dragonfly
fix: add tls-ca-cert-file flag to allow tls certificate validation
- add tls-ca-cert-file flag to allow loading of the CA cert file
- allows redis-cli to connect over tls without --insecure flag #1418 (addresses item 3 in the list)
Ahhhhhh Ok now I understand what this is supposed to do and I don't like it :laughing:
Usually the trusted CA certificates are just supplied by the operating system. This blog suggests doing that by `SSL_CTX_set_default_verify_paths(ctx)`.
@royjacobson
> So really, what you should do - like I said - is first of all, try letting OpenSSL handle it. If you're using OpenSSL directly, the function you want is SSL_CTX_set_default_verify_paths(). If a default trust store was specified at the time the OpenSSL build your app winds up using was done, it'll get used.
That really doesn't sound good and it can lead to surprising behavior. When I start my system, I want to be in control of which CA I trust, and some random folder which can provide an extra gateway that is beyond my control sounds clumsy and error prone at best. Besides, I can pass the default folder when I start my system, and that way I am explicit about what CA I trust.
Moreover, redis does the same: https://github.com/redis/redis/blob/unstable/src/tls.c#L257 and from a UX experience I would like to stick as close to that as possible.
p.s. Maybe defaults are important especially for the general case, and from my understanding of the article openssl tries to be sensible with its default. However, for our case, I think it harms more than it offers. (And I am not an expert in this, just thinking out loud here). Alsoooo, thank you for the article ;)
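The two trust policies discussed in this thread, side by side, as an added example that is not code from this PR, Dragonfly or Redis: Python's `ssl` module wraps the same OpenSSL calls, so it shows what an explicit CA file loads versus what the default store pulls in from outside the command line. The function names and the `allow_system_store` parameter are hypothetical.

```python
import ssl


def build_context(ca_file=None, allow_system_store=False):
    """Return a verifying client context under one of the two trust policies."""
    # PROTOCOL_TLS_CLIENT starts with CERT_REQUIRED, hostname checking on,
    # and an empty trust store, so nothing is trusted until we load it.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if ca_file is not None:
        # Explicit policy: wraps SSL_CTX_load_verify_locations().
        # A missing file raises OSError rather than leaving trust undefined.
        ctx.load_verify_locations(cafile=ca_file)
    elif allow_system_store:
        # Default policy: on non-Windows platforms this wraps
        # SSL_CTX_set_default_verify_paths().
        ctx.load_default_certs()
    else:
        # Hypothetical fail-closed choice: refuse to guess a trust store.
        raise ValueError("no CA file given and system store not allowed")
    return ctx


def default_trust_inputs():
    """Inputs outside the command line that steer the default policy."""
    p = ssl.get_default_verify_paths()
    return {
        "compiled_cafile": p.openssl_cafile,   # fixed when OpenSSL was built
        "compiled_capath": p.openssl_capath,
        "env_file_var": p.openssl_cafile_env,  # environment overrides
        "env_dir_var": p.openssl_capath_env,
    }


def trust_summary(ctx):
    """Loaded CA count plus the verification settings of a context."""
    return {
        "ca_certs": ctx.cert_store_stats()["x509_ca"],
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


if __name__ == "__main__":
    print(default_trust_inputs())
    print(trust_summary(build_context(allow_system_store=True)))
```

The CA count for the default policy can read low because certificates in a `capath` directory are loaded lazily during verification and are not counted up front.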