find_x509_credentials doesn't validate X509_USER_* files

As documented:

If the X509_USER_{CERT,KEY,PROXY} variables are set, their paths are not validated in any way, but are trusted to point at valid, non-expired credentials. The default paths in /tmp and globus are validated before being returned.

However, users are tripping over this, so we should consider changing the behaviour.