diff --git a/src/ostree/ostree-fetcher.c b/src/ostree/ostree-fetcher.c
index f55b3183..22624674 100644
--- a/src/ostree/ostree-fetcher.c
+++ b/src/ostree/ostree-fetcher.c
@@ -153,11 +153,14 @@ ostree_fetcher_init (OstreeFetcher *self)
 }
 
 OstreeFetcher *
-ostree_fetcher_new (GFile *tmpdir)
+ostree_fetcher_new (GFile                    *tmpdir,
+                    OstreeFetcherConfigFlags  flags)
 {
   OstreeFetcher *self = (OstreeFetcher*)g_object_new (OSTREE_TYPE_FETCHER, NULL);
 
   self->tmpdir = g_object_ref (tmpdir);
+  if ((flags & OSTREE_FETCHER_FLAGS_TLS_PERMISSIVE) > 0)
+    g_object_set ((GObject*)self->session, "ssl-strict", FALSE, NULL);
  
   return self;
 }
diff --git a/src/ostree/ostree-fetcher.h b/src/ostree/ostree-fetcher.h
index 4f6897e3..4692f6a0 100644
--- a/src/ostree/ostree-fetcher.h
+++ b/src/ostree/ostree-fetcher.h
@@ -43,9 +43,15 @@ struct OstreeFetcherClass
   GObjectClass parent_class;
 };
 
+typedef enum {
+  OSTREE_FETCHER_FLAGS_NONE = 0,
+  OSTREE_FETCHER_FLAGS_TLS_PERMISSIVE = (1 << 0)
+} OstreeFetcherConfigFlags;
+
 GType   ostree_fetcher_get_type (void) G_GNUC_CONST;
 
-OstreeFetcher *ostree_fetcher_new (GFile *tmpdir);
+OstreeFetcher *ostree_fetcher_new (GFile                     *tmpdir,
+                                   OstreeFetcherConfigFlags   flags);
 
 char * ostree_fetcher_query_state_text (OstreeFetcher              *self);
 
diff --git a/src/ostree/ostree-pull.c b/src/ostree/ostree-pull.c
index 9314406f..5692cc89 100644
--- a/src/ostree/ostree-pull.c
+++ b/src/ostree/ostree-pull.c
@@ -1196,6 +1196,8 @@ ostree_builtin_pull (int argc, char **argv, GFile *repo_path, GError **error)
   gpointer key, value;
   int i;
   GCancellable *cancellable = NULL;
+  gboolean tls_permissive = FALSE;
+  OstreeFetcherConfigFlags fetcher_flags = 0;
   gs_free char *remote_key = NULL;
   gs_unref_object OstreeRepo *repo = NULL;
   gs_free char *remote_config_content = NULL;
@@ -1250,7 +1252,6 @@ ostree_builtin_pull (int argc, char **argv, GFile *repo_path, GError **error)
   start_time = g_get_monotonic_time ();
 
   pull_data->remote_name = g_strdup (argv[1]);
-  pull_data->fetcher = ostree_fetcher_new (ostree_repo_get_tmpdir (pull_data->repo));
   config = ostree_repo_get_config (repo);
 
   remote_key = g_strdup_printf ("remote \"%s\"", pull_data->remote_name);
@@ -1258,6 +1259,15 @@ ostree_builtin_pull (int argc, char **argv, GFile *repo_path, GError **error)
     goto out;
   pull_data->base_uri = soup_uri_new (baseurl);
 
+  if (!ot_keyfile_get_boolean_with_default (config, remote_key, "tls-permissive",
+                                            FALSE, &tls_permissive, error))
+    goto out;
+  if (tls_permissive)
+    fetcher_flags |= OSTREE_FETCHER_FLAGS_TLS_PERMISSIVE;
+
+  pull_data->fetcher = ostree_fetcher_new (ostree_repo_get_tmpdir (pull_data->repo),
+                                           fetcher_flags);
+
   if (!pull_data->base_uri)
     {
       g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,