Number of suggested ciphersuites when 0-RTT is enabled

[hanno-becker]

If MBEDTLS_ZERO_RTT is enabled, the client only sends a single ciphersuite at the moment, which has two potential issues:

1. As far as I understand, this isn't prescribed by the spec, is it? For servers not supporting 0-RTT / PSKs, it would still be beneficial to offer a range of ciphersuites to increase the chances that a full handshake can be performred.
2. Currently, the code is solely compile-time guarded by MBEDTLS_ZERO_RTT, and not by the runtime configuration indicating if the client actually aims to use 0-RTT.