
MDEV-34214: allow intermediate certs in wsrep

Open trixpan opened this issue 1 year ago • 7 comments

  • [x] The Jira issue number for this PR is: MDEV-34214

Description

  • Pass the sst.tcert / ssl_cert (leaf certificate) to openssl verify as the parameter for the "-untrusted" flag, aligning the script behavior with MariaDB's CONC-500 and Galera's Issue 571.

Release Notes

  • wsrep_sst_common now validates certificate chains using every certificate present in tcert/ssl_cert

How can this PR be tested?

Testing can be done by ensuring the file used in ssl_cert includes more than one certificate (e.g. Let's Encrypt fullchain.pem).

Basing the PR against the correct MariaDB version

  • [ ] This is a new feature and the PR is based against the latest MariaDB development branch.
  • [X] This is a bug fix and the PR is based against the earliest maintained branch in which the bug can be reproduced.

PR quality check

  • [X] I checked the CODING_STANDARDS.md file and my PR conforms to this where appropriate.
  • [X] For any trivial modifications to the PR, I am ok with the reviewer making the changes themselves.

trixpan avatar May 23 '24 02:05 trixpan

CLA assistant check
All committers have signed the CLA.

CLAassistant avatar May 23 '24 02:05 CLAassistant

Note for reviewers: Although I understand 10.4 is still supported, given this is not a critical issue and its EOL is less than one month away, I raised the fix against 10.5 instead.

trixpan avatar May 23 '24 02:05 trixpan

@dlenski since you enjoy the subject (TLS). Keen on insight. :-)

trixpan avatar May 23 '24 03:05 trixpan

@janlindstrom is there anyone who can review this PR by any chance?

trixpan avatar Jun 04 '24 05:06 trixpan

@trixpan MariaDB employees, I have assigned this to Julius.

janlindstrom avatar Jun 04 '24 06:06 janlindstrom

Folks, do we have plans to merge this?

trixpan avatar Aug 01 '24 01:08 trixpan

@trixpan thanks for the proposed fix, I started merging it with the main branch.

sysprg avatar Aug 02 '24 13:08 sysprg

Rejected per MDEV; need to find a more secure solution.

grooverdan avatar Apr 29 '25 04:04 grooverdan