Patch GnuTLS in 1.16 branch to handle certificate chain expiration

From https://mail.gnome.org/archives/desktop-devel-list/2020-June/msg00000.html

an important root CA expired yesterday, leading to a large number of certificate verification failures in applications that use GnuTLS [1][2].

...

1. https://gitlab.com/gnutls/gnutls/-/issues/1008
2. https://bugzilla.redhat.com/show_bug.cgi?id=1842174

The patch we need to apply is https://gitlab.com/gnutls/gnutls/-/merge_requests/1271.patch

GnuTLS in 1.16 is currently 3.5.18. We cannot update that to 3.6.x because I already tried that and it involved too many changes. So we should backport that patch. We can also update to 3.5.19 while we're at it (won't fix this issue, but it has other security fixes).