Fetchmail < 6.4.2 used to only consider --sslproto=TLS1 as "mandatory
STARTTLS" unless sslcertck or sslfingerprint were given, now all
protocol versions will require STARTTLS.

This did not matter in the default install because sslcertck defaults
to on, but could permit fetchmail to continue with unencrypted
connections if --nosslcertck was in use.