Fix SSLCertificateIdentityVerifierTest for OpenSSL 1.1.1h

Summary:
This test was written in a way that relied on an internal OpenSSL implementation
detail -- that OpenSSL would invoke the `handshakeVer` callback on the
root certificate.

OpenSSL commit https://github.com/openssl/openssl/commit/e2590c3a162eb118c36b09c2168164283aa099b4, which
is part of OpenSSL 1.1.1h, alters the control flow of the X509_verify routine
such that the handshakeVer callback is no longer called on self-signed
certificates in the trust store (aka CA certificates).

The purpose of this test was to ensure that a forced failed verification on the
end entity certificate would elicit a particular behavior. This diff adjusts
the implementation to match the original intention and removes the reliance
on implementation detail specifics.

Differential Revision: D24183002

fbshipit-source-id: abc8337f76d3529966d276cae2337ad136456199

folly/io/async/test/AsyncSSLSocketTest.cpp

@@ -1449,15 +1449,22 @@ TEST(
   serverSock->sslAccept(nullptr, std::chrono::milliseconds::zero());
 
   StrictMock<MockHandshakeCB> clientHandshakeCB;
+
+  // Force the end entity certificate, which normally is successfully verified,
+  // to be considered as unsuccessful
   EXPECT_CALL(clientHandshakeCB, handshakeVerImpl(clientSock.get(), true, _))
-      // CA root certificate succeeds
-      .WillOnce(Return(true))
-      // leaf fails
-      .WillOnce(Return(false));
+      .Times(AtLeast(1))
+      .WillRepeatedly(Invoke([&](auto&&, bool preverifyOk, auto&& ctx) {
+        auto currentDepth = X509_STORE_CTX_get_error_depth(ctx);
+        if (currentDepth == 0) {
+          EXPECT_TRUE(preverifyOk);
+          return false;
+        }
+        return preverifyOk;
+      }));
 
   // failure callback to verify handshake failed
-  EXPECT_CALL(clientHandshakeCB, handshakeErrImpl(clientSock.get(), _))
-      .WillOnce(Return());
+  EXPECT_CALL(clientHandshakeCB, handshakeErrImpl(clientSock.get(), _));
 
   clientSock->sslConn(&clientHandshakeCB);