I don’t know if the “already-cached” problem is relevant for macOS. It would still be better to find a way to explicitly use system certificate validation because the system has features that might not map nicely onto OpenSSL’s CA model (such as being able to override the system policy for trusting certificates).