
Re: [msmtp-users] tls_hostname: TLS verification without fingerprint or FQDN



Thanks for your suggestions, but I feel they go away from my proposal.

grarpamp:
> --no-verify-hostname
> [SSL] Do not verify that the hostname matches the subject of the certificate presented by the server.

I wouldn't want to do that, because that would allow basically any cert signed by the CA (or CAs) in $tls_trust_file.

> Didn't look, but these days, if provided by the library, it might also be useful to lock down to only TLS_1_2 or TLS_1_3.

That's already possible with $tls_priorities.

> There could also be a TOFU mode where it accepts the first CA valid (or otherwise based on specified checks) server cert but locks out future cert changes (based on specified parameters), with some alert or field noting such.

This is already possible manually, by just downloading the server's certificate and using that as $tls_trust_file.

--
ilf

If you upload your address book to "the cloud", I don't want to be in it.

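The manual pinning ilf describes (the server's own certificate as $tls_trust_file) together with the $tls_priorities lock-down from the earlier exchange, written out as an added shell example that is not from the thread or from msmtp itself. The host, port and file path are placeholders, and the priority string assumes a GnuTLS build of msmtp.

```shell
#!/bin/sh
# Added example: pin a mail server's certificate for msmtp and restrict
# the TLS version. Assumes openssl(1) is installed; host/port are placeholders.
set -eu

# Fetch the leaf certificate the SMTP server presents after STARTTLS and
# save it as PEM. Nothing is trusted yet: check subject, issuer and
# fingerprint against an out-of-band copy before using it as a trust anchor.
fetch_server_cert() {
    host=$1; port=$2; out=$3
    openssl s_client -connect "$host:$port" -starttls smtp -servername "$host" \
        </dev/null 2>/dev/null | openssl x509 -outform PEM > "$out"
    openssl x509 -in "$out" -noout -subject -issuer -fingerprint -sha256
}

# SHA-256 fingerprint in the colon-separated form msmtp's tls_fingerprint
# option uses, handy for comparing with the value the operator published.
cert_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Emit an msmtprc account that trusts only the saved certificate and
# (GnuTLS priority syntax, assumed) negotiates only TLS 1.2 or 1.3.
msmtprc_snippet() {
    host=$1; port=$2; certfile=$3
    printf 'account pinned\nhost %s\nport %s\ntls on\ntls_starttls on\n' "$host" "$port"
    printf 'tls_trust_file %s\n' "$certfile"
    printf 'tls_priorities NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2\n'
}

# Usage: sh pin.sh HOST PORT /path/to/server.pem
if [ "$#" -eq 3 ]; then
    fetch_server_cert "$1" "$2" "$3"
    echo "sha256: $(cert_sha256 "$3")"
    msmtprc_snippet "$1" "$2" "$3"
fi
```

Because the trust file then contains a single certificate, msmtp rejects any other certificate for that account, including a legitimate renewal, so the file has to be refreshed whenever the server's certificate changes.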