gnutls: fix an upstream regression in RSA certificates

The update to 3.8.5 involved adding a feature to conditionally
disable RSAES-PKCS1-v1.5 [1]. It was intended to be turned on
by default [2], but failed [3].
Therefore it is disabled, which in turn throws a new error:
"Fatal error: The encryption algorithm is not supported" (error 113).

This can have severe implications, as for example Let's Encrypt
signed RSA certificates aren't trusted anymore.

This commit fetches the upstream patch, which hasn't been included
in 3.8.5.

[1]: https://gitlab.com/gnutls/gnutls/-/merge_requests/1828
[2]: https://gitlab.com/gnutls/gnutls/-/merge_requests/1828/diffs#cd5a2ba3b145c1bd292e027ef84c618b6b7fb895_267_274
[3]: https://gitlab.com/gnutls/gnutls/-/issues/1540

Signed-off-by: Florian Brandes <florian.brandes@posteo.de>
2024-05-14 22:03:13 +02:00
parent e0bd15ff1b
commit ff52a36f8f


@@ -85,6 +85,16 @@ stdenv.mkDerivation rec {
revert = true; revert = true;
hash = "sha256-r/+Gmwqy0Yc1LHL/PdPLXlErUBC5JxquLzCBAN3LuRM="; hash = "sha256-r/+Gmwqy0Yc1LHL/PdPLXlErUBC5JxquLzCBAN3LuRM=";
}) })
# Makes the system-wide configuration for RSAES-PKCS1-v1_5 actually apply
# and makes it enabled by default when the config file is missing
# Without this an error 113 is thrown when using some RSA certificates
# see https://gitlab.com/gnutls/gnutls/-/issues/1540
# "This is pretty sever[e], since it breaks on letsencrypt-issued RSA keys." (comment from above issue)
(fetchpatch2 {
name = "fix-rsaes-pkcs1-v1_5-system-wide-configuration.patch";
url = "https://gitlab.com/gnutls/gnutls/-/commit/2d73d945c4b1dfcf8d2328c4d23187d62ffaab2d.diff";
hash = "sha256-2aWcLff9jzJnY+XSqCIaK/zdwSLwkNlfDeMlWyRShN8=";
})
]; ];
# Skip some tests: # Skip some tests:
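Review bot: the new fetchpatch2 entry has no marker for when it can be dropped; since the commit message states the upstream fix is not part of 3.8.5, add a line next to the issue link such as `# remove on the first upstream release that contains commit 2d73d945` so the next version bump knows the patch is temporary. The comment block would also be clearer if it stated plainly that the patch turns RSAES-PKCS1-v1.5 back on by default when no system-wide config is present (which is what "makes it enabled by default when the config file is missing" amounts to), since that default carries a security meaning of its own and a reader of this file otherwise only sees "error 113" and a quoted complaint about Let's Encrypt keys.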