Explain why #2356 "works".

[jsirois]

The explanation was hard won and a bit embarrasing in outcome. The
original behavior was correct afaict and PBS use on a RedHat system with
custom RedHat OpenSSL config keys should fail, obviously with a much
better error message, and prompt OpenSSL configuration evaluation on the
machine. That said, the behavior is released now and Pex stands behind
it.

It may make sense to add a --strict-ssl option or something similar to
restore the old behavior and let the (confusing) error bubble, perhaps
with a pointer to what may be wrong.

This should also serve to close
indygreg/python-build-standalone#207 or at
least give Gregory enough information to decide what to do over in PBS.

Closes the loose ends in #2355.

[jsirois]

@mjimlittle and @xlevus, I'd appreciate your eyes on the big comment added in this PR. In short, it explains that your RedHat systems use a RedHat proprietary OpenSSL config option that only works with the patched OpenSSL that ships with the OSes you use. There is not much I can see that PBS Python's can do about this! That said, you should know that PBS Pythons are choking on your SSL Config on those machines and may only be partially configured / ignoring some of your settings.

[benjyw]

Thanks, that's painful.

[jsirois]

Thanks, that's painful.

Yeah, a bit. Always fun to learn more gdb though.

I'm not sure what Pants / scie-pants want to do about this, but I'll be adding a warning over in the science PBS provider docs about this potential security hole in PBS ssl. If you'd like to provide security-conscious Pants users the option to see these errors I'm happy to field a feature request / bug report about this silent bad SSL config dropping (i.e. add the --strict-ssl option I mentioned in the OP). I'm even happier to review a PR if any of you want to contribute that.