Update openssl gem to 3.3.1

[Backport #21631]

Apply SSL options set in DEFAULT_PARAMS without clearing existing
options.

It currently clears options in order to avoid setting one of the
options included in OpenSSL::SSL::OP_ALL unless explicitly specified,
namely OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS. Now that
OpenSSL::SSL::OP_ALL has been removed from SSLContext#initialize, it is
no longer necessary.

https://github.com/ruby/openssl/commit/77c3db2d65

Respect the SSL options set by default by SSL_CTX() and by the
system-wide OpenSSL configuration file.

OpenSSL::SSL::SSLContext#initialize currently adds OpenSSL::SSL::OP_ALL
on top of the default SSL options. Let's stop doing it.

OpenSSL::SSL::OP_ALL is a set of options that changes OpenSSL's behavior
to workaround various TLS implementation bugs. Using it is considered
usually safe, but is not completely harmless.

https://github.com/ruby/openssl/commit/00bec0d905

Companion to getbyte but raise EOFError
Similar to https://github.com/ruby/openssl/pull/438

https://github.com/ruby/openssl/commit/c40f70711a

https://github.com/ruby/openssl/commit/911a31335f

https://github.com/ruby/openssl/commit/c99d24cee9

We use the following site for that now:

* https://tools.ietf.org/ or http
* https://datatracker.ietf.org or http

Today, IETF said the official site of RFC is www.rfc-editor.org.

FYI: https://authors.ietf.org/en/references-in-rfcxml

I replaced them to www.rfc-editor.org.

(https://github.com/ruby/openssl/pull/714)

* Add support for IO#timeout.

https://github.com/ruby/openssl/commit/3bbf5178a9

When compiled with OpenSSL <= 1.1.1, OpenSSL::SSL::SSLContext#setup
does not raise an exception on an error return from
SSL_CTX_load_verify_locations(), but instead only prints a verbose-mode
warning. This is not helpful since it very likely indicates an actual
error, such as the specified file not being readable.

Also, OpenSSL's error queue is not correctly cleared:

	$ ruby -w -ropenssl -e'OpenSSL.debug=true; ctx=OpenSSL::SSL::SSLContext.new; ctx.ca_file="bad-path"; ctx.setup; pp OpenSSL.errors'
	-e:1: warning: can't set verify locations
	["error:02001002:system library:fopen:No such file or directory",
	 "error:2006D080:BIO routines:BIO_new_file:no such file",
	 "error:0B084002:x509 certificate routines:X509_load_cert_crl_file: system lib"]

The behavior is currently different when compiled with OpenSSL >= 3.0:
SSLError is raised if SSL_CTX_load_verify_file() or
SSL_CTX_load_verify_dir() fails.

This inconsistency was unintentionally introduced by commit https://github.com/ruby/openssl/commit/5375a55ffc35
("ssl: use SSL_CTX_load_verify_{file,dir}() if available", 2020-02-22).
However, raising SSLError seems more appropriate in this situation.
Let's adjust the OpenSSL <= 1.1.1 code so that it behaves the same way
as the OpenSSL >= 3.0 code currently does.

Fixes: https://github.com/ruby/openssl/issues/649

https://github.com/ruby/openssl/commit/7eb10f7b75

This reverts commit https://github.com/ruby/openssl/commit/fc4629d246f2.

The test case "test_connect_certificate_verify_failed_exception_message"
does want to check the reason behind a certificate verification failure
to be included in the exception message.

https://github.com/ruby/openssl/commit/c309745eb8