[Mawaai]

Well, if you can intercept the request to the server to can also change that parameter of the TLS certificate hash.

[neftaly]

Is that actually true, though (especially w.r.t. Forward Secrecy)? Don't both parties generate separate halves of a symmetric key independently, preventing any one party from forcing the use of a particular key on a new session?