soup_message_get_flags returns a bunch of flags besides SOUP_MESSAGE_CERTIFICATE_TRUSTED, so the XOR check was incorrect.
While I was tracking this bug, I switched from libsoup's deprecated [0] ssl-ca-file to its non-deprecated tls-database property. I don't know if I did that properly, having never touched glib and not being able to find whether g_object_set transfers pointers. So here are two patches, one almost certainly good and somewhat important, and the other of unknown validity and unimportant.

[0] https://developer.gnome.org/libsoup/stable/SoupSession.html#SoupSession--ssl-ca-file
0001-Properly-verify-ssl-connections.patch
Description: Binary data
0002-Use-tls-database-instead-of-ssl-ca-file.patch
Description: Binary data
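
Why an XOR against a single flag cannot serve as a trust check, as an added example that is not taken from the attached patches or from libsoup. The flag values are constructed stand-ins, and because the original check is not shown on the page, both ways of reading an XOR result are modelled and compared with a bitwise AND mask over every flag combination.

```c
#include <stdio.h>

/* Constructed stand-ins for libsoup's SoupMessageFlags bits; the values are
 * assumptions for this example, not copied from libsoup's headers. */
enum {
    EX_NO_REDIRECT         = 1 << 1,
    EX_CONTENT_DECODED     = 1 << 4,
    EX_CERTIFICATE_TRUSTED = 1 << 5,
    EX_NEW_CONNECTION      = 1 << 6
};
static const unsigned ex_bits[] = { EX_NO_REDIRECT, EX_CONTENT_DECODED,
                                    EX_CERTIFICATE_TRUSTED, EX_NEW_CONNECTION };
#define EX_NBITS (sizeof ex_bits / sizeof ex_bits[0])

/* Correct test: isolate the trust bit and ignore every other flag. */
int trusted_by_mask(unsigned f) { return (f & EX_CERTIFICATE_TRUSTED) != 0; }
/* XOR reading A (assumed): trusted only when the XOR result is zero. */
int trusted_by_xor_zero(unsigned f) { return (f ^ EX_CERTIFICATE_TRUSTED) == 0; }
/* XOR reading B (assumed): a non-zero XOR result is taken as trusted. */
int trusted_by_xor_nonzero(unsigned f) { return (f ^ EX_CERTIFICATE_TRUSTED) != 0; }

/* Build one flag word from a subset index over ex_bits. */
unsigned flags_from_subset(unsigned subset) {
    unsigned flags = 0;
    for (unsigned i = 0; i < EX_NBITS; i++)
        if (subset & (1u << i)) flags |= ex_bits[i];
    return flags;
}

/* Count flag combinations where check() disagrees with the mask test.
 * want_accept=1 counts untrusted messages accepted, 0 counts trusted rejected. */
int count_errors(int (*check)(unsigned), int want_accept) {
    int n = 0;
    for (unsigned s = 0; s < (1u << EX_NBITS); s++) {
        unsigned f = flags_from_subset(s);
        if (check(f) == want_accept && trusted_by_mask(f) != want_accept) n++;
    }
    return n;
}

int main(void) {
    printf("check        untrusted-accepted  trusted-rejected\n");
    printf("mask         %18d  %16d\n", count_errors(trusted_by_mask, 1), count_errors(trusted_by_mask, 0));
    printf("xor == 0     %18d  %16d\n", count_errors(trusted_by_xor_zero, 1), count_errors(trusted_by_xor_zero, 0));
    printf("xor != 0     %18d  %16d\n", count_errors(trusted_by_xor_nonzero, 1), count_errors(trusted_by_xor_nonzero, 0));
    return 0;
}
```

Under reading B every combination without the trust bit is accepted, which is the outcome that matters for certificate verification; under reading A a trusted message is rejected as soon as any other flag is set.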