Comment 1 for bug 1374731

You're right, the client code doesn't seem to verify certificates, making TLS mostly pointless. However, traffic between prayer/prayer-session, prayer-accountd, and the backend LDAP server typically is over the loopback interface or at least a trusted LAN, not over the public Internet, making the impact low. I'll see what I can do though.