Currently we have options.client_certs as a per-site config
to enable mTLS. However, when mitmproxy is working as
a reverse proxy for a single server, there is no way for us
to generate client certificates for each client.

This is a very common scenario in kubernetes clusters.
The kube-apiserver is a REST server wtih RBAC enabled,
where mTLS is used to indicate the user/client.

Now mitmproxy have addons/tlsconfig.py, which is a
good start point. But client cert logic are embedded inside,
other addons cannot override them. This commit adds
make_certificate_builder and use_client_cert functions
so that addons can monkey patch them.

This commit introduces a new option tls_request_client_cert
as well to accept original client certificate.