Description
The mbedtls module provides an undocumented getpeercert method. I'd like to remove it and replace it with a callback passed into wrap_socket. Since it's undocumented, there should be no harm, right? :-) :-)
Why would I want to do this? Well, https://tls.mbed.org/kb/how-to/reduce-mbedtls-memory-and-storage-footprint says:
By default, Mbed TLS saves a copy of the peer certificate for the lifetime of an SSL session and makes it available through the public API mbedtls_ssl_get_peer_cert(). If the application does not need to inspect the peer certificate, disabling the compile-time option MBEDTLS_SSL_KEEP_PEER_CERTIFICATE saves RAM as the SSL module will not keep a copy of the peer certificate after the handshake. The API mbedtls_ssl_get_peer_cert() to obtain the peer certificate is still present, but always returns NULL.
I just took a random sample: the peer cert for micropython.org is 1363 bytes long. I only created the socket, connected, and wrapped it and at some point there were only 4.7KB free in the esp-idf heaps... So those 1363 bytes do count IMHO.
Why do I want to add a callback? That doc further says:
If you need to inspect the peer certificate during or immediately after the handshake, you may still disable MBEDTLS_SSL_KEEP_PEER_CERTIFICATE and inspect the certificate through a verification callback instead. A verification callback is a function called during the verification of the peer certificate chain and can be registered via mbedtls_ssl_conf_verify().
I'm happy to submit a PR for this. Thoughts on how to navigate the deprecation of the getpeercert method?
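
One way the proposed callback could be used from Python, added here as an example that is not MicroPython's code or the issue author's: the `(der, depth)` callback signature and the `simulate_handshake` driver are assumptions standing in for a `wrap_socket` callback that does not exist yet, and the certificate bytes are constructed placeholders. It keeps a 32-byte SHA-256 digest of the peer certificate instead of the certificate itself and can reject a leaf that is not pinned.

```python
import hashlib


class LeafFingerprint:
    """Verify-callback state: keeps a 32-byte digest, not the whole certificate."""

    def __init__(self, pins=()):
        self.pins = set(pins)   # allowed SHA-256 digests of the leaf DER; empty = record only
        self.digest = None      # set when the peer certificate (depth 0) is seen
        self.chain_len = 0      # number of certificates the callback was shown

    def __call__(self, der, depth):
        # Hypothetical signature: DER bytes of one chain certificate plus its depth.
        # Mbed TLS invokes its verify callback once per certificate, trust anchor
        # first and peer certificate (depth 0) last.
        self.chain_len += 1
        if depth != 0:
            return True         # nothing is kept from intermediates or the root
        self.digest = hashlib.sha256(der).digest()
        # `der` is not stored, so the TLS stack can free it after the handshake.
        return not self.pins or self.digest in self.pins


def simulate_handshake(chain, callback):
    """Stand-in for the TLS stack: feed the chain root-first, stop on rejection."""
    for depth in range(len(chain) - 1, -1, -1):
        if not callback(chain[depth], depth):
            return False
    return True


# Constructed sample data: placeholder byte strings, not real certificates.
# The leaf is sized like the 1363-byte certificate mentioned in the issue.
LEAF = b"\x30\x82\x05\x4f" + b"L" * 1359
INTERMEDIATE = b"\x30\x82\x04\x00" + b"I" * 1024
ROOT = b"\x30\x82\x03\x00" + b"R" * 768
CHAIN = [LEAF, INTERMEDIATE, ROOT]  # list index equals chain depth

if __name__ == "__main__":
    record = LeafFingerprint()
    print("accepted:", simulate_handshake(CHAIN, record))
    print("kept bytes:", len(record.digest), "of", len(LEAF))
    wrong_pin = LeafFingerprint(pins=[hashlib.sha256(b"other").digest()])
    print("accepted with wrong pin:", simulate_handshake(CHAIN, wrong_pin))
```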