mbedtls validation was broken by an earlier patch on main... fix it and add a CI test also using the wrong CA cert so this can be caught straight away from now on.
