a

doc/misc/auth.texi

@@ -92,6 +92,7 @@ backends and you can write your own if you want.
 @chapter Help for users
 
 ``Netrc'' files are a de facto standard.  They look like this:
+
 @example
 machine @var{mymachine} login @var{myloginname} password @var{mypassword} port @var{myport}
 @end example
@@ -108,12 +109,16 @@ The @code{user} is the user name.  It's known as @var{:user} in
 
 You can also use this file to specify client certificates to use when
 setting up TLS connections.  The format is:
+
 @example
 machine @var{mymachine} port @var{myport} key @var{key} cert @var{cert}
 @end example
 
 @var{key} and @var{cert} are filenames containing the key and
-certificate to use respectively.
+certificate to use respectively.  In order to make network connections
+use them automatically, either pass @code{:client-certificate t} to
+@code{open-network-stream}, or customize
+@code{network-stream-use-client-certificates} to @code{t}.
 
 You can use spaces inside a password or other token by surrounding the
 token with either single or double quotes.

etc/NEWS

@@ -341,7 +341,8 @@ certificates via 'auth-source'.
 ** New user option 'network-stream-use-client-certificates'.
 When non-nil, 'open-network-stream' performs lookups of client
 certificates using 'auth-source' as if ':client-certificate t' were
-specified.  Defaults to t.
+specified iff there is no explicit ':client-certificate' parameter.
+Defaults to nil.
 
 +++
 ** New function 'fill-polish-nobreak-p', to be used in 'fill-nobreak-predicate'.

lisp/net/network-stream.el

@@ -58,7 +58,7 @@
 (defvar starttls-gnutls-program)
 (defvar starttls-program)
 
-(defcustom network-stream-use-client-certificates t
+(defcustom network-stream-use-client-certificates nil
   "Whether to use client certificates for network connections.
 
 When non-nil, `open-network-stream' will automatically look for
@@ -144,12 +144,12 @@ values:
 
 :client-certificate should either be a list where the first
   element is the certificate key file name, and the second
-  element is the certificate file name itself, or t, which
-  means that `auth-source' will be queried for the key and the
+  element is the certificate file name itself, or t, which means
+  that `auth-source' will be queried for the key and the
   certificate.  This parameter will only be used when doing TLS
-  or STARTTLS connections.  If :client-certificate is not
-  specified, behave as if it were t, customize
-  `network-stream-use-client-certificates' to change this.
+  or STARTTLS connections.  To enable automatic queries of
+  `auth-source' when `:client-certificate' is not specified
+  customize `network-stream-use-client-certificates' to t.
 
 :use-starttls-if-possible is a boolean that says to do opportunistic
 STARTTLS upgrades even if Emacs doesn't have built-in TLS functionality.