SHA1 is a bad idea, even for self-signed snake-oil certificates.
Created attachment 13454 [details] possible patch for master
Created attachment 13481 [details] patch cherry-picked from master for 4.7
Pushed to autobuild-v4-7-test.
Pushed to v4-7-test. Closing out bug report. Thanks!