Bug ID 1000036
Summary devel:languages:nodejs/nodejs: CA certificates broken on SLE11
Classification openSUSE
Product openSUSE.org
Version unspecified
Hardware Other
OS SLES 11
Status NEW
Severity Normal
Priority P5 - None
Component 3rd party software
Assignee i@marguerite.su
Reporter adaugherity@tamu.edu
QA Contact opensuse-communityscreening@forge.provo.novell.com
CC amajer@suse.com
Found By ---
Blocker ---

After https://build.opensuse.org/request/show/424285 was added, anything using
the system CA certificate directory is broken on SLE_11_SP4 (simple test: 'npm
ping', which fails with 'Error: unable to get local issuer certificate').  npm
is unable to access the registry, and anything in Node making SSL connections
fails.

This appears to be because the certificate hashing algorithm changed between
openssl 0.9.8 (shipped in SLES 11) and 1.0+ (1.0.2 is bundled with Node.js) --
see the -subject_hash and -subject_hash_old options in x509(1ssl).  Running npm
under strace confirms this:
==== SLES 11 ====
npm http request GET https://registry.npmjs.org/-/ping?write=true
stat("/etc/ssl/certs/4a6481c9.0", 0x7fffdc5e9fb0) = -1 ENOENT (No such file or directory)
stat("/etc/ssl/certs/73af33e2.0", 0x7fffdc5e9fb0) = -1 ENOENT (No such file or directory)

==== Leap 42.1 ====
stat("/etc/ssl/certs/4a6481c9.0", {st_mode=S_IFREG|0444, st_size=1354, ...}) = 0
====

On 42.1, that is a symlink to GlobalSign_Root_CA_-_R2.pem, which is indeed the
CA for registry.npmjs.org.  On SLES 11, however, the hash link is "111e6273.0",
which matches the "subject_hash_old":
====
leap421:/etc/ssl/certs $ openssl x509 -noout -subject_hash -subject_hash_old -in GlobalSign_Root_CA_-_R2.pem
4a6481c9
111e6273
====

Workarounds include copying the CA certificate directory from a Leap/SLE12
machine, or copying the SLE11 certs to a newer machine, running c_rehash, and
copying back (optionally to a new directory we point node at); this is better
than disabling 'strict-ssl' in npm but not great.

Since the system CA cert dir from SLE11 is not usable by the openssl bundled
with Node, it's probably best to disable the "use-system-ca-store" patch for
SLE11 and let Node.js use its built-in bundle.  I'll submit a request in OBS if
this is an acceptable solution.
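To make the hashing difference concrete, here is an added Python example (not from the bug report and not Node's or OpenSSL's code) that computes both link names for a constructed subject and shows why a directory rehashed by OpenSSL 0.9.8 is invisible to the by_dir lookup of the OpenSSL 1.0.2 bundled with Node. It assumes single-attribute RDNs and PrintableString values for the legacy DER; the subject is constructed, not GlobalSign's real certificate.

```python
"""OpenSSL CA-directory hash link names, old (0.9.8) and new (1.0+) style.
Constructed demo: single-attribute RDNs; PrintableString values assumed for the
legacy DER. Not the bug report's code and not GlobalSign's real certificate."""
import hashlib
import re

OIDS = {"CN": b"\x55\x04\x03", "O": b"\x55\x04\x0a", "OU": b"\x55\x04\x0b"}
# Constructed subject in GlobalSign-like shape, not the real certificate.
DEMO_SUBJECT = [("OU", "Example Root CA - R2"), ("O", "Example"), ("CN", "Example")]

def _tlv(tag, body):
    """Minimal DER TLV (lengths below 65536 only)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def _rdn(attr, value, string_tag):
    """RelativeDistinguishedName ::= SET OF { SEQUENCE { OID, value } }, one member."""
    atv = _tlv(0x30, _tlv(0x06, OIDS[attr]) + _tlv(string_tag, value))
    return _tlv(0x31, atv)

def _digest_to_hash(digest):
    """First four digest bytes as a little-endian uint32, printed like x509(1ssl)."""
    return "%08x" % int.from_bytes(digest[:4], "little")

def subject_hash_old(rdns):
    """0.9.8 style (-subject_hash_old): MD5 over the complete DER Name."""
    der = _tlv(0x30, b"".join(_rdn(a, v.encode(), 0x13) for a, v in rdns))
    return _digest_to_hash(hashlib.md5(der).digest())

def subject_hash(rdns):
    """1.0+ style (-subject_hash): SHA1 over canonical RDNs: UTF8String,
    trimmed, whitespace collapsed, ASCII-lowercased, no outer SEQUENCE."""
    def canon(v):
        return re.sub(rb"\s+", b" ", v.encode().strip()).lower()
    canon_enc = b"".join(_rdn(a, canon(v), 0x0c) for a, v in rdns)
    return _digest_to_hash(hashlib.sha1(canon_enc).digest())

def link_found(dir_entries, rdns, openssl_10=True):
    """Does the by_dir lookup (the stat() calls in the strace) find a link?"""
    h = subject_hash(rdns) if openssl_10 else subject_hash_old(rdns)
    return ("%s.0" % h) in dir_entries

if __name__ == "__main__":
    print("0.9.8 link: %s.0   1.0+ link: %s.0" % (subject_hash_old(DEMO_SUBJECT), subject_hash(DEMO_SUBJECT)))
```

Running `c_rehash` with a 1.0+ openssl writes both link styles, which is why copying the directory through a Leap machine works as a stopgap.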