Use OS trusted CA certs if not provided by the user

[LoisSotoLopez]

Proposed Changes

Provides a specific function to fix client ssl options, i.e.: apply all fixes that are applied for TLS listeneres and clients on previous versions but also sets cacerts option to CA certificates obtained by public_key:cacerts_get/0, only when no cacertfile or cacerts are provided.

Addressing #10519

Types of Changes

• Bug fix (non-breaking change which fixes issue #NNNN)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause an observable behavior change in existing systems)
• Documentation improvements (corrections, new content, etc)
• Cosmetic change (whitespace, formatting, etc)
• Build system and/or CI

Checklist

• I have read the CONTRIBUTING.md document
• I have signed the CA (see https://cla.pivotal.io/sign/rabbitmq)
• I have added tests that prove my fix is effective or that my feature works
• All tests pass locally with my changes
• If relevant, I have added necessary documentation to https://github.com/rabbitmq/rabbitmq-website
• If relevant, I have added this change to the first version(s) in release-notes that I expect to introduce it

Further Comments

Should we also apply this fix for TLS server options? Or is it fine if we only use OS trusted CA certs for TLS client options, as done in the provided changes?

[michaelklishin]

Merged after a rebase in #12564.

[michaelklishin]

Erlang 27.2 has some relevant improvements:

# public_key-1.17

The public_key-1.17 application can be applied independently of other
applications on a full OTP 27 installation.

## Improvements and New Features

- public_key:cacerts_load/1 can now be configured via the application
  environment.

  Own Id: OTP-19321
  Related Id(s): PR-8920

- On MacOS, CA certificates are now also loaded from the system keychain.

  Own Id: OTP-19375
  Related Id(s): PR-8844