I just set up `getmail` with SSL. I ran the verification as suggested in [the documentation](http://pyropus.ca/software/getmail/configuration.html#retriever-ssl-extra):
```
$ openssl s_client -showcerts -connect HOST:PORT < /dev/null \
    | grep '^[[:space:]]*i:' | tail -n 1
issuer=/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
```
The documentation says "If the server's certificate cannot be validated based upon the supplied trusted root certificates, getmail will abort the connection." So I assume that `getmail` was able to verify the server's certificate. I also successfully ran a `SimplePOP3SSLRetriever` with no optional parameters.
But the default location `/System/Library/OpenSSL/certs/` on macOS has no files and the Keychain has no certificates installed. So I don't know which filepath to give to the optional parameter `ca_certs` to force verification of the server's SSL certificate.
My questions are:
- how can I verify that `SimplePOP3SSLRetriever` runs on an encrypted connection?
- where can I find a root certificate to verify the server's certificate, or how can I download a root certificate without risking a man-in-the-middle attack?
- how to set the `ssl_fingerprints` variable to verify that the server's certificate has not changed?
Asked by ginjaemocoes
(165 rep)
Dec 14, 2018, 02:51 PM