Prior to this patch, unless SSL_CA_CERT_FILE is set in the environment, libfetch will set the CA file to "/usr/local/etc/cert.pem" if it exists, and to "/etc/ssl/cert.pem" otherwise. This has the consequence of masking SSL_CA_CERT_PATH, because OpenSSL will ignore the CA path if a CA file is set but fails to load (see X509_STORE_load_locations()).

While here, fall back to OpenSSL defaults if neither SSL_CA_CERT_FILE nor SSL_CA_CERT_PATH are set in the environment, and if neither of the libfetch default CA files exists.

Verify by test, with the help of truss, DTrace, or equivalent, that an invocation of fetch(1) accesses CA cert paths and files as intended along each of the following degrees of freedom.

1. "/usr/local/etc/ssl/cert.pem" and "/etc/ssl/cert.pem" exist or not
2. SSL_CA_CERT_FILE is set or not (affects libfetch)
3. SSL_CA_CERT_PATHis set or not (affects libfetch)
4. SSL_CERT_FILE is set or not (affects libcrypto)
5. SSL_CERT_DIR is set or not (affects libcrypto)