I also agree that the proposed patch is not the right way to go as it is essentially the same as verify-full, and I think that the correct fix would be to change the default.
But these are two changes:
1. Actually verify against a CA
2. Actually check the CN/altnames
Anything short of "verify-full" is in my view "not checking". Even with a private CA this allows for a lot of lateral movement in an org, as, if you have one cert, you have them all for impersonation purposes.
Changing such a default is a big change. Maybe long term it's worth the short-term pain, though. Long term, it'd be the config of least surprise, in my opinion.
But note that one has to think about all the settings, such that the default is not more checking than "require", which might also be surprising.
A magic setting of the file to be "system" sounds good for my use cases, at least.
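To make the two separate checks named above concrete, here is an added illustration (not part of the thread, not project code) in the form of a constructed libpq pg_service.conf: hostnames, database name and the CA file path are placeholders. Each entry shows what is and is not verified for that sslmode value.

```ini
# pg_service.conf (constructed example; host, dbname and paths are placeholders)

# Weak: "require" only insists on TLS. With no sslrootcert file present,
# libpq accepts any server certificate, so neither the CA chain nor the
# server name is checked.
[reports-weak]
host=db.example.internal
dbname=reports
sslmode=require

# Partial (change 1 only): the chain is validated against the private CA,
# but the certificate's CN/altnames are not compared with "host", so any
# certificate issued by that CA can stand in for this server.
[reports-ca-only]
host=db.example.internal
dbname=reports
sslmode=verify-ca
sslrootcert=/etc/ssl/internal-ca.crt

# Full (changes 1 and 2): chain validated and CN/altnames matched against "host".
[reports-full]
host=db.example.internal
dbname=reports
sslmode=verify-full
sslrootcert=/etc/ssl/internal-ca.crt

# Same checks, trusting the operating system's CA store instead of a file
# (sslrootcert=system is available from libpq 16).
[reports-system]
host=db.example.internal
dbname=reports
sslmode=verify-full
sslrootcert=system
```

A client selects an entry with e.g. `psql "service=reports-full"`; comparing the weak and full entries side by side is the quickest way to audit which connections in an environment are actually protected against impersonation rather than merely encrypted.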