Comment 7 for bug 396818

What appears to be happening is that when CApath is set to anything, it will actually fall back to '${OPENSSLDIR}/certs' and succeed, if the required cert hashes are not found at the CApath specified on the CLI. But by default, only the CAfile codepath is activated, and the default CAfile is set to '${OPENSSLDIR}/cert.pem', which is completely useless.

If the default CAfile was set to '${OPENSSLDIR}/certs/ca-certificates.crt' at build time, things would work as expected for pretty much everyone.