Add missing variable length cipher flag for Blowfish.

Only use trust settings if either trust or reject settings
are present, otherwise use compatibility mode. This stops
root CAs being rejected if they have alias of keyid set.