Add compile-time OpenSSL version configuration

[dagood]

• Same scenario as Add compile-time flag that enables FIPS mode and ignores GOFIPS=0 at runtime #928

The OpenSSL version is configured through env vars, but this could lead to problems if the env vars are changed.

If an app is built for OpenSSL 1.1.1+FIPS and someone uses a tag that has both OpenSSL 1.1.1+FIPS and 3.0 (non-FIPS) installed, the OpenSSL backend will find 3.0 and not be able to enable FIPS mode. This can be fixed using GO_OPENSSL_VERSION_OVERRIDE at runtime, but the dependency on an env variable is undesirable.

[qmuntal]

I'm not sure if this really adds value to downstream users. Our main runtime target is CBL-mariner, and I would expect them to globally set GO_OPENSSL_VERSION_OVERRIDE pointing to the vetted (and FIPS-capable) OpenSSL version, so OpenSSL upgrades would be transparent to applications and wouldn't need to be recompiled. If CBL-mariner is not doing that yet, we should teach them about this feature.

For those users not using CBL-Mariner, I would rather improve the automatic OpenSSL version selection mechanism so it skips versions that don't support FIPS.

[dagood]

Hmm, the overall approach of the original ask was basically no dependence on env vars, but I hadn't considered the distro itself setting them. That's an interesting option, will need to see what our users think about that. I wonder if someone might clear out the env manually in a minimal container--even env set by the distro. (Since it's a runtime container rather than build container, they might not even need PATH.)

Good point that addressing the actual potential issue is probably the best thing to do here for the general case.