Generally the TLS verification should be automatic, as detailed in upstream's reply (i.e. performing proper CN validation via the known CA certs, checking for NULL bytes, etc). In the case of a mismatch, then, yes, it should go to the UI.
I still don't think anything that claims to be TLS enabled should go into main if it does not securely handle TLS. We can't control where people connect to, so we can't claim TLS should only be used for "trusted networks".
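An added illustration of the name check the comment above describes; it is not code from the project or from upstream. It assumes the TLS library has already validated the chain against the known CA certificates, and the function name, result codes and sample host names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Outcome of the name check; anything other than CN_OK goes to the UI. */
enum cn_result { CN_OK = 0, CN_MISMATCH, CN_EMBEDDED_NUL, CN_BAD_INPUT };

/*
 * Compare a certificate name, passed as raw bytes plus the length from its
 * ASN.1 encoding, against the host the user asked to connect to.
 * Assumption: chain validation against the CA store was done beforehand.
 */
enum cn_result check_cert_name(const unsigned char *cn, size_t cn_len,
                               const char *host)
{
    if (cn == NULL || host == NULL || cn_len == 0 || host[0] == '\0')
        return CN_BAD_INPUT;

    /* A NUL inside the name makes C string functions see only the prefix,
     * so "irc.example.org\0.other.example" would read as "irc.example.org". */
    if (memchr(cn, '\0', cn_len) != NULL)
        return CN_EMBEDDED_NUL;

    /* Compare over the full encoded length, never up to the first NUL. */
    if (strlen(host) != cn_len)
        return CN_MISMATCH;
    if (strncasecmp((const char *)cn, host, cn_len) != 0)
        return CN_MISMATCH;

    return CN_OK;
}

int main(void)
{
    /* Constructed sample: a name with an embedded NUL byte. */
    static const unsigned char bad[] = "irc.example.org\0.other.example";
    enum cn_result r = check_cert_name(bad, sizeof(bad) - 1, "irc.example.org");

    if (r != CN_OK)
        printf("name check failed (code %d): ask the user\n", (int)r);
    return 0;
}
```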