Fix GnuTLS interactive prompt short-circuiting.
tls_verify_peers() doesn't verify expiration dates. So aborting early because of a 0 certstat and the leaf passing tls_check_preauth() does not mean subsequent intermediate certs are okay: they could be expired. In the saved-cert preauth loop, instead of just noting the tls_check_preauth() rc for the leaf, note the highest cert that passes preauth. Then, in the interactive loop (which goes in the opposite order, from CA to leaf) check that value instead. Since we are trusting certs one by one, anything that passed in the previous loop will certainly pass the preauth check at the beginning of tls_check_one_certificate().
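As an added illustration of the short-circuit described above (not mutt's code: the struct, the sample chains and both functions are hypothetical stand-ins for the real loops), the old leaf-only check beside the fixed "highest cert that passed preauth" check, in C:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical chain entry: index 0 is the leaf, the last entry is the CA
 * (the order the saved-cert loop walks). preauth_ok is a constructed
 * stand-in for "tls_check_preauth() returned 0"; unlike certstat it
 * reflects the expiration check. */
struct cert {
    bool preauth_ok;
};

/* Constructed sample chains (not real certificates). */
static const struct cert BAD_CHAIN[3]  = { {true}, {false}, {true} }; /* intermediate expired */
static const struct cert GOOD_CHAIN[3] = { {true}, {true},  {true} };

/* Saved-cert loop: remember the highest index i such that every cert 0..i
 * passed preauth (-1 if even the leaf failed), instead of only the leaf's rc. */
static int max_preauth_pass(const struct cert *chain, size_t n)
{
    int highest = -1;
    for (size_t i = 0; i < n && chain[i].preauth_ok; i++)
        highest = (int)i;
    return highest;
}

/* Interactive loop runs CA -> leaf. After the user trusts cert 'trusted'
 * (trusted >= 1), the chain re-verifies with certstat == 0. Each function
 * answers: does the loop stop here and accept the chain? */
static bool old_short_circuit(const struct cert *chain, size_t n, size_t trusted)
{
    (void)n; (void)trusted;
    return chain[0].preauth_ok;   /* bug: only the leaf was ever checked */
}

static bool fixed_short_circuit(const struct cert *chain, size_t n, size_t trusted)
{
    /* every cert below the trusted one must already have passed preauth */
    return max_preauth_pass(chain, n) >= (int)trusted - 1;
}

int main(void)
{
    /* Trusting the CA (index 2) of BAD_CHAIN: the old check accepts, the
     * fixed check keeps prompting so the expired intermediate is examined. */
    printf("old: %d  fixed: %d\n",
           old_short_circuit(BAD_CHAIN, 3, 2), fixed_short_circuit(BAD_CHAIN, 3, 2));
    return 0;
}
```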
mentioned in issue #245 (closed)
mentioned in commit neomutt/neomutt@b5ab8872