--- a/plugins/mod_s2s/mod_s2s.lua	Mon Mar 11 13:00:51 2019 +0100
+++ b/plugins/mod_s2s/mod_s2s.lua	Mon Mar 11 13:07:59 2019 +0100
@@ -738,7 +738,7 @@
 	listener = listener;
 	default_port = 5269;
 	encryption = "starttls";
-	ssl_config = {
+	ssl_config = { -- FIXME This is not used atm, see mod_tls
 		verify = { "peer", "client_once", };
 	};
 	multiplex = {

--- a/plugins/mod_tls.lua	Mon Mar 11 13:00:51 2019 +0100
+++ b/plugins/mod_tls.lua	Mon Mar 11 13:07:59 2019 +0100
@@ -53,13 +53,17 @@
 	local parent_s2s = rawgetopt(parent,  "s2s_ssl") or NULL;
 	local host_s2s   = rawgetopt(modhost, "s2s_ssl") or parent_s2s;
 
+	local request_client_certs = { verify = { "peer", "client_once", }; };
+
 	ssl_ctx_c2s, err_c2s, ssl_cfg_c2s = create_context(host.host, "server", host_c2s, host_ssl, global_c2s); -- for incoming client connections
 	if not ssl_ctx_c2s then module:log("error", "Error creating context for c2s: %s", err_c2s); end
 
-	ssl_ctx_s2sout, err_s2sout, ssl_cfg_s2sout = create_context(host.host, "client", host_s2s, host_ssl, global_s2s); -- for outgoing server connections
+	-- for outgoing server connections
+	ssl_ctx_s2sout, err_s2sout, ssl_cfg_s2sout = create_context(host.host, "client", host_s2s, host_ssl, global_s2s, request_client_certs);
 	if not ssl_ctx_s2sout then module:log("error", "Error creating contexts for s2sout: %s", err_s2sout); end
 
-	ssl_ctx_s2sin, err_s2sin, ssl_cfg_s2sin = create_context(host.host, "server", host_s2s, host_ssl, global_s2s); -- for incoming server connections
+	-- for incoming server connections
+	ssl_ctx_s2sin, err_s2sin, ssl_cfg_s2sin = create_context(host.host, "server", host_s2s, host_ssl, global_s2s, request_client_certs);
 	if not ssl_ctx_s2sin then module:log("error", "Error creating contexts for s2sin: %s", err_s2sin); end
 end