SSL server validation ignores system-wide installed CAs
Some time ago, server certificate validation started to fail in the nightly build. I use a private CA, and the CA certificate is installed system-wide (placed in /etc/ssl/certs and c_rehash'ed). `openssl s_client -verify 1 -host ... -port ...`
succeeds with "Verification: OK". However, gajim insists that the certificate is signed by an unknown CA.
- While opening XMPP connection, it offers to accept "untrusted" server certificate and then works
- httpupload over aesgcm/https does not work at all:
```
02/04/20 10:45:33 (I) gajim.p.omemo.filedecryption| Start downloading: https://average.org:9443/0aaa8f2ecdc342cdea76820e6eba57e0884fd630/5Q7yPp7QsTc0blwTog5RuJwkABmYOOPX0VYmxrLq/FrdvSlyBQX-EjGTtfnUErQ.jpg
02/04/20 10:45:33 (W) gajim.p.omemo.filedecryption| Download failed: https://average.org:9443/0aaa8f2ecdc342cdea76820e6eba57e0884fd630/5Q7yPp7QsTc0blwTog5RuJwkABmYOOPX0VYmxrLq/FrdvSlyBQX-EjGTtfnUErQ.jpg
02/04/20 10:45:33 (W) gajim.p.omemo.filedecryption| SSL handshake failed
```
I believe that gajim should either honour the system-wide set of trusted CAs, or, if it insists on using a private set of CAs, allow adding new CAs to that set. The first option is preferable, in my opinion.
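The report above comes down to which trust store a TLS client consults. The script below is an added example, not code from the report or from the Gajim project: it builds a throwaway private CA and a server certificate signed by it (constructed, not the reporter's CA or host), then runs `openssl verify` three ways: against the default system store only, against the CA file passed explicitly, and against a hashed directory of the kind `c_rehash` produces for /etc/ssl/certs. The first check is expected to fail for any private CA that has not been installed into the system store; the other two are expected to succeed. It assumes the `openssl` command-line tool is installed; the subject names and file paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the bug report or Gajim): show how the same certificate
# verifies differently depending on which trust store is consulted.
# Assumes the openssl CLI is available. All names below are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a throwaway private CA (self-signed, valid for one day).
make_private_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Private CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Issue a server certificate signed by that CA (placeholder hostname).
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=xmpp.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/server.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.pem" >/dev/null 2>&1
}

# Build a hashed CA directory the way c_rehash would (files named <hash>.0),
# which is what OpenSSL expects when it looks up issuers in -CApath.
make_hashed_dir() {
  mkdir -p "$WORK/certs"
  hash=$(openssl x509 -hash -noout -in "$WORK/ca.pem")
  cp "$WORK/ca.pem" "$WORK/certs/$hash.0"
}

# 1) Default system trust store only: a private CA is not there, so this fails.
verify_with_system_store() {
  openssl verify "$WORK/server.pem" >/dev/null 2>&1 && echo OK || echo FAIL
}

# 2) The private CA handed over explicitly as a file.
verify_with_private_ca() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.pem" >/dev/null 2>&1 \
    && echo OK || echo FAIL
}

# 3) The private CA found through a hashed directory (the /etc/ssl/certs model).
verify_with_hashed_dir() {
  openssl verify -CApath "$WORK/certs" -no-CAfile "$WORK/server.pem" >/dev/null 2>&1 \
    && echo OK || echo FAIL
}

make_private_ca
make_server_cert
make_hashed_dir
echo "system store only : $(verify_with_system_store)"
echo "explicit -CAfile  : $(verify_with_private_ca)"
echo "hashed -CApath    : $(verify_with_hashed_dir)"
```

A client that bundles its own CA file behaves like the first check even when the operator has installed the CA system-wide; a client that reads the platform store (or lets the operator point it at a directory) behaves like the third. The `-no-CAfile` flag in the third check keeps the result attributable to the hashed directory alone.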