diff --git a/docs-xml/smbdotconf/security/tlsverifypeer.xml b/docs-xml/smbdotconf/security/tlsverifypeer.xml
index ce6897d3d93..4f47dd4db0d 100644
--- a/docs-xml/smbdotconf/security/tlsverifypeer.xml
+++ b/docs-xml/smbdotconf/security/tlsverifypeer.xml
@@ -41,11 +41,7 @@
needs to be configured.
Future versions of Samba may implement additional checks.
-
- Note that the default is likely to change from
- no_check to as_strict_as_possible
- with Samba 4.5.
-no_check
+as_strict_as_possible
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 4392172fc08..72a9892ce13 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2574,7 +2574,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "min wins ttl", "21600");
lpcfg_do_global_parameter(lp_ctx, "tls enabled", "True");
- lpcfg_do_global_parameter(lp_ctx, "tls verify peer", "no_check");
+ lpcfg_do_global_parameter(lp_ctx, "tls verify peer", "as_strict_as_possible");
lpcfg_do_global_parameter(lp_ctx, "tls keyfile", "tls/key.pem");
lpcfg_do_global_parameter(lp_ctx, "tls certfile", "tls/cert.pem");
lpcfg_do_global_parameter(lp_ctx, "tls cafile", "tls/ca.pem");
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 1a080d405eb..401eae46636 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -868,7 +868,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc rpcecho samr netlogon lsarpc spoolss drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL);
Globals.tls_enabled = true;
- Globals.tls_verify_peer = TLS_VERIFY_PEER_NO_CHECK;
+ Globals.tls_verify_peer = TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE;
lpcfg_string_set(Globals.ctx, &Globals._tls_keyfile, "tls/key.pem");
lpcfg_string_set(Globals.ctx, &Globals._tls_certfile, "tls/cert.pem");