we are trying to avoid using REQUIRED_USE as much as possible, since it provides a bad user experience. In Gentoo the common way to "select" a compatible ssl/tls implemention is just to prioritize them by reading USE flags. You've probably seen constructs like these:
gnutls? ( net-libs/gnutls:= )
!libressl? ( dev-libs/openssl:0= )
libressl? ( dev-libs/libressl:= )
This is correct. No REQUIRED_USE needed here. I'd like to suggest something similar to be done with s3fs.
Since it _requires_ an ssl/tls implementation to be enabled, the "+openssl" itself is bogus. That flag isn't even globally recognized, we use simple "ssl" to implicate there's ssl available (which often means openssl),
So here's my suggestion:
Depchain goes nss > gnutls > openssl.
if 'nss' is enabled, always prefer that.
if '-nss +gnutls', use gnutls.
if '-nss -gnutls', use openssl.
Then I'd personally pair "nettle" with "gnutls", but since it's an independent configure option, we can leave the
REQUIRED_USE="nettle? ( gnutls !nss )" in place.
This way you also drop the "openssl" flag, and if other tls implementations are disabled, default to it.