p11_child: add 'soft_ocsp' and 'soft_crl options
To make the checks for revoked certificates more flexible if the system
is offline this patch add the new values for the
'certificate_verification' option. With 'soft_ocsp' the OCSP check is
skipped if the OCSP responder cannot be connected. With 'soft_crl' an
expired CRL will be ignored.
If a certificate is considered valid dues to one of those option a
syslog message is generated to indicate that the certificate was allowed
because the check if the certificate was revoked was ignored.
Related to https://pagure.io/SSSD/sssd/issue/3677
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>