gnutls tofu support? or even --insecure?

[Nix]

So GnuTLS 3.2.21 has randomly (as in, I haven't updated it or touched
anything) started rejecting all connections to my work mailserver with
an apparently totally spurious certificate validation error:

- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.

(when it's a perfectly normal Verisign cert in my certificate store, as
far as I can tell).

Life is *far* too short to figure out why this is (the whole thing is
happening over a VPN anyway, I trust this connection! I just can't tell
GnuTLS that!), so the thing that will save me is apparently --tofu,
though I'd be happy enough with --insecure. Unfortunately I can't get
Gnus to use either of these -- when (gnutls-available-p),
starttls-extra-arguments is ignored, as is tls-program, leaving me
forced to hack at gnutls.c if I want to read my work email any more. (I
find this somewhat unsatisfactory!)

Toke wrote a patch back in October of last year which implemented TOFU,
but now it doesn't remotely apply:
<https://lists.gnu.org/archive/html/emacs-devel/2014-10/msg00250.html>.

Does anyone know what happened to it? It doesn't seem to have been
applied, though it was applauded by several and adds a feature not
available in any other way (and a way of working *far* preferable to
trusting certificate authorities with anything ever).

I may have to reimplement it :)

-- 
NULL && (void)