openssl: Support async cert verify callback

- Update the OpenSSL connect state machine to handle
  SSL_ERROR_WANT_RETRY_VERIFY.

This allows libcurl users that are using custom certificate validation
to suspend processing while waiting for external I/O during certificate
validation.

Closes https://github.com/curl/curl/pull/11499

docs/libcurl/opts/CURLOPT_SSL_CTX_FUNCTION.3

@@ -61,6 +61,9 @@ necessary. For example, you can use this function to call library-specific
 callbacks to add additional validation code for certificates, and even to
 change the actual URI of an HTTPS request.
 
+For OpenSSL, asynchronous certificate verification via
+\fISSL_set_retry_verify\fP is supported. (Added in 8.3.0)
+
 WARNING: The \fICURLOPT_SSL_CTX_FUNCTION(3)\fP callback allows the application
 to reach in and modify SSL details in the connection without libcurl itself
 knowing anything about it, which then subsequently can lead to libcurl

lib/vtls/openssl.c

@@ -3864,7 +3864,13 @@ static CURLcode ossl_connect_step2(struct Curl_cfilter *cf,
       return CURLE_OK;
     }
 #endif
-    else if(backend->io_result == CURLE_AGAIN) {
+#ifdef SSL_ERROR_WANT_RETRY_VERIFY
+    if(SSL_ERROR_WANT_RETRY_VERIFY == detail) {
+      connssl->connecting_state = ssl_connect_2;
+      return CURLE_OK;
+    }
+#endif
+    if(backend->io_result == CURLE_AGAIN) {
       return CURLE_OK;
     }
     else {