Insecure HTTPS if the HttpCore implementation is used (currently it isn't)

I suspect the http core HTTPS handling might not by default do proper certificate, revocation and hostname verification.
Check this!
