That ‘trust all’ cert manager approach is exactly what the code currently does. It’s just that your particular cert is not just self-signed, but entirely invalid, which apparently Java still balks at (without the system property). It’s relatively unlikely we’ll change anything around that - you can work around it yourself, but globally setting internal http client parameters seems like a bad idea. It’s possible some future version of Java will enhance the HTTP client to allow a more first-class bypass mechanism, in which case we could add it to the httpClient() function.