Is your feature request related to a problem? Please describe.
When using publicly signed client certificates, we need some way to limit the keys that we trust (otherwise any publicly signed cert would work). This is generally achieved by specifying a set of SHA(1|256) fingerprints to trust (e.g. https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-guide/56#tls-options-trusted-keys ).
Describe the solution you'd like
I'd like to introduce a new option into configtls, TrustedKeys []string, which would introduce a VerifyPeerCertificate callback to the TLS config that rejects the TLS connection if the key hash is not in the list of trusted keys.
Describe alternatives you've considered
We could use privately signed certs, but publicly signed client certs are a relatively common occurrence.
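The callback the issue asks for, written out as an added Go example (not code from the issue or from configtls). It assumes the "key hash" is a SHA-256 fingerprint over the leaf certificate's SubjectPublicKeyInfo, accepts fingerprints with or without colons, and includes a throwaway self-signed certificate so it can be run offline.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
)
// keyFingerprint: hex SHA-256 over the DER SubjectPublicKeyInfo (an assumed choice: pinning the key, not the certificate, survives renewal).
func keyFingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}
// newTrustedKeysVerifier returns a callback for tls.Config.VerifyPeerCertificate. crypto/tls
// runs it after normal chain validation, so it adds a key pin on top rather than replacing it.
func newTrustedKeysVerifier(trustedKeys []string) func([][]byte, [][]*x509.Certificate) error {
	allowed := make(map[string]bool, len(trustedKeys))
	for _, k := range trustedKeys { // accept "AA:BB:..." or bare hex, in either case
		allowed[strings.ToLower(strings.ReplaceAll(k, ":", ""))] = true
	}
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("tls: peer presented no certificate")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0]) // rawCerts[0] is the peer's leaf
		if err != nil {
			return fmt.Errorf("tls: parsing peer certificate: %w", err)
		}
		if fp := keyFingerprint(leaf); !allowed[fp] {
			return fmt.Errorf("tls: peer key %s is not in the trusted keys list", fp)
		}
		return nil
	}
}
// selfSignedCert builds a throwaway certificate (constructed input) so the verifier can be exercised offline.
func selfSignedCert() (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

To wire it in, set `VerifyPeerCertificate: newTrustedKeysVerifier(cfg.TrustedKeys)` on the tls.Config while keeping ClientAuth at RequireAndVerifyClientCert, so the public-CA chain check still runs first.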