by tptacek 5080 days ago
Because during most of the development cycle when these libraries are being used, the certificates aren't validating (they're dev/test/UAT systems) --- and so during actual development, certificate verification seems like just another annoying obstacle to clear as quickly as possible.
1 comments

It's easy enough to generate a snakeoil cert and use its public part as your cert bundle. On Debian/Ubuntu, just install the ssl-cert package, and point to /etc/ssl/certs/ssl-cert-snakeoil.pem as your certificate bundle; the private key is at /etc/ssl/private/ssl-cert-snakeoil.key.

Or just serve your app/API/etc from different URLs, plain HTTP for development and HTTPS for preprod and production.
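
An added example, not part of either comment above: it keeps certificate verification on in a dev setup by trusting only a self-signed cert, as the reply suggests, and contrasts that with a client that has verification switched off. The certs are generated on the fly with the `openssl` CLI (assumed installed, 1.1.1 or later for `-addext`) as a stand-in for the Debian snakeoil cert; all function names are hypothetical.

```python
import os, ssl, subprocess, tempfile

def make_server(workdir, name, host="localhost"):
    """Self-signed cert via the openssl CLI; returns (server context, cert path)."""
    cert, key = (os.path.join(workdir, name + ext) for ext in (".pem", ".key"))
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-days", "1", "-keyout", key, "-out", cert, "-subj", "/CN=" + host,
                    "-addext", "subjectAltName=DNS:" + host],
                   check=True, capture_output=True)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    return ctx, cert

def make_client(bundle=None):
    """bundle=path: verify against that file only. bundle=None: verification off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    if bundle is None:
        ctx.check_hostname = False       # the shortcut taken on dev/test systems
        ctx.verify_mode = ssl.CERT_NONE
    else:
        ctx.load_verify_locations(cafile=bundle)
    return ctx

def client_accepts(client_ctx, server_ctx, host="localhost"):
    """In-memory TLS handshake (no sockets); True if the client accepts the server."""
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = client_ctx.wrap_bio(c_in, c_out, server_hostname=host)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    for _ in range(10):
        for side, out, peer_in in ((client, c_out, s_in), (server, s_out, c_in)):
            try:
                side.do_handshake()
                if side is client:
                    return True
            except ssl.SSLWantReadError:
                pass                      # needs more bytes from the peer
            except ssl.SSLError:
                return False              # verification failed or handshake aborted
            if (data := out.read()):
                peer_in.write(data)
    return False

def demo():
    with tempfile.TemporaryDirectory() as d:
        dev, dev_cert = make_server(d, "dev")      # constructed dev/test server
        other, _ = make_server(d, "other")         # different cert, same hostname
        return (client_accepts(make_client(dev_cert), dev),    # True
                client_accepts(make_client(dev_cert), other),  # False
                client_accepts(make_client(), other))          # True: accepts anything
```

With the dev cert as the bundle, the same verification code path runs in development and production, and only the trust anchor file changes between environments.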