Description of problem: tlsm_auth_cert_handler calls SSL_PeerCertificate to get the peer's cert from the socket. This cert must be freed with CERT_DestroyCertificate. You can see this problem using valgrind with ldapsearch -ZZ. You will see memory leaks like this:

==23056== 48 bytes in 1 blocks are possibly lost in loss record 45 of 110
==23056==    at 0x4A04A28: calloc (vg_replace_malloc.c:467)
==23056==    by 0x30AF675479: nss_ZAlloc (arena.c:892)
==23056==    by 0x30AE601A8E: PL_HashTableRawAdd (plhash.c:265)
==23056==    by 0x30AF676C53: nssHash_Add (hash.c:259)
==23056==    by 0x30AF66C7C7: nssCertificateStore_FindOrAdd (pkistore.c:192)
==23056==    by 0x30AF6691B1: NSSCryptoContext_FindOrImportCertificate (cryptocontext.c:146)
==23056==    by 0x30AF664A17: CERT_NewTempCertificate (stanpcertdb.c:456)
==23056==    by 0x30B0212ED3: ssl3_HandleHandshakeMessage (ssl3con.c:7850)
==23056==    by 0x30B0213E2F: ssl3_HandleRecord (ssl3con.c:8727)
==23056==    by 0x30B02148CB: ssl3_GatherCompleteHandshake (ssl3gthr.c:209)
==23056==    by 0x30B0217168: ssl_GatherRecord1stHandshake (sslcon.c:1258)
==23056==    by 0x30B021CF14: ssl_Do1stHandshake (sslsecur.c:151)
==23056==    by 0x30B021E67E: SSL_ForceHandshake (sslsecur.c:407)
==23056==    by 0x30B32349E4: tlsm_session_accept_or_connect (tls_m.c:2350)
==23056==    by 0x30B3233571: ldap_int_tls_connect (tls2.c:366)
==23056==    by 0x30B32337DC: ldap_int_tls_start (tls2.c:833)
==23056==    by 0x30B323394D: ldap_start_tls_s (tls2.c:939)
==23056==    by 0x40B798: tool_conn_setup (common.c:1290)
==23056==    by 0x4069A7: main (ldapsearch.c:900)

In other applications that use Mozilla NSS, you will see errors in NSS_Shutdown and NSS_Initialize - NSS_Shutdown will fail because the cert objects are cached, and the cache cannot be freed because there is still an outstanding reference.
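To make the ownership rule behind this leak concrete, here is an added example (not OpenLDAP or NSS code) that models NSS's certificate reference counting with a constructed cert object: the peer-certificate getter hands out a new reference the caller owns, a leaky handler in the shape of the reported bug keeps it, the fixed handler releases it with the destroy call, and the model shutdown only succeeds when no extra reference remains. All names prefixed model_, the handler functions and the subject string are assumptions for this example.

```c
#include <string.h>

/* Constructed model of an NSS certificate object; refcount 1 means only
   the NSS temp-cert cache holds it (as after CERT_NewTempCertificate). */
typedef struct {
    int refcount;
    const char *subject;
} model_cert;

/* Constructed sample peer certificate living in the "cache". */
model_cert peer_cert = { 1, "CN=ldap.example.test" };

/* Models SSL_PeerCertificate: returns a NEW reference that the caller owns. */
model_cert *model_ssl_peer_certificate(void)
{
    peer_cert.refcount++;
    return &peer_cert;
}

/* Models CERT_DestroyCertificate: releases the caller's reference. */
void model_cert_destroy_certificate(model_cert *c)
{
    if (c != NULL)
        c->refcount--;
}

/* Models NSS_Shutdown: the cache can only be torn down when nobody else
   still holds a reference. Returns 0 on success, -1 on failure. */
int model_nss_shutdown(void)
{
    return peer_cert.refcount == 1 ? 0 : -1;
}

/* Shape of the reported defect: the cert is fetched and checked but the
   reference is never released, so one reference leaks per handshake. */
int auth_cert_handler_leaky(const char *expected_subject)
{
    model_cert *c = model_ssl_peer_certificate();
    return strcmp(c->subject, expected_subject) == 0 ? 0 : -1;
}

/* Corrected shape: release the reference once validation is done, on
   every return path, so shutdown can later free the cache. */
int auth_cert_handler_fixed(const char *expected_subject)
{
    model_cert *c = model_ssl_peer_certificate();
    int rc = strcmp(c->subject, expected_subject) == 0 ? 0 : -1;
    model_cert_destroy_certificate(c);
    return rc;
}

/* References held beyond the cache's own; anything above 0 is a leak. */
int leaked_references(void)
{
    return peer_cert.refcount - 1;
}
```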
Patch submitted upstream - http://www.openldap.org/its/index.cgi?findid=6980
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
- Any tool which uses both the OpenLDAP and Mozilla NSS libraries. OpenLDAP validates the TLS peer and the certificate is cached by the Mozilla NSS library.
- The tool can fail on the NSS_Shutdown function call, because the client certificate is not freed and the caches cannot be destroyed.
- The peer certificate is freed in the OpenLDAP library after certificate validation has finished.
- All caches can be freed and NSS_Shutdown succeeds.
Resolved in openldap-2.4.26-1.fc16
openldap-2.4.24-4.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/openldap-2.4.24-4.fc15
openldap-2.4.24-5.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/openldap-2.4.24-5.fc15
openldap-2.4.24-5.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.