Easier access to invalid client certificates #6067

@sbordet

Jetty version
10.0.x

Description
During the TLS handshake, in case of needClientAuth, the client may send an invalid (e.g. expired) certificate.
The validation checks are performed by the TrustManager and if they fail there is no way to access the expired client certificate, for example in SslHandshakeListener.handshakeFailed(), as it is not exposed via SSLSession.getPeerCertificate(), etc.

The only option would be to wrap the TrustManager, but that requires subclassing SslContextFactory.Server and overriding getTrustManager(), whose signature is likely to change in light of #6054.

Would be great to have a more stable way to provide hooks into the TrustManager in a simpler way.
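A concrete form of the TrustManager wrapper mentioned above, added here as an illustration; it is not Jetty code and not part of this issue. It is a plain javax.net.ssl delegating trust manager: every client-side check is forwarded to the real X509ExtendedTrustManager, and if validation throws, the rejected chain and the exception are handed to a callback before the exception is rethrown, so the handshake still fails exactly as before but the expired (or otherwise invalid) client certificate can be logged or inspected. The class name, the `wrap` helper and the `BiConsumer` callback shape are assumptions of this example; how the wrapped array is installed into Jetty (the issue notes this currently requires subclassing SslContextFactory.Server) is deliberately left out.

```java
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509ExtendedTrustManager;
import java.net.Socket;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.function.BiConsumer;

/**
 * Delegating trust manager that reports the client chain when validation
 * fails. Added example (not Jetty's own code): the rejection is never
 * suppressed, the chain is only made visible to the caller-supplied callback.
 */
public final class RejectedClientCertTrustManager extends X509ExtendedTrustManager {
    private final X509ExtendedTrustManager delegate;
    private final BiConsumer<X509Certificate[], CertificateException> onRejected;

    public RejectedClientCertTrustManager(X509ExtendedTrustManager delegate,
            BiConsumer<X509Certificate[], CertificateException> onRejected) {
        this.delegate = delegate;
        this.onRejected = onRejected;
    }

    /** Wraps every X509ExtendedTrustManager in an array from TrustManagerFactory (helper name is hypothetical). */
    public static TrustManager[] wrap(TrustManager[] managers,
            BiConsumer<X509Certificate[], CertificateException> onRejected) {
        TrustManager[] out = new TrustManager[managers.length];
        for (int i = 0; i < managers.length; i++) {
            out[i] = managers[i] instanceof X509ExtendedTrustManager
                    ? new RejectedClientCertTrustManager((X509ExtendedTrustManager) managers[i], onRejected)
                    : managers[i];
        }
        return out;
    }

    // Client-side checks: delegate, and on failure expose the chain, then rethrow unchanged.
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        try { delegate.checkClientTrusted(chain, authType); }
        catch (CertificateException e) { report(chain, e); throw e; }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
        try { delegate.checkClientTrusted(chain, authType, socket); }
        catch (CertificateException e) { report(chain, e); throw e; }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
        try { delegate.checkClientTrusted(chain, authType, engine); }
        catch (CertificateException e) { report(chain, e); throw e; }
    }

    // Server-side checks are not the subject of the issue; pass them through untouched.
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkServerTrusted(chain, authType);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
        delegate.checkServerTrusted(chain, authType, socket);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
        delegate.checkServerTrusted(chain, authType, engine);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return delegate.getAcceptedIssuers();
    }

    // A failing callback must never mask the original validation failure.
    private void report(X509Certificate[] chain, CertificateException e) {
        try { onRejected.accept(chain, e); }
        catch (RuntimeException ignored) { /* swallow: the CertificateException is rethrown by the caller */ }
    }

    /** Sample callback: log subject and validity window so an expired client certificate can be diagnosed. */
    public static void logRejected(X509Certificate[] chain, CertificateException e) {
        if (chain == null || chain.length == 0) {
            System.err.println("client certificate rejected, empty chain: " + e.getMessage());
            return;
        }
        X509Certificate leaf = chain[0];
        System.err.printf("client certificate rejected: subject=%s notBefore=%s notAfter=%s reason=%s%n",
                leaf.getSubjectX500Principal(), leaf.getNotBefore(), leaf.getNotAfter(), e.getMessage());
    }
}
```

Usage: obtain the managers from a TrustManagerFactory as usual and pass `RejectedClientCertTrustManager.wrap(tmf.getTrustManagers(), RejectedClientCertTrustManager::logRejected)` to `SSLContext.init(...)`. Because the exception is rethrown, the TLS layer's behaviour (handshake failure, `SslHandshakeListener.handshakeFailed()`) is unchanged; only the diagnostic visibility improves.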

Metadata

Assignees: No one assigned
Type: No type
Projects: Status: 🏗 In progress
Milestone: No milestone
Relationships: None yet
Development: No branches or pull requests