Minimal client-side support for TLS via NSS
When porting libtor-tls to NSS, we'll start with client-side support for our TLS features. This will only have to include originating connections, and only with the most recent link handshake. It won't need any key export support at all.
At this point, we can have "--enable-nss" imply "--disable-openssl", and also have it imply that ORPort cannot be set (since you can't be a Tor server with this minimal TLS support.)