[josephcsible]

IMO, there's a bit of a design flaw with curl here. There should be an easy flag to say "trust the particular certificate with this hash, no matter what's wrong with it", but there isn't, so people instead use the one that says "trust whatever certificate you get, no matter what's wrong with it".

[user5994461]

Trusting a specific hash would blow up when the service rotate its self-signed certificate, defeating the point of ignoring certificate error.

[josephcsible]

If you're rotating a self-signed certificate, then how do you suppose that clients securely trust it? Or if you just mean replacing it when it expires, then this could instead be tied to the underlying public key alone, which can be reused.

[pornel]

If your clients support "rotating" self-signed certs just like that, it's a huge MITM vulnerability and makes HTTPS as secure as a TSA checkpoint.