feat: Expose cURL's `--cacert` and `--capath`, along with `--insecure`

[Eta0]

Customizing cURL Certificate Verification

This PR builds off of #59 by @spmkone and closes #58.

Additions

• stream_io.open_stream and stream_io.CURLStreamFile now accept an additional, optional certificate_handling argument to customize the verification of SSL certificates
  • This corresponds to the flags --cacert, --capath, and -k/--insecure in curl
  • Customization is achieved by passing an instance of stream_io.CAInfo to open_stream or the CURLStreamFile constructor
  • Example usages:
  • open_stream("https://localhost/model.tensors", certificate_handling=CAInfo(cacert="./localhost.pem")
  • open_stream("https://127.0.0.1/model.tensors", certificate_handling=CAInfo(allow_untrusted=True)
  • Pass certificate_handling=None (the default) to use default certificate verification as compiled into cURL

Changes from #59

• This adds more secure alternatives to --insecure when using self-signed certificates, to encourage better security practices
• allow_insecure has been removed as a direct parameter to open_stream and friends, and is instead a CAInfo option
• Test cases cover using customized CAInfo configurations with self-signed certificates in moto
• Fixed a bug where only S3 and not raw HTTPS downloads were using open_stream's certificate verification configuration

Bonus

Error messages in the CURLStreamFile constructor have been improved in the case where cURL terminates at startup with no other output (e.g. when SSL certificate verification fails) by querying the subprocess exit code and attaching it as supplementary information, if it is nonzero.