Story
Resolution: Done-Errata
Major

This PR introduces the ability to configure a policy for handling expired or not-yet-valid certificates presented during TLS handshakes (anywhere in the certificate chain).
Previously, the trust store could not be configured to reject or warn about such certificates. While surprising, this behavior aligns with RFC 3280 and related specifications.
With this change, users can now define the desired behavior using the following options:
- IGNORE – Matches the previous behavior, allowing expired or not-yet-valid certificates without warning.
- WARN – Logs a warning message when such certificates are detected in the chain (new default).
- REJECT – Rejects the handshake entirely if an expired or not-yet-valid certificate is encountered.
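
The three policies above, sketched as a wrapper around an existing `X509TrustManager`. This is an added example, not code from the PR or from Quarkus; the class name `ValidityPolicyTrustManager`, the `Policy` enum and the logger name are hypothetical, and only standard JDK APIs are used.

```java
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.logging.Logger;
import javax.net.ssl.X509TrustManager;

// Hypothetical illustration: names below are assumptions, not Quarkus APIs.
public final class ValidityPolicyTrustManager implements X509TrustManager {
    public enum Policy { IGNORE, WARN, REJECT }

    private static final Logger LOG = Logger.getLogger("tls.validity");
    private final X509TrustManager delegate;
    private final Policy policy;

    public ValidityPolicyTrustManager(X509TrustManager delegate, Policy policy) {
        this.delegate = delegate;
        this.policy = policy;
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkServerTrusted(chain, authType); // normal trust decision first
        enforce(chain);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkClientTrusted(chain, authType);
        enforce(chain);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }

    // Inspects every certificate in the presented chain, not only the leaf.
    void enforce(X509Certificate[] chain) throws CertificateException {
        if (policy == Policy.IGNORE) return; // previous behavior: no check, no log
        Date now = new Date();
        for (X509Certificate cert : chain) {
            try {
                cert.checkValidity(now);
            } catch (CertificateExpiredException | CertificateNotYetValidException e) {
                String msg = "Certificate outside its validity period: "
                        + cert.getSubjectX500Principal().getName() + " (" + e.getMessage() + ")";
                if (policy == Policy.REJECT) throw new CertificateException(msg, e); // aborts the handshake
                LOG.warning(msg); // WARN: handshake proceeds, operators get a signal
            }
        }
    }
}
```

Under WARN the handshake still succeeds, so the warning is only useful if the `tls.validity` log category (or its real equivalent) is collected and alerted on.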

Links to: RHSA-2025:8258, Red Hat build of Quarkus 3.20.1 release