crypto: use X509_V_FLAG_TRUSTED_FIRST for tls
Tell OpenSSL to check the CA chain against the certificates in the trusted store first.
It's possible to connect with https://bbuseruploads.s3.amazonaws.com/ again now, even though it uses a deprecated 1024 bits RSA certificate in its CA chain.
Before merging this, I would like some discussion on whether X509_V_FLAG_TRUSTED_FIRST is really the best possible approach. I raised some questions about it here.