GnuTLS: Bump minimum version to 3.3.0

Every supported distribution has at least the 3.3 branch of GnuTLS
(stable branch starting in April 2014). That branch was maintained
for bug-fixes until July 2018, so some distributions (e.g. RHEL7,
SUSE Enterprise 12) are still on it, keeping us from requiring 3.4 yet.
Also clarify a comment about when the Mac OS build of gnutls started
being compiled with pkcs11 support.
John Thacker 2020-12-21 11:27:44 -05:00 committed by AndersBroman
parent fd6c5e6a9b
commit fbd3fb3138
2 changed files with 2 additions and 6 deletions


@ -1132,7 +1132,7 @@ reset_find_package(SMI SMI_SHARE_DIR)
ws_find_package(SMI ENABLE_SMI HAVE_LIBSMI)
# Support for TLS decryption using RSA private keys.
ws_find_package(GNUTLS ENABLE_GNUTLS HAVE_LIBGNUTLS "3.2.0")
ws_find_package(GNUTLS ENABLE_GNUTLS HAVE_LIBGNUTLS "3.3.0")
# Kerberos
ws_find_package(KERBEROS ENABLE_KERBEROS HAVE_KERBEROS)
@ -1239,7 +1239,7 @@ if(GNUTLS_FOUND AND NOT GNUTLS_VERSION VERSION_LESS "3.4.0")
# 3.4.0 or greater.
#
# Check that the support is present in case GnuTLS was compiled
# --without-p11-kit as macos-setup.sh did until recently.
# --without-p11-kit as macos-setup.sh did until December 2020.
include(CheckSymbolExists)
cmake_push_check_state()
if(WIN32)


@ -186,15 +186,11 @@ get_pkcs11_token_uris(void)
continue;
}
#if GNUTLS_VERSION_NUMBER >= 0x030300
// The "Trust module" is useless for decryption, so do not return it.
// We can only check this in GnuTLS 3.3.0, older versions lack this flag
// and thus we will just return some useless keys.
if ((flags & GNUTLS_PKCS11_TOKEN_TRUSTED)) {
gnutls_free(uri);
continue;
}
#endif
tokens = g_slist_prepend(tokens, g_strdup(uri));
gnutls_free(uri);