Implement self-signed TLS certificate handling for GnuTLS backend #689

Draft
Copilot wants to merge 6 commits into master from copilot/implement-self-signed-tls-certs-gnutls


Copilot AI commented Feb 8, 2026

The GnuTLS backend lacked support for self-signed certificates, forcing clients to fail on untrusted CAs. This brings it to parity with the OpenSSL backend.

Changes

  • Added cert_fingerprint_mismatch_callback: Extracts certificate subject, validity times, and SHA-256 fingerprint, then invokes the existing GetX509CertFingerprintMismatchDecision callback for user acceptance
  • Modified verify_certificate_callback: On system CA validation failure, compares remote fingerprint against expected fingerprint (if provided), otherwise delegates to user callback
  • Added rfbTLSVerifyData structure: Passes both expected fingerprint and client pointer through the GnuTLS verification chain
  • Updated HandleVeNCryptAuth: Allocates and passes verification data to callback, with proper cleanup post-handshake
  • Updated FreeX509Credential: Frees x509ExpectedFingerprint field

Usage

No API changes required. Clients using GetX509CertFingerprintMismatchDecision callback now work with GnuTLS backend:

rfbClient *client = rfbGetClient(8, 3, 4);
client->GetCredential = get_credential;
client->GetX509CertFingerprintMismatchDecision = handle_cert_decision;
rfbInitClient(client, &argc, argv);

The credential structure's x509ExpectedFingerprint field is now honored for fingerprint pinning with GnuTLS.
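
The decision order described in the comment above, as an added sketch in plain C with no GnuTLS dependency; it is not code from this pull request or from the project. All names (`decide_peer_cert`, `parse_fingerprint`, `mismatch_cb`) and the hex fingerprint format are assumptions, as is consulting the callback both when no pin is set and when the pin does not match.

```c
#include <stdint.h>
#include <stdio.h>

#define FP_LEN 32 /* SHA-256 digest size in bytes */
/* Constructed sample digest, not taken from any real certificate. */
#define SAMPLE "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"

/* Hypothetical user callback: nonzero means "trust this fingerprint". */
typedef int (*mismatch_cb)(const uint8_t fp[FP_LEN]);
int user_says_no(const uint8_t fp[FP_LEN]) { (void)fp; return 0; }
int user_says_yes(const uint8_t fp[FP_LEN]) { (void)fp; return 1; }

static int hex_val(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse "AB:CD:..." or "abcd..." into exactly FP_LEN bytes; 0 on success. */
int parse_fingerprint(const char *s, uint8_t out[FP_LEN]) {
    size_t n = 0;
    while (*s) {
        if (*s == ':') { s++; continue; }
        int hi = hex_val(s[0]);
        int lo = hi < 0 ? -1 : hex_val(s[1]);
        if (lo < 0 || n == FP_LEN) return -1; /* bad digit or too long */
        out[n++] = (uint8_t)(hi << 4 | lo);
        s += 2;
    }
    return n == FP_LEN ? 0 : -1; /* too short is also an error */
}

/* 1 = accept, 0 = reject. remote_hex stands in for the peer cert's digest. */
int decide_peer_cert(int ca_ok, const char *remote_hex, const char *pin, mismatch_cb cb) {
    uint8_t remote[FP_LEN], want[FP_LEN], diff = 0;
    if (ca_ok) return 1; /* system CA validation succeeded */
    if (parse_fingerprint(remote_hex, remote) != 0) return 0;
    if (pin && parse_fingerprint(pin, want) == 0) {
        /* no early exit, so timing does not reveal the matching prefix */
        for (size_t i = 0; i < FP_LEN; i++) diff |= (uint8_t)(remote[i] ^ want[i]);
        if (diff == 0) return 1;
    }
    /* No pin, malformed pin, or mismatch: only an explicit user "yes" accepts. */
    return cb != NULL && cb(remote);
}

int main(void) {
    printf("pinned=%d unpinned=%d\n", decide_peer_cert(0, SAMPLE, SAMPLE, NULL),
           decide_peer_cert(0, SAMPLE, NULL, NULL));
}
```

With no pin and no callback the function rejects, so an untrusted certificate is never accepted by default.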



Copilot AI and others added 5 commits February 8, 2026 21:02
Co-authored-by: bk138 <80450+bk138@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Implement handling of self-signed TLS certs for gnutls backend" to "Implement self-signed TLS certificate handling for GnuTLS backend" on Feb 8, 2026
Copilot AI requested a review from bk138 February 8, 2026 21:10