
Support hostname verification to allow `verify-full` SSL/TLS connections

Open hessjcg opened this issue 9 months ago • 2 comments

Feature Description

The Cloud SQL Python Connector currently only supports verify-ca as its highest level of SSL/TLS client verification.

verify-ca: verify that the server is trustworthy by checking the certificate chain up to the root certificate

We are only getting verify-ca level of security due to hostname verification currently being disabled: https://github.com/GoogleCloudPlatform/cloud-sql-python-connector/blob/53e40c7dbec8f27e2e3e6e344bf87e08cf15c3e9/google/cloud/sql/connector/connection_info.py#L60-L61

We should support verify-full as it is the highest level of security.

verify-full: will also verify that the server host name matches the name stored in the server certificate

To do so we must support hostname verification.

For Public IP and PSA Private IP connections, the server certificate's subject CN field will contain the instance name in the form "{project}:{instance}". The Python connector should validate that this is correctly set during the TLS handshake. The connector should reject the connection if the server CN is not set correctly.

Unfortunately, for PSC-enabled and CAS-based instances hostname verification is not possible. This is due to the server certificates including the DNS name as a SAN that includes a trailing dot ("."). Python's SSL does not allow trailing dots during hostname verification; it requires stripping them. This leads to hostname mismatch errors, as the SAN is expecting a trailing dot.

See also: https://github.com/GoogleCloudPlatform/cloud-sql-jdbc-socket-factory/issues/1995

hessjcg, May 23 '24 17:05
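The two identity checks the issue describes, as an added example that is not part of the issue or of the connector's own code: a verify-full style check run over the dict that `ssl.SSLSocket.getpeercert()` returns, matching the subject CN against `{project}:{instance}` for Public IP / PSA certificates and a DNS SAN against the connected host name otherwise. The peer-cert dicts, the project/instance names and the `*.sql.goog` host name are constructed for illustration; `verify_full`, `dns_name_matches` and `context_for_manual_identity_check` are hypothetical helper names, not connector API. The `strip_trailing_dot` switch makes the trailing-dot SAN mismatch from the issue visible and shows the normalization that avoids it.

```python
"""Hostname checks a connector could run over ssl.SSLSocket.getpeercert().

Added example, not the Cloud SQL Python Connector's implementation.  The
peer-cert dicts are constructed to mirror the two cases in the issue:
a Public IP / PSA certificate identified by its subject CN, and a PSC / CAS
certificate identified by a DNS SAN that ends in a trailing dot.
"""
import ssl
from typing import Any, Mapping, Optional, Sequence

# Constructed sample in the shape getpeercert() returns (subject is a
# sequence of RDNs, each a sequence of (attribute, value) pairs).
PUBLIC_IP_PEERCERT: Mapping[str, Any] = {
    "subject": ((("commonName", "my-project:my-instance"),),),
    "subjectAltName": (),
}

# Constructed sample: DNS SAN with the trailing dot described in the issue.
# The host name itself is made up for illustration.
PSC_PEERCERT: Mapping[str, Any] = {
    "subject": ((("commonName", "my-project:my-instance"),),),
    "subjectAltName": (("DNS", "abcd1234.us-central1.sql.goog."),),
}


def subject_common_name(peercert: Mapping[str, Any]) -> Optional[str]:
    """Return the subject CN from a getpeercert() dict, or None."""
    for rdn in peercert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def san_dns_names(peercert: Mapping[str, Any]) -> Sequence[str]:
    """Return all dNSName SAN entries from a getpeercert() dict."""
    return [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]


def dns_name_matches(pattern: str, hostname: str, *, strip_trailing_dot: bool) -> bool:
    """RFC 6125-style comparison: case-insensitive, label by label, with a
    wildcard allowed only as the entire leftmost label.  With
    strip_trailing_dot=False a SAN such as "host.example." never equals
    "host.example", which is the mismatch the issue describes; stripping
    the root dot on both sides before comparing is the needed normalization."""
    if strip_trailing_dot:
        pattern, hostname = pattern.rstrip("."), hostname.rstrip(".")
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*" and len(p_labels) >= 3:
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def verify_full(peercert: Mapping[str, Any], project: str, instance: str,
                hostname: str, *, strip_trailing_dot: bool = True) -> Optional[str]:
    """verify-full style identity check.  Returns None when the server
    identity is acceptable, otherwise a reason string.

    Certificates carrying DNS SANs are matched against the connected host
    name; otherwise the subject CN must equal "{project}:{instance}"."""
    sans = san_dns_names(peercert)
    if sans:
        if any(dns_name_matches(s, hostname, strip_trailing_dot=strip_trailing_dot)
               for s in sans):
            return None
        return f"hostname {hostname!r} matched none of SAN dNSNames {list(sans)!r}"
    expected = f"{project}:{instance}"
    cn = subject_common_name(peercert)
    if cn != expected:
        return f"server CN {cn!r} does not match expected {expected!r}"
    return None


def require_verify_full(peercert, project, instance, hostname, **kw) -> None:
    """Raise the same error class Python's own hostname check raises."""
    reason = verify_full(peercert, project, instance, hostname, **kw)
    if reason is not None:
        raise ssl.SSLCertVerificationError(reason)


def context_for_manual_identity_check() -> ssl.SSLContext:
    """Context mirroring the setting linked in the issue: chain verification
    stays on (verify-ca) while Python's built-in hostname check is turned
    off so the post-handshake check above can run instead."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    host = "abcd1234.us-central1.sql.goog"
    print(verify_full(PUBLIC_IP_PEERCERT, "my-project", "my-instance", "203.0.113.10"))
    print(verify_full(PSC_PEERCERT, "my-project", "my-instance", host, strip_trailing_dot=False))
    print(verify_full(PSC_PEERCERT, "my-project", "my-instance", host, strip_trailing_dot=True))
```

Run stand-alone, the first and third calls return None (identity accepted) while the second returns a mismatch reason, because the SAN `abcd1234.us-central1.sql.goog.` splits into one more label than the host name until the root dot is stripped on both sides.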