You have to specify the cert of the server *or* that of a trusted root; that is the way it determines authenticity of the server. If you have a set of root certs on your system you may be able to point the program there instead of using the single approach. Then it behaves more like a web browser like you expect.
Thanks for the help. This makes sense. I'll have to think the thing over with the help of a cryptography book, but for now I'll take your word. This may be a naive question, but, if I just don't use SSL altogether, will my AWS keys be sent also in cleartext? I don't care if my documents are sent in cleartext, but obviously I don't want to give access to my account to malicious third parties.
This stuff is just non-trivial to use because it's not a complete interface. Maybe you ought to try Jungle Disk?
Just the fact that it is not a complete interface is what makes it appealing. I was just looking for some equivalent of rsync to access S3. I suppose another consideration would be that if I die tomorrow, my wife won't know what to do with my backup system if she needs it, but most probably I'll outlive the backup system.