It looks like depending on who initializes OpenSSL (KRPC or us), the behavior changes. After some cherry-picks, we're unable to run Impala on remote clusters with TLS with certain certificate types.
We get the following when we use intermediate CAs:
And we get the following when we use self-signed certificates:
"self signed certificate in certificate chain"