~/.ssh/known_hosts where you could trust a root for a given hostname by dropping the digest in a file or config argument. But is this more work than getting a copy of the CA and specifying that directly?
verify=False with requests, aiohttp or websockets, the times I have used it, it's always been to development servers having SSL certificates, but not appearing at the correct hostname/SNI that matches the certificate, e.g. one server running an experimental release out of its usual load balancer or similar. I'm not sure this would be typical though. So storing the digest might not help? I really am asking to turn off verification in these cases.
verify=False has usage beyond self-signed CA
test_all_backends, but failed: I get a deadlock I wasn't able to debug yet