U. Windl Asked: 2025-01-07 22:11:54 +0800 CST

Can I make curl abort the TLS connection if the certifying CA is unknown?

When configuring curl to make an authenticated SMTP connection using STARTTLS, I would like curl to abort the connection before sending authentication data when the CA that signed the server certificate is not known (i.e. not listed in a local CA file).

Is that possible?

authentication

1 Answer

Voted Best Answer
grawity 2025-01-08T00:52:31+08:00

Yes, in fact, that is already the default behavior unless you specify --insecure.

```
$ cat /etc/ssl/certs/ISRG_Root_X1.pem > ./cacert.pem
$ curl -v -u User:Pass --ssl --cacert ./cacert.pem smtp://smtp.gmail.com:587
Warning: --ssl is an insecure option, consider --ssl-reqd instead
* Host smtp.gmail.com:587 was resolved.
* IPv6: 2a00:1450:4013:c02::6d
* IPv4: 142.251.9.108
*   Trying [2a00:1450:4013:c02::6d]:587...
* Connected to smtp.gmail.com (2a00:1450:4013:c02::6d) port 587
< 220 smtp.gmail.com ESMTP 4fb4d7f45d1cf-5d80679f0e4sm24420236a12.42 - gsmtp
> EHLO ember
< 250-smtp.gmail.com at your service, [...]
> STARTTLS
< 220 2.0.0 Ready to start TLS
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ISRG_Root_X1.pem
*  CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* closing connection #0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.
```
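The warning in the transcript points at `--ssl-reqd`: with plain `--ssl`, curl carries on without TLS when the server does not offer STARTTLS, so certificate verification never gets a chance to abort the connection. The script below is an added example, not part of the original answer: it audits a `curl -v` SMTP transcript and reports whether an AUTH command was sent without a verified certificate. All three logs are constructed (the first is abbreviated from the answer's output), `mail.example.test` and `smtp_probe` are hypothetical, and the `verify ok` line assumes a curl built against OpenSSL.

```bash
# Constructed sample 1: abbreviated from the verbose output in the answer.
REJECTED_LOG='< 220 smtp.gmail.com ESMTP
> EHLO ember
< 250-smtp.gmail.com at your service, [...]
> STARTTLS
< 220 2.0.0 Ready to start TLS
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* closing connection #0'

# Constructed sample 2 (hypothetical host): the server never offers STARTTLS
# and curl was run with --ssl, so it carries on in cleartext.
CLEARTEXT_LOG='< 220 mail.example.test ESMTP
> EHLO ember
< 250-mail.example.test
< 250 AUTH PLAIN LOGIN
> AUTH PLAIN <base64-credentials>'

# Constructed sample 3: certificate verified before AUTH. The "verify ok"
# line is what curl built against OpenSSL prints (assumption about backend).
VERIFIED_LOG='> STARTTLS
< 220 2.0.0 Ready to start TLS
*  SSL certificate verify ok.
> EHLO ember
< 250 AUTH PLAIN LOGIN
> AUTH PLAIN <base64-credentials>'

# Reads a transcript on stdin, prints a verdict, returns 1 if credentials
# were sent before the certificate was verified.
audit_smtp_transcript() {
  awk '
    /^\* +SSL certificate verify ok/ { verified = 1 }
    /^> AUTH/ { if (verified) good = 1; else bad = 1 }
    END {
      if (bad)       { print "AUTH_WITHOUT_VERIFIED_TLS"; exit 1 }
      else if (good) { print "AUTH_AFTER_VERIFIED_TLS" }
      else           { print "NO_AUTH_SENT" }
    }'
}

# Hardened invocation (arguments: CA file, user:password, host), not run here.
# --ssl-reqd makes curl fail instead of falling back to cleartext.
smtp_probe() {
  curl -v --ssl-reqd --cacert "$1" -u "$2" "smtp://$3:587" 2>&1 >/dev/null |
    audit_smtp_transcript
}

printf '%s\n' "$REJECTED_LOG" | audit_smtp_transcript
```
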