rustls / rustls-ffi

Use Rustls from any language

Investigate error returned for an unknown issuer #409

Closed cpu closed 2 months ago

cpu commented 3 months ago

In a downstream application (https://github.com/curl/curl/issues/13248) that wasn't configured with CA certificates, connecting to https://example.com provokes an odd BadSignature error when I would expect something indicating an unknown issuer.

        rustls_connection_process_new_packets: invalid peer certificate: BadSignature

Filing this as a reminder to look into what's going on here.

cpu commented 2 months ago

I looked into this and there was a simple explanation (as is usually the case :laughing:). When the pkg-config build configuration was broken in such a way that it failed to populate the default CA path, the rustls.c cr_init_backend() code in curl would find verifypeer was true, but ca_info_blob and ssl_cafile were falsey. This state would skip over the construction and configuration of the builder with a root cert store and verifier.

This means when the connection is later built with rustls_client_config_builder_build() it uses the default verifier from rustls-ffi, NoneVerifier. The NoneVerifier's verify_server_cert fn is hardcoded to return:

        Err(rustls::Error::InvalidCertificate(
            CertificateError::BadSignature,
        ))

I think in this case it would be slightly clearer if it returned CertificateError::UnknownIssuer, so I opened a PR to make that change: https://github.com/rustls/rustls-ffi/pull/421
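
The fall-through described in this thread, as an added example that is not part of the issue and is not rustls-ffi or curl code: a self-contained Rust model in which every type and function name is hypothetical, peer verification is assumed enabled, and each CA source is reduced to the name of one trusted issuer. It contrasts silently keeping a reject-everything default verifier with failing at configuration time when no trust anchors were supplied.

```rust
// Self-contained model; not rustls, rustls-ffi or curl code. All names are hypothetical.
#[derive(Debug, PartialEq)]
enum CertError { BadSignature, UnknownIssuer }

#[derive(Debug, PartialEq)]
enum ConfigError { NoTrustAnchors }

#[derive(Debug, PartialEq)]
enum Verifier {
    None,          // default when no verifier is installed: rejects every certificate
    Roots(String), // simplification: a root store holding one trusted issuer name
}

impl Verifier {
    fn verify_server_cert(&self, issuer: &str) -> Result<(), CertError> {
        match self {
            // Hardcoded rejection, as the thread describes for the default verifier.
            Verifier::None => Err(CertError::BadSignature),
            Verifier::Roots(trusted) if trusted.as_str() == issuer => Ok(()),
            Verifier::Roots(_) => Err(CertError::UnknownIssuer),
        }
    }
}

// Peer verification is assumed enabled. With both CA sources absent, no
// verifier is installed and the reject-everything default is kept silently.
fn build_fallthrough(ca_info_blob: Option<&str>, ssl_cafile: Option<&str>) -> Verifier {
    match ca_info_blob.or(ssl_cafile) {
        Some(issuer) => Verifier::Roots(issuer.to_string()),
        None => Verifier::None,
    }
}

// Fail-fast variant: report the missing trust anchors at configuration time
// rather than as a certificate error during the handshake.
fn build_checked(ca_info_blob: Option<&str>, ssl_cafile: Option<&str>) -> Result<Verifier, ConfigError> {
    match ca_info_blob.or(ssl_cafile) {
        Some(issuer) => Ok(Verifier::Roots(issuer.to_string())),
        None => Err(ConfigError::NoTrustAnchors),
    }
}

fn main() {
    // Constructed input: neither CA source is set.
    let v = build_fallthrough(None, None);
    println!("fall-through: {:?}", v.verify_server_cert("Example Root CA"));
    println!("checked:      {:?}", build_checked(None, None));
}
```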