Change HttpSys default client cert mode to Allow

[Tratcher]

#14839 introduced a new option to let you control how client certs are populated. It did not change the default behavior for compat reasons. In 5.0 we should change the default to Allow as to avoid a TLS renegotiation during a sync API (Connection.ClientCertificiate).

We should also change GetClientCertificateAsync to prefer the certificate in the request structure (if any) before triggering a renegotiation.

[Tratcher]

I confirmed in wireshark traces that GetClientCertificateAsync will not trigger a renegotiation if a cert was already provided at the start of a connection. In that case it should be safe to return the cert from the request structure if present. Even ClientCertificiate could do that if AllowRenegoation is enabled.

[analogrelay]

It looks like the default is already AllowRenegotiation, so is the proposal to change it to AllowCertificate?

[Tratcher]

Right, AllowCertificate. Also:

We should also change GetClientCertificateAsync to prefer the certificate in the request structure (if any) before triggering a renegotiation.