@misterdjules
Last active August 29, 2015 14:11

This is not a final decision, but here's a quick summary of some of the discussions we've been having so far in order to find the best way to solve this issue.

@indutny's change, while it seems reasonable and fixes this specific issue with s3.amazonaws.com, hasn't been tested thoroughly. Thus, releasing a new version with this change seems a bit too early.

For users who need to connect to s3.amazonaws.com, a workaround would be to specify the (now) missing unsafe CA certificate as an additional certificate to trust. The request module and the built-in https and tls modules support that. Of course, there are critical security implications when doing that, and we would document them in detail.

The current candidate fix could then be thoroughly tested and make it into the next stable release once we're confident that it doesn't break more sites than it fixes.
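
The workaround described above, trusting one additional CA through the `ca` option of the built-in https module, sketched as an added example that is not part of the original gist. It assumes a current Node.js release that provides `tls.rootCertificates`; the helper names and the placeholder PEM are hypothetical, and the extra CA is applied only to the one host that needs it.

```javascript
'use strict';
const https = require('node:https');
const tls = require('node:tls');

// Constructed placeholder, not a real certificate: substitute the PEM text
// of the CA certificate you have decided to trust.
const PLACEHOLDER_CA_PEM =
  '-----BEGIN CERTIFICATE-----\n(placeholder PEM body)\n-----END CERTIFICATE-----\n';

// Hypothetical helper: add `extraCaPem` to the trust list only for requests
// to `allowedHost`; every other host keeps the default trust store.
function optionsWithExtraCa(allowedHost, extraCaPem, requestOptions) {
  const target = String(requestOptions.hostname || requestOptions.host || '')
    .toLowerCase();
  if (target !== allowedHost.toLowerCase()) {
    return { ...requestOptions };
  }
  return {
    ...requestOptions,
    // Passing `ca` replaces the bundled roots, so they are listed again here.
    ca: [...tls.rootCertificates, extraCaPem],
    // Chain and hostname verification stay on.
    rejectUnauthorized: true,
  };
}

// Issue a GET with the scoped options and resolve with the HTTP status code.
function getStatus(allowedHost, extraCaPem, requestOptions) {
  const options = optionsWithExtraCa(allowedHost, extraCaPem, requestOptions);
  return new Promise((resolve, reject) => {
    https.get(options, (res) => {
      res.resume(); // discard the body
      resolve(res.statusCode);
    }).on('error', reject);
  });
}
```

Setting `ca` per request keeps the weaker root out of the trust decision for every other host the process talks to.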
