It seems that in the default rawhide configuration openssl is attempting to use hashed names from a directory where no hashed names are generated. I expect hashed names are more efficient than a single file containing all certificates present. But if the CA tooling is preparing that in some directory, I think the default configuration should try that directory unless overridden manually. It seems that does not happen now.

Tested with:
openssl-3.0.8-2.fc39.x86_64
ca-certificates-2023.2.60-2.fc38.noarch

Reproducible: Always

Steps to Reproduce:
1. strace -o openssl.strace openssl s_client -connect dns.google:853
2. grep /etc/pki openssl.strace

Actual Results:
openat(AT_FDCWD, "/etc/pki/tls/openssl.cnf", O_RDONLY) = 3
openat(AT_FDCWD, "/etc/pki/tls/ct_log_list.cnf", O_RDONLY) = 3
openat(AT_FDCWD, "/etc/pki/tls/cert.pem", O_RDONLY) = 3
newfstatat(AT_FDCWD, "/etc/pki/tls/certs/c06d5c68.0", 0x7ffc8e6d9230, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/etc/pki/tls/certs", {st_mode=S_IFDIR|0755, st_size=4096, ...}, 0) = 0
openat(AT_FDCWD, "/etc/pki/tls/certs", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4

Expected Results:
Hashed certificates should be tried in a directory where some hashed certificates reside. At least on current rawhide /etc/pki/tls/certs/ contains no hashed certificate with a similar name. /etc/pki/ca-trust/extracted/pem/directory-hash/ seems to contain entries in a similar format, but that directory is not tried according to strace.

Noticed this when triaging bug #2196699.

# ls -l /etc/pki/tls/certs/
total 0
lrwxrwxrwx. 1 root root 49 Jan 19 19:00 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root root 55 Jan 19 19:00 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
# ls /etc/pki/ca-trust/extracted/pem/directory-hash/*.0 | wc -l
282
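The lookup the strace shows is OpenSSL's CApath mechanism: for each issuer it computes the subject-name hash and stats `<hash>.<n>` in the configured directory, so a directory with no such entries can never satisfy the lookup, however many bundle files it links to. The script below is an added example, not part of the bug report or of the openssl or ca-certificates packages. It assumes only the `openssl` command-line tool; the CA it generates and the temporary directories are constructed test data. It reproduces the failure mode (a CApath with zero hashed entries) beside the working case (a directory populated the way `c_rehash`/`openssl rehash` would populate it) so the two can be compared with `openssl verify` instead of strace.

```shell
#!/bin/sh
# Added example (not from the bug report): build a hashed CApath directory for a
# freshly generated test CA and confirm that OpenSSL finds the CA through the
# <subject-hash>.<n> file name, and fails when no such entry exists.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate a throwaway self-signed CA (constructed test data, not a real CA).
# Prints the path of the PEM certificate.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    echo "$WORK/ca.pem"
}

# Install a PEM certificate into CAPATH under its subject hash, the layout
# c_rehash produces: <hash>.<n>, where n disambiguates hash collisions.
# Prints the file name that was created.
install_hashed() {
    capath=$1; cert=$2
    mkdir -p "$capath"
    hash=$(openssl x509 -noout -hash -in "$cert")
    n=0
    while [ -e "$capath/$hash.$n" ]; do n=$((n + 1)); done
    cp "$cert" "$capath/$hash.$n"
    echo "$hash.$n"
}

# Count hashed entries (8 hex digits, dot, index) directly in a directory: the
# same check the report runs with `ls .../directory-hash/*.0 | wc -l`.
# 0 means a CApath lookup in that directory cannot succeed.
count_hashed() {
    find "$1" -maxdepth 1 \
        -name '[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*' \
        2>/dev/null | wc -l | tr -d ' '
}

# Return 0 if verification succeeds using only the hashed directory: -no-CAfile
# keeps the default bundle out of the picture so the result reflects CApath alone.
verify_via_capath() {
    capath=$1; cert=$2
    openssl verify -no-CAfile -CApath "$capath" "$cert" >/dev/null 2>&1
}

# Demo when run stand-alone: an empty directory cannot satisfy a hashed lookup,
# a rehashed one can.
CA=$(make_test_ca)
mkdir -p "$WORK/empty"
echo "hashed entries in empty CApath: $(count_hashed "$WORK/empty")"
if verify_via_capath "$WORK/empty" "$CA"; then
    echo "unexpected: verified via empty CApath"
else
    echo "verify via empty CApath: failed (expected, no <hash>.<n> entry)"
fi
NAME=$(install_hashed "$WORK/hashed" "$CA")
echo "installed $NAME; hashed entries now: $(count_hashed "$WORK/hashed")"
if verify_via_capath "$WORK/hashed" "$CA"; then
    echo "verify via rehashed CApath: OK"
fi
```

To apply the same check to a real system, run `count_hashed` against the directory openssl actually stats in the strace and against the one the CA tooling populates; a zero count for the former is exactly the mismatch the report describes, and `openssl verify -no-CAfile -CApath <dir> <cert>` shows the practical effect without tracing syscalls.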
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle. Changing version to 39.