Log Message:
security/gnutls: Use system TLS trust anchors.

Until 2018, gnutls would search at _build-time_ for one of various
files /etc/ssl/ca-bundle.pem, /etc/ssl/certs/ca-certificates.crt,
/etc/pki/tls/cert.pem, &c., for trust anchors, and bake that path
into the build product -- or, if none of those existed at build-time,
it would bake _nothing_ into the build product and require programs
doing TLS to specify trust anchors explicitly; the gnutls function
gnutls_x509_trust_list_add_system_trust would fail with
GNUTLS_E_UNIMPLEMENTED_FEATURE.

In 2018, gnutls was changed to depend on mozilla-rootcerts and use
${PREFIX}/share/mozilla-rootcerts/cacert.pem.  This was expedient for
NetBSD which (a) had no trust anchors shipped out of the box until
10.0 but (b) would usually be configured with mozilla-rootcerts
anyway, but wrong, because:

1. The system may manage TLS trust anchors differently, e.g. on
   Fedora they're somewhere in /etc/pki/tls, or even if you install
   trust anchors from pkgsrc you might use security/ca-certificates
   instead of security/mozilla-rootcerts.

2. Even if the system uses Mozilla's trust anchors, there is no way
   for an operator to safely selectively override individual CA
   certificates, like nixing Digi-Notar after their compromise --
   ${PREFIX}/share/mozilla-rootcerts/cacert.pem is a static file that
   is not allowed to change, not an editable configuration file.

With this change, on platforms where mk/ssl.mk defines SSLCERTBUNDLE,
gnutls will look there; on platforms without it, gnutls will revert
to its original default of checking various paths at build-time.  For
systems where the binary packages are built without trust anchors at
build-time, but where there is a fixed path known at build-time where
the trust anchors will be at run-time, mk/ssl.mk should be adapted to
set SSLCERTBUNDLE.

PR pkg/58143: security/gnutls uses wrong trust anchors