Require peer certificate when ca_cert_file is specified in ssl_context #615

@lookuptable

Currently, when the ca_cert_file is specified without verify_subject_alt_name or verify_certificate_hash in ssl_context, the SSL connection can still be successfully established when the peer does NOT present a certificate. This behavior may not be desirable, as a peer without a valid cert and a peer with a valid cert are treated equally and both can successfully establish a connection.

We should change it such that a peer must present a verifiable cert when ca_cert_file is set. With this change, the following cases can be supported:

  • No ca_cert_file: allow any peer
  • Only set ca_cert_file: allow peers with valid certs
  • ca_cert_file and verify_certificate_hash: allow peers with valid certs of a particular hash
  • ca_cert_file and verify_subject_alt_name: allow peers with valid certs and the SAN must match
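The four cases above, modelled as a small policy check that can be run against both the reported and the proposed behaviour. This is an added example, not code from the issue or the project: `SslContext`, `Peer`, `accepts` and `audit` are hypothetical names, the peers and hash/SAN values are constructed, and SAN matching is assumed to mean "any presented SAN is in the configured list".

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SslContext:                      # the ssl_context fields named in the issue
    ca_cert_file: Optional[str] = None
    verify_certificate_hash: Optional[str] = None
    verify_subject_alt_name: tuple = ()

@dataclass(frozen=True)
class Peer:                            # constructed stand-in for a handshake result
    presented_cert: bool = False
    chain_valid: bool = False          # cert chains to the configured CA
    cert_hash: str = ""
    sans: tuple = ()

def accepts(ctx, peer, proposed):
    """True if the connection is established under the modelled policy."""
    pinned = bool(ctx.verify_certificate_hash or ctx.verify_subject_alt_name)
    if ctx.ca_cert_file is None:
        if pinned:
            raise ValueError("combination not covered by the issue")
        return True                    # no ca_cert_file: allow any peer
    if not peer.presented_cert:
        # Reported: a missing cert is fatal only when a hash/SAN check is set.
        # Proposed: a missing cert is always fatal once ca_cert_file is set.
        return not (proposed or pinned)
    if not peer.chain_valid:
        return False
    if ctx.verify_certificate_hash and peer.cert_hash != ctx.verify_certificate_hash:
        return False
    if ctx.verify_subject_alt_name and not set(peer.sans) & set(ctx.verify_subject_alt_name):
        return False
    return True

def audit(ctx, peers):
    """Names of peers admitted today that the proposed rule would reject."""
    return [name for name, p in peers.items()
            if accepts(ctx, p, proposed=False) and not accepts(ctx, p, proposed=True)]

# Constructed sample peers and placeholder values (not from the issue).
PEERS = {
    "no_cert": Peer(),
    "untrusted": Peer(True, False, "HASH_B", ("svc-b.example",)),
    "trusted": Peer(True, True, "HASH_A", ("svc-a.example",)),
}
CA_ONLY = SslContext(ca_cert_file="ca.pem")
CA_HASH = SslContext(ca_cert_file="ca.pem", verify_certificate_hash="HASH_A")
CA_SAN = SslContext(ca_cert_file="ca.pem", verify_subject_alt_name=("svc-a.example",))
```

`audit(CA_ONLY, PEERS)` lists the peers whose connections would start failing after the change, which is the set to check for before tightening a deployed configuration.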

Labels: enhancement (Feature requests. Not bugs or questions.)
