do not tolerate DER encoded certificates with invalid time format
GnuTLS was modified with 3.5.13 to be able to parse certificates generated by openssl which contain invalid time encoding. This was done to account for private infrastructures depending on such invalid certificates. We should reconsider this approach, especially once openssl no longer generates such certificates. This bug was set to a due date as a reminder for this re-consideration.