Dave Cridland authored
What this patch actually does is place existing certificates into a CertStore, including those from its (untrusted) keystore, the trust store, and any from the chain supplied by the peer, and then rebuild a chain back to a known trust anchor (from the trust store). This strategy will cope with unknown ICAs in chains, abbreviated chains, and so on, and replaces attempts to specifically handle self-signed certificates. That last said, there is an explicit shortcut to handle self-signed certificates which are supplied as end-entity certificates. These are simply checked against the trust store without any attempt to build a path.
78e4eff7
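The strategy the commit message describes, sketched with the JDK's PKIX `CertPathBuilder`. This is an added example, not code from the commit or the project; the class and method names are hypothetical, and disabling revocation checking is an assumption made to keep the example to path building.

```java
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

// Added example: hypothetical class and method names, not the project's own code.
public class ChainRebuilder {
    /** Returns a validated path for peerChain[0]; throws if no path to a trust anchor exists. */
    public static List<? extends Certificate> rebuild(KeyStore trustStore, KeyStore keyStore,
                                                      X509Certificate[] peerChain) throws Exception {
        X509Certificate endEntity = peerChain[0];
        // Trust anchors come only from the trust store.
        Set<TrustAnchor> anchors = new HashSet<>();
        List<Certificate> pool = new ArrayList<>();
        for (String alias : Collections.list(trustStore.aliases())) {
            Certificate c = trustStore.getCertificate(alias);
            if (c instanceof X509Certificate) {
                anchors.add(new TrustAnchor((X509Certificate) c, null));
                pool.add(c);
            }
        }
        // Shortcut: a self-signed end-entity certificate is checked directly
        // against the trust store, with no attempt to build a path.
        if (endEntity.getSubjectX500Principal().equals(endEntity.getIssuerX500Principal())) {
            endEntity.verify(endEntity.getPublicKey());
            endEntity.checkValidity();
            if (trustStore.getCertificateAlias(endEntity) == null) {
                throw new CertificateException("self-signed certificate is not in the trust store");
            }
            return Collections.singletonList(endEntity);
        }
        // Untrusted material: candidate intermediates only, never anchors.
        for (String alias : Collections.list(keyStore.aliases())) {
            Certificate c = keyStore.getCertificate(alias);
            if (c != null) pool.add(c);
        }
        pool.addAll(Arrays.asList(peerChain));

        X509CertSelector target = new X509CertSelector();
        target.setCertificate(endEntity);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.addCertStore(
                CertStore.getInstance("Collection", new CollectionCertStoreParameters(pool)));
        params.setRevocationEnabled(false); // assumption: revocation is handled separately

        // build() throws CertPathBuilderException when no chain reaches an anchor.
        return CertPathBuilder.getInstance("PKIX").build(params).getCertPath().getCertificates();
    }
}
```

Because the pool is only a source of candidate intermediates, an unknown ICA or an abbreviated peer chain still validates as long as some combination of pooled certificates links the end-entity certificate to an anchor.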