And to let people avoid the same mistake I made when interpreting all of this: there's a difference between encryption and cert-validation. Essentially, this is only about enabling encryption - not requiring perfect certificate authority validation. For #prosody users, these are the proper configuration options for maximum network compatibility:
c2s_require_encryption = true
s2s_require_encryption = true
s2s_secure_auth = false
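
Added example, not part of the original post: the same three settings annotated by what each one controls, plus Prosody's s2s_secure_domains option, which requires valid certificates from selected peers while s2s_secure_auth stays false. The domain name is a constructed placeholder.

```lua
-- Encryption: refuse client and server-to-server streams that are not
-- protected by TLS.
c2s_require_encryption = true
s2s_require_encryption = true

-- Certificate validation: with false, a remote server whose certificate
-- does not validate is still accepted and is authenticated via dialback
-- (DNS-based) instead. The link stays encrypted; only the identity check
-- on the peer is weaker.
s2s_secure_auth = false

-- Optional tightening: peers listed here must present a valid, trusted
-- certificate even though s2s_secure_auth is false.
s2s_secure_domains = { "trusted-peer.example" } -- constructed placeholder domain
```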