Hi, see bug 548436. In NSS 3.17.3 roots like GTE CyberTrust Global Root were removed. Applications using <openssl-1.0.1o won't be able to verify SSL hosts using certs from these roots (like FB's akamai CDN). When we RDEPEND on an openssl version which supports alternative certificate paths we would guarantee that people won't use a incompatible cert store (=forcing openssl upgrades, because we have multiple versions in tree). See this discussion (http://thread.gmane.org/gmane.linux.gentoo.devel/88762) regarding the recommendation for specifying minimal version numbers.
should be all set now in the tree; thanks for the report! Commit message: Force newer openssl so alternative certificate paths work smoothly http://sources.gentoo.org/app-misc/ca-certificates/ca-certificates-20141019.3.17.4.ebuild?r1=1.1&r2=1.2 http://sources.gentoo.org/app-misc/ca-certificates/ca-certificates-20141019.3.19.ebuild?r1=1.2&r2=1.3