Chance Cubes

HTTPS certificate validation removed globally

rtk0c opened this issue · 0 comments

In the code introduced in commit 199a93b#diff-b32363ff6d1b102eb15fb8610cc37c67aaff9513a09d32efb7680008261c2c21R66-R93, the default HTTPS stack is replaced by one which does not check the server's certificate validity. I presume this was done for local testing, where the server didn't have a valid certificate. It looks like this no longer happens as the reference to api.test.local is removed now; I recommend either just using plain HTTP, or getting an actual certificate when doing local testing.

This is a security issue and could enable a MitM impersonation attack. This code must be removed and backported to every version affected (I believe this is from 1.16.x to the latest version).

I am reporting this as a regular issue after confirming with a security team that such a MitM attack is not easily exploitable and is not a big concern.
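The pattern the issue describes, shown as an added Java example that is not the mod's code (the actual contents of commit 199a93b are not reproduced here): the first method is a hypothetical illustration of how installing an all-trusting `TrustManager` through `HttpsURLConnection.setDefaultSSLSocketFactory` disables validation for every connection in the JVM, and the second method is the alternative for local testing, which trusts only the test server's own certificate on the one connection that needs it, so the JVM defaults stay intact. The `testCertPem` input and the method names are assumptions.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class HttpsTrustExample {

    // Anti-pattern (hypothetical illustration, not the mod's code): a TrustManager that accepts
    // any certificate, installed as the JVM-wide default. Every HttpsURLConnection opened
    // afterwards, not only the local test endpoint, will accept an attacker-supplied certificate,
    // which is what makes impersonation of the real API server possible.
    static void installTrustAllGlobally() throws Exception {
        TrustManager[] trustAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) {}
            public void checkServerTrusted(X509Certificate[] chain, String authType) {}
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }};
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier((host, session) -> true);
    }

    // Local-testing alternative: build a trust store that contains only the test server's own
    // certificate (PEM, assumed to be supplied by the caller) and apply it per connection.
    // Chain validation and hostname verification still run, so the certificate must name the
    // test host (e.g. api.test.local) and nothing else in the JVM is affected.
    static HttpsURLConnection openWithTestCertOnly(URL url, InputStream testCertPem) throws Exception {
        X509Certificate testCert = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(testCertPem);
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);                       // empty in-memory store
        trustStore.setCertificateEntry("local-test", testCert);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());  // this connection only, no setDefault*
        return conn;
    }

    // Production: the plain default validates the chain against the JVM trust store and verifies
    // the hostname; no custom SSLContext is needed once the server has a real certificate.
    static HttpsURLConnection openWithDefaults(URL url) throws Exception {
        return (HttpsURLConnection) url.openConnection();
    }
}
```

A quick check for the global variant during review is to grep the code base for `setDefaultSSLSocketFactory`, `setDefaultHostnameVerifier` and empty `checkServerTrusted` bodies, since those are the calls that change behaviour for every connection rather than one.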