As documented, the self-signature checks on self-signed certs are by default skipped. If your trust store can be modified by untrusted actors, self-signature checks won't help you.
If you want to check the self-signature, pass the "-check_ss_sig"
option.
--
Viktor.
