GitLab

As far as I see in the current code, the plugin manager does use TLS below its FTP connection, but does not tell the ssl module to check the certificates given by the server, let alone shipping & giving the lib a set of trustworthy certificates. This reduces the value of using TLS to having a encrypted connection, but not any authentication of the plugin server.