I don't have a specific example, hence i said 'guess.'
It is just that I could use openssl s_client without needing -CApath before.

There are a couple of SSL/TLS issues I have, but I won't directly say are a result of the new OpenSSL. For example, since I update it and the corresponding qt4-x11, some https feeds aren't refreshing for me with cutenews, etc. I doubt it is related, but yeah

You could try to recompile cutenews with cssu packages. However it could be that cutenews need some patching. Or something with the certificates, or with qt something is not 100% ok.

So when recompiling did nothing then cutenews need more network connection debug output to analyse the problem. Sometimes redirection could be a pain.

After the rehash and restarting the console it should work also without -CApath.
Try to rehash without perl infront.

For my system and same openssl version it is working without the -CApath. Also myself compiled wget against new openssl is working without specifying --ca-directory=directory (Without this option Wget looks for CA certificates at the system-specified locations, chosen at OpenSSL installation time.) and it works.
I could upload wget for >=cssu-testing+openssl 1.1.0h to openrepos if it is needed.

@sicelo

I recompiled cutenews and qmlbrowser with cssu-devel libqt4.
For cutenews I set QSsl::AnyProtocol and for qmlbrowser I set QSsl::SecureProtocols.

Both should now support TLS 1.1 and 1.2

If you like you can try them. I will try qmlbrowser when I find some time for it.

Thanks very much @Halftux. Even though my openssl still needs -CApath after the rehash without 'perl', it is really nice to see the updated qmlbrowser. https://howsmyssl.com now says it is Probably Okay, as opposed to Bad in the previous version. Thank you.

I will test my openssl situation properly later on.

Thats great.
Did you made this rehash as root?
From where do you starting openssl binary, from ssh or from osso-terminal? I will make also some test with openssl again and make a cross check.
I have also not so much experience with openssl 1.1.0h before I was using 1.0.1g + SNI patched libqt4 for cssu-testing.

@ sicelo

Ok you are right I have now a device where I installed openssl1.1.0 from scratch which it is not working without -CApath.

So this one is tricky can't remember what I did to the other device where it is working. I will dive into it. Stay tuned.

Ok here it is, I found the difference.

I created a "ssl.defs" file in "/etc/osso-af-init/". I will attach the file.
Furthermore I edited af-defines.sh in the same folder.

Add a new line around line 160(were other *.defs get loaded):
After the changes restart the N900.
Congratulation now you are finished and all console tools like openssl, ssh and wget should work without -CApath.

I think I did it when I had some problems with other openssl in the past, the date of the file is 12.04.2018 and now it helps.

Yay! That solved the issue, and I am ashamed it never occured to me to think about environment variables.

There are still lots of sites that won't open in qmlbrower or update in cutenews, but let me assume something changed in them. Will try downgrading qt4 though. Example feed that worked in cutenews up to the 29th September (around when I did the upgrade):

https://mybroadband.co.za/news/feed

Enabling cutenews' logging, I get:
Thank you very much for all you've uncovered!

No problem you are welcome I also want a bug free system so if somebody find something it is a big help too.

I need to have a look at the sources from libqt4 from repo, the patch at github looks smaller than I thought it would be.

Here as a goody:
I will attach wget and a libssl1.0.2 which you could use parallel with older openssl versions.
When you use openssl >=1.1.0h you should use the version from openrepos.
Both versions are only debianized and maemo optified. For the libssl1.0.2 I used the sources from ceene.

edit: post to wget for older openssl