curl and certificate verification in jessie

Ian Jackson ijackson at chiark.greenend.org.uk
Fri Jun 26 23:23:48 UTC 2015


It looks like nothing got done about this :-(.

Is there any (GPL-compatible) TLS HTTP client library or tool in
jessie which allows me to specify explicitly the expected End Entity
certificate?

At the moment I'm using curl and wget.  I was using --cacert=blah
--capath=/dev/null and it did DTRT some time ago but now doesn't.

In the meantime I'm going to have to make the whole thing rely on
ca-certificates.  The result is that our internal infrastructure (dgit
in this case) is going to be (entirely needlessly) vulnerable to
security failures in the X.509 CA cabal.

Ian.
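
Pinning the end-entity certificate by fingerprint, the kind of check the message asks for, as an added example that is not part of the original message or of any tool it names. The function names and the choice of a SHA-256 digest over the DER encoding are assumptions made for illustration.

```python
# Added example: all names here are hypothetical, not from curl, wget or dgit.
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def normalise_pin(pin: str) -> str:
    """Accept 'AB:CD:...' (colon-separated) or plain hex, in any case."""
    return pin.replace(":", "").replace(" ", "").lower()


def cert_matches_pin(der_cert: bytes, pin: str) -> bool:
    """Constant-time comparison; a missing certificate never matches."""
    if not der_cert:
        return False
    return hmac.compare_digest(fingerprint(der_cert).encode(),
                               normalise_pin(pin).encode())


def open_pinned(host: str, port: int, pin: str,
                timeout: float = 10.0) -> ssl.SSLSocket:
    """Return a TLS socket only if the server's leaf certificate equals the pin.

    CA validation is switched off on purpose: trust comes from the pin alone,
    so no CA, in the system bundle or elsewhere, can vouch for another cert.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE is set
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    # With binary_form=True the DER bytes are returned even without validation.
    der = tls.getpeercert(binary_form=True)
    if not cert_matches_pin(der or b"", pin):
        tls.close()                  # refuse before any application data flows
        raise ssl.SSLError("leaf certificate does not match pinned fingerprint")
    return tls
```

The pin has to be replaced whenever the server's certificate is reissued, since the digest covers the whole certificate and not only its public key.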



More information about the Pkg-gnutls-maint mailing list