[fix] retry matching chain from trust-store and skip expired intermediate certs early

[kares]

The PR represent a very concrete (and "minimalistic") update to try building alternative chain trust chains with cert verification.
The code is inspired by OpenSSL 1.1.1's alt verification logic (namely (search & S_DOALTERNATE)) but does not allow arbitrary chain unrolling and retry, thus being somehow less flexible. Instead the retry is hard-coded at the level when the initial chain is built looking up certificates from the trust store.
This, and a few extra checks on expiry dates (ported over from OpenSSL 1.1.1), is expected to be sufficient to resolve issues such as #236.

TODO:

• unit test
• real-world test
• hide (retry) logic beind system property
• if logic stays on by default -> 0.11.0?
  (if retry logic is off problematic chains should also veridy with expired CAs removed from the trust store?)

HINT: The #236 work started as a OpenSSL 1.1.1 port #239 but was put to ice due (even after a week) requiring more porting/reviewing of OpenSSL C code.

[kares]

unfortunately, I was following the reproducer from #236 and that case the PR actually resolves the issue ...

but trying out another real-world scenario we start out with these 'untrusted' certificates (from the server):

• CN=s3.fr-par.scw.cloud issuer: [CN=R3, O=Let's Encrypt, C=US]
• CN=R3, O=Let's Encrypt, C=US issuer: [CN=ISRG Root X1, O=Internet Security Research Group, C=US]
• CN=ISRG Root X1, O=Internet Security Research Group, C=US issuer: [CN=DST Root CA X3, O=Digital Signature Trust Co.]

thus relying on being able to check all paths once we reach the trust-store isn't enough - we need to be able to built an alternate chain earlier ...

[kares]

defunct due shipping #239 (as a resolution for #236 )