fix(server): fix client certificate verification

In d0c4916fe9 the TLS CA certificate verification broke.

This was bisected using the following basic test:

```
./bin/etcd -f -name machine0 -data-dir machine0 -ca-file=/tmp/ca/ca.crt -cert-file=/tmp/ca/server.crt -key-file=/tmp/ca/server.key.insecure
```

And in another window doing

```
curl --key /tmp/ca/server2.key.insecure  --cert /tmp/ca/server2.crt -k -L https://127.0.0.1:4001/v2/keys/foo -XPUT -d value=bar -v
```

Before merging this PR there are a few things that need to be fixed up:

1) Tests for client certs both positive and negative
2) Refactor (or at least documentation of) the TLSConfig types
release-0.4
Brandon Philips 2014-01-31 16:56:15 -08:00
parent a542a7804b
commit 0fa6d38574
2 changed files with 8 additions and 4 deletions


@ -135,7 +135,7 @@ func main() {
var psListener net.Listener
if psConfig.Scheme == "https" {
psListener, err = server.NewTLSListener(info.RaftListenHost, info.RaftTLS.CertFile, info.RaftTLS.KeyFile)
psListener, err = server.NewTLSListener(&tlsConfig.Server, info.RaftListenHost, info.RaftTLS.CertFile, info.RaftTLS.KeyFile)
} else {
psListener, err = server.NewListener(info.RaftListenHost)
}
@ -165,7 +165,7 @@ func main() {
var sListener net.Listener
if tlsConfig.Scheme == "https" {
sListener, err = server.NewTLSListener(info.EtcdListenHost, info.EtcdTLS.CertFile, info.EtcdTLS.KeyFile)
sListener, err = server.NewTLSListener(&tlsConfig.Server, info.EtcdListenHost, info.EtcdTLS.CertFile, info.EtcdTLS.KeyFile)
} else {
sListener, err = server.NewListener(info.EtcdListenHost)
}
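Review bot: The peer listener call now passes `&tlsConfig.Server`, the same config as the client-facing listener, even though that branch is selected by `psConfig.Scheme` and loads the `info.RaftTLS` certificate and key; this makes the peer listener verify presented client certificates against whatever ClientCAs the client-facing config carries rather than a peer-specific one. If psConfig carries a Server field the way tlsConfig does, the peer call should presumably read `psListener, err = server.NewTLSListener(&psConfig.Server, info.RaftListenHost, info.RaftTLS.CertFile, info.RaftTLS.KeyFile)`. Handing both listeners one shared *tls.Config pointer also couples them: NewTLSListener assigns into the config it receives (the other file's hunk sets NextProtos on it), so whatever the second call writes is visible to the first listener, which a per-call copy would avoid. main() continues outside both hunks.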


@ -16,11 +16,15 @@ func NewListener(addr string) (net.Listener, error) {
return l, nil
}
func NewTLSListener(addr, certFile, keyFile string) (net.Listener, error) {
func NewTLSListener(config *tls.Config, addr, certFile, keyFile string) (net.Listener, error) {
if addr == "" {
addr = ":https"
}
config := &tls.Config{}
if config == nil {
config = &tls.Config{}
}
config.NextProtos = []string{"http/1.1"}
var err error