You don't have to do anything special, and no, you can't really rely on certificate authentication like that, it doesn't work reliably when it's not host-based and there's no intent that it would work. The messages are signed instead, and the possibility of MITM exposure is simply ignored. -- Scott