
Simplify TLS peer verification for replication #4390

@nickva

Description


By default, replicator TLS connections do not verify the TLS peer certificates:

```erlang
%% Fragment from the replicator: cfg/1 reads a replicator config key.
%% With verification enabled, only the configured CA file is trusted;
%% with it disabled, the peer certificate is not checked at all.
ssl_verify_options(true) ->
    CAFile = cfg("ssl_trusted_certificates_file"),
    [{verify, verify_peer}, {cacertfile, CAFile}];
ssl_verify_options(false) ->
    [{verify, verify_none}].
```

It's probably for a good reason: Erlang < 25 doesn't even have a good way to load OS-provided CAs. Only starting with Erlang 25 do we have public_key:cacerts_get(). The certificates are loaded and cached in a permanent literal term, and then it can be easily used as:

```erlang
%% Verify the peer against the OS trust store loaded by public_key:cacerts_get/0.
{ok, _} = httpc:request(get, {"https://erlang.com", []},
                        [{ssl, [{verify, verify_peer},
                                {cacerts, public_key:cacerts_get()}]}], []),
ok.
```

The enhancement would be to make TLS peer verification a bit more ergonomic, making it easy to use OS-provided CAs. We could backport the Erlang 25 cert loading code into a compat couch_util function until Erlang 25+ is the only required OTP version.

Another option is to use certify, but that's another dependency to bring in and since Erlang already plans on providing the feature might as well use the OTP solution.

As for how to configure it, perhaps we could have a special ssl_trusted_certificates_file value indicating we want to load the OS-provided CAs, or a separate config option like ssl_use_os_certificates = true | false. Maybe even allow appending the user's trusted CA certificates to the OS ones?
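One way to shape the compat helper and config option sketched in this issue, as an added example that is not the issue author's or CouchDB's code; the key names, sample_config/0 and the cfg/1 stand-in are assumptions:

```erlang
%% Added illustration (not CouchDB code): build replicator SSL options that
%% verify the peer against OS-provided CAs when the runtime offers them,
%% optionally appending a user-supplied PEM bundle. The config keys and the
%% cfg/1 helper are assumptions for this sketch.
-module(ssl_opts_example).
-export([ssl_verify_options/1, os_cacerts/0]).

%% Hypothetical config reader standing in for the replicator's cfg/1.
cfg(Key) -> proplists:get_value(Key, sample_config()).

sample_config() ->
    [{"ssl_use_os_certificates", "true"},
     {"ssl_trusted_certificates_file", undefined}].

%% OS trust store on OTP 25+ (public_key:cacerts_get/0), or `undefined`
%% on older releases where the function does not exist or loading fails.
os_cacerts() ->
    _ = code:ensure_loaded(public_key),
    case erlang:function_exported(public_key, cacerts_get, 0) of
        true ->
            try public_key:cacerts_get() of
                Certs when is_list(Certs) -> Certs
            catch _:_ -> undefined
            end;
        false -> undefined
    end.

%% Decode a PEM bundle into DER certificates; no path means no certs.
pem_cacerts(undefined) -> [];
pem_cacerts(Path) ->
    {ok, Pem} = file:read_file(Path),
    [Der || {'Certificate', Der, not_encrypted} <- public_key:pem_decode(Pem)].

ssl_verify_options(false) ->
    [{verify, verify_none}];
ssl_verify_options(true) ->
    UserCerts = pem_cacerts(cfg("ssl_trusted_certificates_file")),
    OsCerts = case cfg("ssl_use_os_certificates") of
        "true" -> os_cacerts();
        _ -> undefined
    end,
    %% ssl's cacerts option accepts DER and combined_cert entries in one list.
    case {OsCerts, UserCerts} of
        {undefined, []} ->
            %% Verification requested but no CAs available: fail closed
            %% instead of silently downgrading to verify_none.
            erlang:error(no_trusted_cas);
        {undefined, Certs} -> [{verify, verify_peer}, {cacerts, Certs}];
        {Os, Certs} -> [{verify, verify_peer}, {cacerts, Os ++ Certs}]
    end.
```

On an OTP 25+ node with the sample config, ssl_verify_options(true) yields verify_peer with the OS trust store; on older OTP with no CA file configured it raises rather than quietly returning verify_none.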
