Add a ca_cert_path option

data/default_config.cfg

@@ -14,11 +14,18 @@ port = 5222
 # Do not touch this if you don’t know what you are doing
 certificate =
 
-# Skip the SSL verification
+# Skip the SSL certificate fingerprint verification
 # Should be true in most cases, as you want to check that the server keeps
 # the same certificate.
 ignore_certificate = false
 
+# Path to the certificate authenticating the Authority
+# A server may have several certificates, but if it uses a CA, it will often
+# keep the same for obvious reasons, so this is a good option if your server
+# does this, rather than skipping all verifications.
+# This is not affected by ignore_certificate
+ca_cert_path =
+
 # Auto-reconnects you when you get disconnected from the server
 # defaults to false because it should not be necessary
 auto_reconnect = false

doc/en/configure.txt

@@ -59,6 +59,14 @@ section of this documentation.
   anonymous mode and changing servers often. Dangerous in other cases, from a
   security perspective.
 
+*ca_cert_path*:: [empty]
+
+  Path to the certificate of the Certification Authority.
+  As some services may keep different certificates, it is an alternative to
+  the Trust On First Use model provided by _certificate_. This option is not
+  affected by _ignore_certificate_ and boths checks may be active at the same
+  time.
+
 *resource*:: [empty]
 
   the resource you will use

src/connection.py

@@ -44,6 +44,7 @@ class Connection(sleekxmpp.ClientXMPP):
         self.core = None
         self.auto_reconnect = True if config.get('auto_reconnect', 'false').lower() in ('true', '1') else False
         self.auto_authorize = None
+        self.ca_certs = config.get('ca_cert_path', '') or None
         self.register_plugin('xep_0030')
         self.register_plugin('xep_0004')
         self.register_plugin('xep_0045')