    Make SSL/TLS certificate checking actually work. · a7c5b93c
    Timothy B. Terriberry authored
    We weren't loading the default certificate store, so there were no
     trusted certificates to validate hosts with, and all checks would
     fail (unless explicitly disabled with
     OP_SSL_SKIP_CERTIFICATE_CHECK(0)).
    This adds that call, and also adds hostname verification (which
     OpenSSL does not do for us, because they are morons).
    I've done my best to get the latter right by reading the RFCs, but
     this stuff is complex, it's easy to make mistakes, and I only have
     a limited ability to test it, so caveat emptor.
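The hostname-matching step the commit message describes, sketched as an added example (not the commit's code and not an OpenSSL API). It assumes the DNS names have already been extracted from the certificate, applies conservative RFC 6125-style rules, and uses hypothetical function names.

```c
#include <ctype.h>
#include <string.h>

/* Case-insensitive ASCII comparison of two NUL-terminated names. */
static int name_eq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Heuristic: a host made only of digits and dots is an IPv4 literal,
   which must never be matched against a wildcard DNS name. */
static int looks_like_ipv4(const char *host) {
    return *host && host[strspn(host, "0123456789.")] == '\0';
}

/* Hypothetical helper: returns 1 if the certificate name `pattern`
   covers the host the client asked for, else 0. */
int host_matches(const char *pattern, const char *host) {
    const char *suffix, *rest;
    if (!pattern || !host || !*pattern || !*host)
        return 0;
    if (strchr(pattern, '*') == NULL)
        return name_eq(pattern, host);
    /* Only a whole leftmost label "*." is accepted as a wildcard;
       partial ("f*.") and multiple wildcards are rejected. */
    if (pattern[0] != '*' || pattern[1] != '.' || strchr(pattern + 1, '*'))
        return 0;
    suffix = pattern + 1;               /* e.g. ".example.com" */
    /* Require two labels after the wildcard, so "*.com" is rejected. */
    if (strchr(suffix + 1, '.') == NULL || looks_like_ipv4(host))
        return 0;
    /* The wildcard stands for exactly one non-empty label of the host. */
    rest = strchr(host, '.');
    if (rest == NULL || rest == host)
        return 0;
    return name_eq(suffix, rest);
}
```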