Security
   * When checking X.509 CRLs, a certificate was only considered as revoked if
     its revocationDate was in the past according to the local clock if
     available. In particular, on builds without MBEDTLS_HAVE_TIME_DATE,
     certificates were never considered as revoked. On builds with
     MBEDTLS_HAVE_TIME_DATE, an attacker able to control the local clock (for
     example, an untrusted OS attacking a secure enclave) could prevent
     revocation of certificates via CRLs. Fixed by no longer checking the
     revocationDate field, in accordance with RFC 5280. Reported by
     yuemonangong in #3340. Reported independently and fixed by
     Raoul Strackx and Jethro Beekman in #3433.