Use CA certificates from ca_root_nss for TLS validation

instead of embedding a very old version of that file, and depend
on ca_root_nss for that.
Add dependency on curl, which has been missing for a long time.

PR: 234421
Submitted by: joe@thrallingpenguin.com
Reported by: corvid@openmailbox.org
Approved by: joe@thrallingpenguin.com (maintainer)