There is also a race window that needs to be solved between the check and the use of the file. This can be solved by reading cert+key into memory, doing the checks, and passing the buffers to gnutls.
Fixed in commit r29056.
(In reply to comment #2)
> Fixed in commit r29056.

A few fixes done in commit 29057.
Looks good, possibly even a bit too paranoid. :)
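
The approach from the first comment (open once, check, read into memory, hand the buffer to gnutls), sketched in C as an added example; it is not the code from r29056 or r29057. The helper name `load_checked` and the specific checks (regular file, owned by the current user, no group/other permission bits, 1 MiB size cap) are assumptions, since the thread does not say which checks the project performs.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open once, check the descriptor (not the path), then
 * read from that same descriptor, so the file checked is the file used.
 * Assumed policy: regular file, owned by us, no group/other access, <= 1 MiB.
 * Returns a malloc'd buffer and sets *len, or NULL on any failure. */
unsigned char *load_checked(const char *path, size_t *len)
{
    struct stat st;
    unsigned char *buf = NULL;
    size_t got = 0;
    /* O_NOFOLLOW: refuse a symlink swapped in as the final path component. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW);

    if (fd < 0)
        return NULL;
    /* fstat() inspects the inode we hold open; a later rename or replace of
     * the path cannot change what these checks and the read below refer to. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & (S_IRWXG | S_IRWXO)) ||
        st.st_size <= 0 || st.st_size > (1 << 20))
        goto fail;

    buf = malloc((size_t)st.st_size);
    if (buf == NULL)
        goto fail;
    while (got < (size_t)st.st_size) {
        ssize_t n = read(fd, buf + got, (size_t)st.st_size - got);
        if (n <= 0)              /* read error, or file shrank after fstat */
            goto fail;
        got += (size_t)n;
    }
    close(fd);
    *len = got;
    /* buf/len can now fill a gnutls_datum_t for
     * gnutls_certificate_set_x509_key_mem(); the path is never reopened. */
    return buf;

fail:
    free(buf);
    close(fd);
    return NULL;
}
```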