tls: release connection state on close and cache ServerConfig

Closing a TLS or TCP stream previously only shut down the socket /
sent close_notify without dropping the arena-allocated payload, so the
rustls ServerConnection (and its buffers) lingered until the arena was
garbage-collected. For a server negotiating a fresh TLS connection per
request, this caused resident memory to climb steadily. Call
drop_payload() in Stream::close for the NamedTcp and NamedTls variants
so the underlying resources are freed immediately, matching the file,
byte and pipe stream variants.

Additionally, tls_accept_client rebuilt a ServerConfig on every
connection, re-parsing the certificate chain and private key each time.
Cache the most recently built config keyed by the raw cert/key bytes
and reuse it, avoiding the repeated parse and allocation.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
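The single-entry cache the commit message describes, as an added example that is not the project's code: `ConfigCache`, `get_or_build` and the `build` closure are hypothetical names, and the generic `T` stands in for the parsed rustls `ServerConfig`. It also shows two properties worth checking in review: a rotated cert or key misses the cache, and a failed parse does not evict the last good entry.

```rust
use std::sync::{Arc, Mutex};

// Hypothetical names throughout; T stands in for the parsed server config.
// The entry keeps the exact input bytes so a rotated cert or key is a miss.
struct Entry<T> {
    cert: Vec<u8>,
    key: Vec<u8>, // note: a copy of the private key bytes stays resident here
    config: Arc<T>,
}

pub struct ConfigCache<T> {
    slot: Mutex<Option<Entry<T>>>,
}

impl<T> ConfigCache<T> {
    pub fn new() -> Self {
        ConfigCache { slot: Mutex::new(None) }
    }

    // Return the cached config when cert and key match byte for byte;
    // otherwise run `build` (the expensive parse) and replace the slot.
    // A failed build returns early and leaves the previous entry in place.
    pub fn get_or_build<E>(
        &self,
        cert: &[u8],
        key: &[u8],
        build: impl FnOnce(&[u8], &[u8]) -> Result<T, E>,
    ) -> Result<Arc<T>, E> {
        let mut slot = self.slot.lock().unwrap();
        if let Some(e) = slot.as_ref() {
            if e.cert.as_slice() == cert && e.key.as_slice() == key {
                return Ok(Arc::clone(&e.config));
            }
        }
        let config = Arc::new(build(cert, key)?);
        *slot = Some(Entry { cert: cert.to_vec(), key: key.to_vec(), config: Arc::clone(&config) });
        Ok(config)
    }
}

fn main() {
    let cache = ConfigCache::new();
    // Constructed inputs; the closure stands in for the real cert/key parse.
    let parse = |c: &[u8], k: &[u8]| Ok::<usize, String>(c.len() + k.len());
    let a = cache.get_or_build(b"cert", b"key", parse).unwrap();
    let b = cache.get_or_build(b"cert", b"key", parse).unwrap();
    println!("second call reused the cached config: {}", Arc::ptr_eq(&a, &b));
}
```

Because each connection holds its own `Arc`, replacing the slot after a rotation does not disturb connections already using the older config.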