SSL fixes: - don't moan about certificate CN mismatch unless verbose or sslcertck set - honour sslcertpath even if sslcertck is not set (because fetchmail -v can still give useful information about certificate validity even if we're not strictly enforcing it)
--- socket.c.orig Fri Oct 10 11:32:15 2003
+++ socket.c Mon Apr 19 09:28:05 2004
@@ -808,9 +808,10 @@
 p2 += n;
 }
 if (0 != strcasecmp(p1, p2)) {
- report(stderr,
- GT_("Server CommonName mismatch: %s != %s\n"),
- buf, _ssl_server_cname );
+ if (strict || outlevel == O_VERBOSE)
+ report(stderr,
+ GT_("Server CommonName mismatch: %s != %s\n"),
+ buf, _ssl_server_cname );
 if (ok_return && strict) return (0);
 }
@@ -960,13 +961,13 @@
 if (certck) {
 SSL_CTX_set_verify(_ctx, SSL_VERIFY_PEER, SSL_ck_verify_callback);
- if (certpath)
- SSL_CTX_load_verify_locations(_ctx, NULL, certpath);
 } else {
 /* In this case, we do not fail if verification fails. However,
 * we provide the callback for output and possible fingerprint checks. */
 SSL_CTX_set_verify(_ctx, SSL_VERIFY_PEER, SSL_nock_verify_callback);
 }
+ if (certpath)
+ SSL_CTX_load_verify_locations(_ctx, NULL, certpath);
 _ssl_context[sock] = SSL_new(_ctx);
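Review bot: The new `if (strict || outlevel == O_VERBOSE)` guards a single `report()` call that spans three lines without braces, so a later edit adding a second statement (a counter, a fingerprint dump) would silently land outside the condition; brace it as `if (strict || outlevel == O_VERBOSE) {` … `}`. A short comment on the guard would also make the security intent explicit, since the mismatch is now silent in the default non-strict run, e.g. `/* A CN mismatch is reported only when enforced (sslcertck) or on -v; without strict the mismatch is advisory and the caller presumably continues. */`. The enclosing verification function begins and ends outside this hunk, so whether the non-strict path really continues after the check cannot be confirmed from the hunk alone.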
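Review bot: The moved `SSL_CTX_load_verify_locations(_ctx, NULL, certpath)` still discards its return value; in OpenSSL it returns 0 when the path cannot be loaded, and in the `certck` case that would presumably leave the context without trusted CAs, so the user sees a generic verification failure instead of a message naming the bad `sslcertpath`. Since this commit's stated purpose is to make `-v` useful for certificate diagnostics even when not enforcing, a failed load is worth reporting in both branches: `if (certpath && !SSL_CTX_load_verify_locations(_ctx, NULL, certpath))` followed by `report(stderr, GT_("could not load trusted certificates from %s\n"), certpath);` (constructed wording, to be matched to the file's existing GT_ messages). The enclosing setup function continues outside the hunk, so whether a failure here should also abort the connection in the strict case is for the caller's error path to decide.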