Centralize all the rustls code in ext/tls

[mmastrac]

Upgrading between rustls versions is made more complicated given that all of our TLS code is spread throughout various extensions and source files.

All the rustls-facing code should be in ext/tls, and we should use some lightweight newtype wrappers to insulate ourselves from upstream changes where possible.

The end result of this work will be that rustls itself will not be visible via crate exports to any code other than in ext/tls, and all code will use factory functions to create the appropriate ClientConfig for reqwest, and TlsStreams for ext/net, ext/weboscket and our test servers.

First TLS work:

• Add RootCertStore factory functions to ext/tls -- load a root store from the mozilla roots, the system roots or a CA file. These will be constructed in RootCertStoreProviders to avoid the overhead of TLS CA construction until they are used.
• Add RootCertStore newtype to ext/tls -- an opaque struct that allows us to update rustls in the background.
• Make all rustls-* exports private from ext/tls with the exception of TlsStream and TlsStream{Read,Write} and the RootCertStore newtype
• Add TlsStream and ClientConfig factory functions to ext/tls. These must support the various options required by ext/fetch (root_cert_store, ca_certs, unsafely_ignore_certificate_errors, client_cert_chain_and_key and ALPN)

Remainder of work:

• Update file_fetcher.rs to use RootCertStore from ext/tls
• Migrate cli/args.rs to use ext/tls factory functions
• Migrate LSP's language_server.rs to use ext/tls factory functions
• Migrate cert_tests.rs to use ext/tls factory functions for certificates and TlsStream
• Migrate ext/net ops_tls.rs to ext/tls factory functions
• Migrate ext/net raw.rs to ext/tls factory functions
• Migrate ext/websocket lib.rs to ext/tls factory functions
• Make test_util and test_server depend on ext/tls
• Migrate https.rs grpc.rs and hyper_utils.rs in test_util to use ext/tls factory functions

[bartlomieju]

Not really feasible unfortunately :(