Looking more closely, I'm going to hope curl is at fault and that this is actually "just" a CA list issue.
It's very unusual for any of this code to rely on "default" trust store handling but I'm wondering if this code is tripping on that for some reason. If so, it's likely due to the Let's Encrypt rollover, which is what test.shibboleth.net uses, and that's what those tests are hitting.

-- Scott