vtls: fix default SSL backend as a fallback

- Use build-time CURL_DEFAULT_SSL_BACKEND as a fallback when environment
  variable CURL_SSL_BACKEND contains a backend that is unavailable.

Prior to this change if CURL_SSL_BACKEND was set then
CURL_DEFAULT_SSL_BACKEND was ignored even if the backend of the former
was unavailable. In that case libcurl would instead select the first
available backend in the list of backends.

Bug: https://github.com/curl/curl/issues/16076#issuecomment-2617354254
Reported-by: Jeroen Ooms

Closes https://github.com/curl/curl/pull/16108

lib/vtls/vtls.c

@@ -1113,8 +1113,8 @@ static size_t multissl_version(char *buffer, size_t size)
 
 static int multissl_setup(const struct Curl_ssl *backend)
 {
-  const char *env;
-  char *env_tmp;
+  int i;
+  char *env;
 
   if(Curl_ssl != &Curl_ssl_multi)
     return 1;
@@ -1127,25 +1127,31 @@ static int multissl_setup(const struct Curl_ssl *backend)
   if(!available_backends[0])
     return 1;
 
-  env = env_tmp = curl_getenv("CURL_SSL_BACKEND");
-#ifdef CURL_DEFAULT_SSL_BACKEND
-  if(!env)
-    env = CURL_DEFAULT_SSL_BACKEND;
-#endif
+  env = curl_getenv("CURL_SSL_BACKEND");
   if(env) {
-    int i;
     for(i = 0; available_backends[i]; i++) {
       if(strcasecompare(env, available_backends[i]->info.name)) {
         Curl_ssl = available_backends[i];
-        free(env_tmp);
+        free(env);
         return 0;
       }
     }
   }
 
+#ifdef CURL_DEFAULT_SSL_BACKEND
+  for(i = 0; available_backends[i]; i++) {
+    if(strcasecompare(CURL_DEFAULT_SSL_BACKEND,
+                      available_backends[i]->info.name)) {
+      Curl_ssl = available_backends[i];
+      free(env);
+      return 0;
+    }
+  }
+#endif
+
   /* Fall back to first available backend */
   Curl_ssl = available_backends[0];
-  free(env_tmp);
+  free(env);
   return 0;
 }