On rehandshake, automatically check whether the peer's certificate has changed
Several TLS attacks (such as the unsafe-renegotiation-based ones) depend on servers or clients not checking the peer's certificate on a rehandshake. As a rehandshake when a certificate has already been presented is only used for rekeying, it would be natural for GnuTLS to check the peer's certificate and ensure it remained the same.
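A sketch of the requested check as an application could do it today (an added example, not GnuTLS code): keep a private copy of the first certificate the peer presents and require identical bytes after every later handshake. `der_blob`, `peer_pin`, `peer_pin_check` and `rehandshake_verdict` are hypothetical names; in a real program the DER bytes would come from `gnutls_certificate_get_peers()`.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for gnutls_datum_t: raw DER bytes plus length. */
typedef struct { const unsigned char *data; size_t size; } der_blob;
/* Private copy of the first certificate the peer presented. */
typedef struct { unsigned char *der; size_t size; int seen; } peer_pin;
enum { PIN_OK = 0, PIN_CHANGED = -1, PIN_NOMEM = -2 };

/* Call after every completed handshake; cert is NULL if the peer sent none. */
int peer_pin_check(peer_pin *pin, const der_blob *cert)
{
    int absent = (cert == NULL || cert->size == 0);
    if (!pin->seen) {
        if (absent) return PIN_OK;      /* nothing presented yet, nothing to pin */
        pin->der = malloc(cert->size);
        if (pin->der == NULL) return PIN_NOMEM;
        memcpy(pin->der, cert->data, cert->size);
        pin->size = cert->size; pin->seen = 1;
        return PIN_OK;
    }
    /* A certificate was already presented, so this handshake is a rekey:
       the peer must show exactly the same bytes again. */
    if (absent || cert->size != pin->size ||
        memcmp(pin->der, cert->data, pin->size) != 0)
        return PIN_CHANGED;
    return PIN_OK;
}

void peer_pin_clear(peer_pin *pin)
{
    free(pin->der);
    pin->der = NULL; pin->size = 0; pin->seen = 0;
}

/* Constructed sample bytes, not real certificates. */
static const unsigned char CERT_A[] = { 0x30, 0x03, 0x02, 0x01, 0x01 };
static const unsigned char CERT_B[] = { 0x30, 0x03, 0x02, 0x01, 0x02 };
static const der_blob A = { CERT_A, sizeof CERT_A }, B = { CERT_B, sizeof CERT_B };

/* First handshake with `first`, rehandshake with `second`; returns the verdict. */
int rehandshake_verdict(const der_blob *first, const der_blob *second)
{
    peer_pin pin = { NULL, 0, 0 };
    int rc = peer_pin_check(&pin, first);
    if (rc == PIN_OK) rc = peer_pin_check(&pin, second);
    peer_pin_clear(&pin);
    return rc;
}
int main(void) { return rehandshake_verdict(&A, &B) == PIN_CHANGED ? 0 : 1; }
```

A `PIN_CHANGED` result should terminate the session rather than continue with the new identity.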