Improve handling of TLS certificate pinning

[simitt]

elastic/go-elasticsearch#358 added certificate pinning when talking to Elasticsearch. The current implementation has some limitations though:

• The certificate pinning is only applied to *http.Transport instances, excluding transports that are wrapped by some other logic, for example when wrapped by the apm go agent.
• when applied, the given DialTLS function is replaced by the go-elasticsearch agent function, only checking the TLS fingerprint (https://github.com/elastic/go-elasticsearch/blob/main/estransport/estransport.go#L157-L181).
• InsecureSkipVerify is set to true when checking the fingerprint, not considering potentially configured CA certs at this point.
• It only supports one fingerprint

[Anaethelion]

Transferring this issue to elastic/elastic-transport-go to continue the work there!

[mfelipe]

Just to add another example, is not possible to use DataDog tracer with CA certificates for the same reason explained by @simitt in the first item. I know it's been more than two years, but can you guys come back to it? I can help if necessary. Thanks!