In Guix, neither w3m nor emacs-w3m warn me when I visit an https URL that uses a server certificate that is both self-signed and expired. To make matters worse, if I ask for page information (with the '=' key), it tells me that the certificate is valid.
On Debian, both w3m and emacs-w3m inform me when an SSL certificate is
invalid in some way, e.g. if it's expired or not signed by a certificate
authority in my trust store.
Mark
