crypto/tls: don't recheck peer certificate validity on resumption if InsecureSkipVerify is set #77359

@rolandshoemaker

When we resume a session we check if the first element of peerCertificates is unexpired (by checking the Certificate.NotAfter field), even if Config.InsecureSkipVerify is set. This is slightly confusing, since we do not check any property of the certificate on the initial handshake when InsecureSkipVerify is set. This creates a somewhat confusing imbalance, where we are more strict during resumption than the initial handshake.

Currently, if the cert is expired, this will just cause a full handshake, and if the server sends the same certificate again we'll just accept it, since InsecureSkipVerify is set and we don't care. Removing the check will just mean we don't needlessly force another full handshake.

It seems reasonable to remove that check so that the initial handshake and resumption behave in the same way.

cc @FiloSottile
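
A way to observe the behavior described in this issue, added here as an example (it is not code from the issue or from the Go project): a client with InsecureSkipVerify and a shared ClientSessionCache dials a loopback server twice, and the server presents an already expired certificate. The certificate, the name `expired.example`, and the helpers `must` and `resumeWithExpiredCert` are constructed for this example; the second reported value depends on whether the Go version in use still performs the NotAfter check on resumption.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // hypothetical helper: panic on setup errors
	if err != nil {
		panic(err)
	}
	return v
}

// resumeWithExpiredCert dials a local server twice with InsecureSkipVerify and one
// session cache; the constructed server cert is expired. Returns DidResume per dial.
func resumeWithExpiredCert() (resumed [2]bool) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"expired.example"},
		NotBefore: time.Now().Add(-48 * time.Hour), NotAfter: time.Now().Add(-24 * time.Hour)}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{
		{Certificate: [][]byte{der}, PrivateKey: key}}}))
	defer ln.Close()
	go func() { // server: complete the handshake, send two bytes, close
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			c.Write([]byte("ok"))
			c.Close()
		}
	}()
	cfg := &tls.Config{InsecureSkipVerify: true, ClientSessionCache: tls.NewLRUClientSessionCache(4)}
	for i := range resumed {
		conn := must(tls.Dial("tcp", ln.Addr().String(), cfg))
		io.ReadAll(conn) // read to EOF so a TLS 1.3 session ticket is processed
		resumed[i] = conn.ConnectionState().DidResume
		conn.Close()
	}
	return resumed
}

func main() {
	fmt.Println(resumeWithExpiredCert()) // first value is always false
}
```

Both dials succeed regardless of the certificate's expiry, because InsecureSkipVerify is set; only the second value, full handshake versus resumption, differs between Go versions with and without the check.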
