Make FF_RESOLVE_FULL_TLS_CHAIN=false the default
We added the FF_RESOLVE_FULL_TLS_CHAIN
feature flag in !3699 (merged) to address TLS verification issues on macOS since macOS stopped allowing SHA-1 certificates (#29373 (closed)).
However, this feature flag can probably be set to false
now that most runners are using a fairly recent version of libcurl
. libcurl v7.68 has since fixed the behavior to trust a certificate authority that is not self-signed (https://github.com/curl/curl/commit/94f1f771586913addf5c68f9219e176036c50115). As a result, the need to resolve the full chain is no longer necessary. As long as there is a trusted certificate authority in the chain, the TLS connection can proceed.
This would also help avoid needing to decode certificates in the first place (https://gitlab.com/gitlab-org/gitlab-runner/-/issues/36318).