Fossil Forum

New feature: TLS exception y/N/fingerprint

(1) By anonymous on 2021-10-11 12:13:57 [source]

New versions of SSH allow, upon connecting to a new host, a third option in addition to yes and no: fingerprint. The fingerprint option allows one to simply paste the fingerprint of the remote host instead of having to compare it by hand. Here is a simple patch for fossil to allow the same when a TLS certificate cannot be verified automatically:

Index: src/http_ssl.c
==================================================================
--- src/http_ssl.c
+++ src/http_ssl.c
@@ -379,24 +379,25 @@
       X509_NAME_print_ex(mem, X509_get_issuer_name(cert), 0, XN_FLAG_ONELINE);
       BIO_printf(mem, "\n  sha256:  %s", zHash);
       desclen = BIO_get_mem_data(mem, &desc);
   
       prompt = mprintf("Unable to verify SSL cert from %s\n%.*s\n"
-          "accept this cert and continue (y/N)? ",
+          "accept this cert and continue (y/N/fingerprint)? ",
           pUrlData->name, desclen, desc);
       BIO_free(mem);
   
       prompt_user(prompt, &ans);
       free(prompt);
       cReply = blob_str(&ans)[0];
-      blob_reset(&ans);
-      if( cReply!='y' && cReply!='Y' ){
+      if( cReply!='y' && cReply!='Y' && fossil_stricmp(blob_str(&ans),zHash)!=0 ){
         X509_free(cert);
         ssl_set_errmsg("SSL cert declined");
         ssl_close();
+        blob_reset(&ans);
         return 1;
       }
+      blob_reset(&ans);
       ssl_one_time_exception(pUrlData, zHash);
       prompt_user("remember this exception (y/N)? ", &ans);
       cReply = blob_str(&ans)[0];
       if( cReply=='y' || cReply=='Y') {
         db_open_config(0,0);
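Review bot: the new condition on the `if( cReply!='y' && cReply!='Y' && fossil_stricmp(blob_str(&ans),zHash)!=0 )` line compares the entire reply buffer against zHash, so a pasted fingerprint only matches if prompt_user has already stripped the trailing newline and the user pastes the value in exactly the form this prompt printed it (no `sha256:` prefix, same separators). Please confirm that prompt_user trims the line, or trim and normalise the reply before the fossil_stricmp call; otherwise a correct paste is silently treated as a decline, and users may start answering `y` instead, which defeats the purpose of the feature. It would also help to have the prompt say that "fingerprint" means the sha256 value printed above it, since that is the only form the comparison accepts. The moved blob_reset calls look correct: the blob is now released on both the decline path and the accept path.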

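As an added example (not part of the post above and not Fossil's own code), the following C helper shows one way to make the pasted-fingerprint comparison tolerant of the forms users actually paste: an optional `sha256:` prefix, colon separators, surrounding whitespace or a trailing newline, and either letter case. It assumes the expected digest (`zHash` in the patch) is a hex string; the function name `fingerprint_matches` and the way it would slot into the patch's condition are assumptions for illustration only.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive prefix test (small local helper, not a Fossil API). */
static int has_prefix_ci(const char *z, const char *zPrefix){
  while( *zPrefix ){
    if( tolower((unsigned char)*z)!=tolower((unsigned char)*zPrefix) ) return 0;
    z++; zPrefix++;
  }
  return 1;
}

/* Normalise a fingerprint as a user is likely to paste it: skip leading
** whitespace and an optional "sha256:" prefix, drop ':' separators and any
** whitespace (including a trailing newline), lowercase the hex digits.
** Returns the number of hex digits written to zOut, or -1 if a non-hex
** character is present or the output buffer is too small. */
static int fp_normalize(const char *zIn, char *zOut, size_t nOut){
  size_t n = 0;
  const char *z = zIn;
  while( *z && isspace((unsigned char)*z) ) z++;
  if( has_prefix_ci(z, "sha256:") ) z += 7;
  for(; *z; z++){
    unsigned char c = (unsigned char)*z;
    if( c==':' || isspace(c) ) continue;
    if( !isxdigit(c) ) return -1;
    if( n+1>=nOut ) return -1;
    zOut[n++] = (char)tolower(c);
  }
  zOut[n] = 0;
  return (int)n;
}

/* Return 1 if zReply names the same digest as zExpected, else 0.
** An empty reply, a plain "y"/"n", or any non-hex input never matches,
** so a caller can safely test this before falling back to "decline".
** Hypothetical use in the patch's condition:
**   if( cReply!='y' && cReply!='Y' && !fingerprint_matches(blob_str(&ans), zHash) ) */
int fingerprint_matches(const char *zReply, const char *zExpected){
  char a[160], b[160];
  int na = fp_normalize(zReply, a, sizeof(a));
  int nb = fp_normalize(zExpected, b, sizeof(b));
  if( na<=0 || nb<=0 || na!=nb ) return 0;
  return memcmp(a, b, (size_t)na)==0;
}

int main(void){
  /* Constructed sample digest; not a real certificate hash. */
  const char *zHash = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";
  const char *azReply[] = {
    "0123456789ABCDEF0123456789abcdef0123456789abcdef0123456789abcdef\n",
    "sha256:01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:"
    "01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef",
    "y", "", "0123456789abcdef"
  };
  size_t i;
  for(i=0; i<sizeof(azReply)/sizeof(azReply[0]); i++){
    printf("reply %zu: %s\n", i, fingerprint_matches(azReply[i], zHash) ? "match" : "no match");
  }
  return 0;
}
```

The length check is what turns a partial paste into a decline rather than a prefix match, and rejecting any non-hex character means a stray `y` typed into the same prompt is still handled by the existing single-character test rather than being mistaken for a fingerprint.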
(2) By sean (jungleboogie) on 2021-10-13 14:00:08 in reply to 1 [link] [source]