ACME: tls-alpn-01 challenge implementation

[bavshin-f5]

tls-alpn-01 challenge is supposed to be processed by a TLS-enabled listener on port 443.

There are two important details to consider:

1. A TCP load-balancer in front of NGINX may send the traffic to a different port. The stream pass directive can play a similar role. Thus, we should not make an assumption about a listener object that receives the connection, and should configure all the SSL listener objects to accept the challenge verification requests.
2. The challenge implementation requires accepting the acme-tls/1 ALPN protocol and sending a certificate with key authorization extension in response. Either requires bypassing the regular NGINX SSL callbacks. In addition, we'd want to avoid handling the challenge on a server with client authentication enabled.

And that's how we arrived to the implementation in this PR: create a new server SSL_CTX, filter the connections in the ClientHello callback and switch to the new context if necessary.

Remaining items:

• BoringSSL/AWS-LC support via SSL_CTX_set_select_certificate_cb
• Coordination with SNI: using ClientHello callback. nginx#562
• Normalize identifiers for lookup: lowercase DNS names, parse in-addr.arpa/ip6.arpa as specified in RFC8738 § 6

[github-actions]

✅ All required contributors have signed the F5 CLA for this PR. Thank you!
_{Posted by the CLA Assistant Lite bot.}

[bavshin-f5]

I have hereby read the F5 CLA and agree to its terms