Patch GnuTLS in 1.16 branch to handle certificate chain expiration
From https://mail.gnome.org/archives/desktop-devel-list/2020-June/msg00000.html
an important root CA expired yesterday, leading to a large number of certificate verification failures in applications that use GnuTLS [1][2].
...
The patch we need to apply is https://gitlab.com/gnutls/gnutls/-/merge_requests/1271.patch
GnuTLS in 1.16 is currently 3.5.18. We cannot update that to 3.6.x because I already tried that and it involved too many changes. So we should backport that patch. We can also update to 3.5.19 while we're at it (won't fix this issue, but it has other security fixes).