Since this seems specific to GnuTLS, is there a way to change Exim to use OpenSSL? Removing ca-certificates is not an option for me, and this bug is pretty serious as it essentially blocks secure connections to Exim. Maybe use of GnuTLS should be reconsidered in stable if it seems prone to bugs.