+}
+
+
+#if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
+/* Invalidate the creds cached, by dropping the current ones.
+Call when we notice one of the source files has changed. */
+
+static void
+tls_server_creds_invalidate(void)
+{
+if (state_server.lib_state.pri_cache)
+ gnutls_priority_deinit(state_server.lib_state.pri_cache);
+state_server.lib_state.pri_cache = NULL;
+
+if (state_server.lib_state.x509_cred)
+ gnutls_certificate_free_credentials(state_server.lib_state.x509_cred);
+state_server.lib_state = null_tls_preload;
+}
+
+
+static void
+tls_client_creds_invalidate(transport_instance * t)
+{
+smtp_transport_options_block * ob = t->drinst.options_block;
+if (ob->tls_preload.x509_cred)
+ gnutls_certificate_free_credentials(ob->tls_preload.x509_cred);
+ob->tls_preload = null_tls_preload;
+}
+#endif
+
+
+/*************************************************
+* Variables re-expanded post-SNI *
+*************************************************/
+
+/* Called from both server and client code, via tls_init(), and also from
+the SNI callback after receiving an SNI, if tls_certificate includes "tls_sni".
+
+We can tell the two apart by state->received_sni being non-NULL in callback.
+
+The callback should not call us unless state->trigger_sni_changes is true,
+which we are responsible for setting on the first pass through.
+
+Arguments:
+ state exim_gnutls_state_st *
+ errstr error string pointer
+
+Returns: OK/DEFER/FAIL
+*/
+
+static int
+tls_expand_session_files(exim_gnutls_state_st * state, uschar ** errstr)
+{
+int rc;
+const host_item *host = state->host; /* macro should be reconsidered? */
+const uschar *saved_tls_certificate = NULL;
+const uschar *saved_tls_privatekey = NULL;
+const uschar *saved_tls_verify_certificates = NULL;
+const uschar *saved_tls_crl = NULL;
+int cert_count;
+
+/* We check for tls_sni *before* expansion. */
+if (!host) /* server */
+ if (!state->received_sni)
+ {
+ if ( state->tls_certificate
+ && ( Ustrstr(state->tls_certificate, US"tls_sni")
+ || Ustrstr(state->tls_certificate, US"tls_in_sni")
+ || Ustrstr(state->tls_certificate, US"tls_out_sni")
+ ) )
+ {
+ DEBUG(D_tls) debug_printf("We will re-expand TLS session files if we receive SNI\n");
+ state->trigger_sni_changes = TRUE;
+ }
+ }
+ else /* SNI callback case */
+ {
+ /* useful for debugging */
+ saved_tls_certificate = state->exp_tls_certificate;
+ saved_tls_privatekey = state->exp_tls_privatekey;
+ saved_tls_verify_certificates = state->exp_tls_verify_certificates;
+ saved_tls_crl = state->exp_tls_crl;
+ }
+
+if (!state->lib_state.x509_cred)