plugin.api.websocket: use certifi's cacert.pem

[bastimeyer]

• Add certifi as a direct dependency (already defined by requests) and don't set a version range
• Set the ca_certs SSL option in WebsocketClient which defaults to the CA certs file bundled by certifi, similar to HTTPS requests made by requests

---

Resolves streamlink/streamlink-appimage#1

While requests uses the bundled cacert.pem CA certificates file by the certifi dependency (via certifi.where()) for all HTTPS requests being made by Streamlink (since Streamlink doesn't set any custom paths), websocket-client defaults to the system's CA certs which get loaded by OpenSSL. Depending on the system config, this can cause issues, and it's also inconsistent with HTTPS requests made by requests. Streamlink should therefore load the same cacert.pem when making secure websocket connections via websocket-client, like requests does for all HTTPS requests.

Similar to requests and its REQUESTS_CA_BUNDLE / CURL_CA_BUNDLE env vars, WEBSOCKET_CLIENT_CA_BUNDLE can be set to override the default path.

I have no idea though what changing this does to OpenSSL's SSL_CERT_FILE env var and whether this will still be supported.

• https://websocket-client.readthedocs.io/en/latest/faq.html#what-else-can-i-do-with-sslopts
• https://github.com/websocket-client/websocket-client/blob/v1.4.2/websocket/_http.py#L255-L273
• https://github.com/psf/requests/blob/v2.28.1/requests/utils.py#L58
• https://github.com/psf/requests/blob/v2.28.1/requests/sessions.py#L763-L770