Always validate certificate with CA
I think with the apparition of letsencrypt and how easy and cheap it is now to have a valid certificate we should enforce it validation using the CA instead of the fingerprint.
And other point is that letsencrypt renew the certificate every 3 months which makes user fails in the #1683 (closed).
So I propose to use the ssl.create_default_context [1] method which ensure good default values. The drawback is that it is only for >=2.7.9 (>3 years old).
[1] https://docs.python.org/2.7/library/ssl.html#ssl.create_default_context