Hardening: clean up TlsTransportPlugin and surface unverified peers#8516

Merged
rzo1 merged 1 commit into master from hardening-tls-transport-plugin on Apr 13, 2026

Conversation

@rzo1 (Contributor) commented Apr 13, 2026

Three small cleanups in TlsTransportPlugin, none of which change runtime behavior on the live path:

  • Extract "CN=ANONYMOUS" into an ANONYMOUS_PRINCIPAL_NAME constant so it can be grepped for when auditing authorizer rules.
  • Raise the SSLPeerUnverifiedException log from debug to warn. The branch is only reachable when client auth is disabled at the transport layer (nimbus/supervisor.thrift.tls.client.auth.required = false), but when it does fire it is worth seeing in production logs.
  • Remove the dead TSSLTransportParameters wiring in getServer(). The params object was built with keystore/truststore settings and requireClientAuth(true), but never passed to ReloadableTsslTransportFactory.getServerSocket — the real SSL context is built inside the factory from the ThriftConnectionType and conf. Keep the eager keystore/truststore presence checks so misconfiguration still fails fast with a clear message, and prune the now-unused TSSLTransportFactory and SecurityUtils imports.

@rzo1 rzo1 added this to the 2.8.7 milestone Apr 13, 2026
@rzo1 rzo1 merged commit 9c6e9cc into master Apr 13, 2026
16 checks passed
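Added example, not code from this PR or from the project: a Go demonstration (Go rather than the plugin's Java, since only TLS semantics are involved, and Go's standard library can mint the test certificates offline) of what the `client.auth.required = false` branch means for the fallback principal. It builds two self-signed test certificates in memory, runs a TLS handshake over loopback under both server-side client-auth policies, and resolves the principal the way the description says the plugin does: a verified client chain yields its subject DN, an unverified peer yields `CN=ANONYMOUS` with a warn-level log. `PeerPrincipal`, `Scenario`, the `nimbus`/`worker` names and the mapping of the Storm setting onto Go's `tls.ClientAuthType` are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"log"
	"math/big"
	"net"
	"time"
)

// AnonymousPrincipalName is the fallback principal the PR extracts into a constant;
// any authorizer rule that matches it admits clients that never proved an identity.
const AnonymousPrincipalName = "CN=ANONYMOUS"

// selfSigned builds an in-memory self-signed certificate for cn (constructed test
// fixture: it is its own trust anchor and carries both TLS EKUs).
func selfSigned(cn string) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, IsCA: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	leaf, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf
}

// PeerPrincipal mirrors the plugin's fallback (assumed shape): a verified client chain yields
// its subject DN; no chain (reachable only when client auth is optional) yields the anonymous principal.
func PeerPrincipal(cs tls.ConnectionState) (principal string, verified bool) {
	if len(cs.VerifiedChains) == 0 || len(cs.VerifiedChains[0]) == 0 {
		log.Printf("WARN: peer presented no verifiable certificate, using %s", AnonymousPrincipalName)
		return AnonymousPrincipalName, false
	}
	return cs.VerifiedChains[0][0].Subject.String(), true
}

// Scenario runs one handshake over loopback TCP under the given server-side client-auth
// policy and returns the principal the server resolves, or the error when it refuses the client.
func Scenario(policy tls.ClientAuthType, clientPresentsCert bool) (string, error) {
	serverCert, serverLeaf := selfSigned("nimbus")
	clientCert, clientLeaf := selfSigned("worker")
	roots, clientCAs := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(serverLeaf)
	clientCAs.AddCert(clientLeaf)
	serverCfg := &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientCAs: clientCAs, ClientAuth: policy}
	clientCfg := &tls.Config{RootCAs: roots, ServerName: "nimbus"}
	if clientPresentsCert { clientCfg.Certificates = []tls.Certificate{clientCert} }
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { return "", err }
	defer ln.Close()
	var state tls.ConnectionState // written by the server goroutine before it signals done
	done := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil { done <- err; return }
		defer conn.Close()
		_ = conn.SetDeadline(time.Now().Add(5 * time.Second))
		srv := tls.Server(conn, serverCfg)
		if err = srv.Handshake(); err == nil {
			state = srv.ConnectionState()
		}
		done <- err
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil { return "", err }
	defer raw.Close()
	_ = raw.SetDeadline(time.Now().Add(5 * time.Second))
	cliErr := tls.Client(raw, clientCfg).Handshake() // a TLS 1.3 client can finish before the server refuses it
	if err = <-done; err != nil {
		return "", fmt.Errorf("server refused client: %w", err)
	}
	if cliErr != nil { return "", cliErr }
	principal, _ := PeerPrincipal(state)
	return principal, nil
}

func main() {
	for _, policy := range []tls.ClientAuthType{tls.VerifyClientCertIfGiven, tls.RequireAndVerifyClientCert} {
		p, err := Scenario(policy, false) // an anonymous client against each policy
		fmt.Printf("requireClientAuth=%v principal=%q err=%v\n", policy == tls.RequireAndVerifyClientCert, p, err)
	}
}
```

With `tls.RequireAndVerifyClientCert` (the analogue of `client.auth.required = true`) an anonymous client never reaches `PeerPrincipal`: the server refuses the handshake, which is why the anonymous branch is unreachable once the transport requires client auth. With `tls.VerifyClientCertIfGiven` the same client is admitted as `CN=ANONYMOUS`, so any authorizer rule naming that principal is the thing to grep for when the setting is false.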