security/mbedtls4: Apply upstream fix for a TLS 1.2 client regression

TLS 1.2 client regression that caused valid ServerKeyExchange signatures
using rsa_pss_rsae_* to be rejected:
https://github.com/Mbed-TLS/mbedtls/issues/10668
https://github.com/Mbed-TLS/mbedtls/commit/5fc28f401666f3ab3338168f6dcee71e6b468a4e
While at it, add a DEBUG option that was useful to figure out the
problem.

PR: 294776
Sponsored by: UNIS Labs
Co-authored-by: Vladimir Druzenko <vvd@FreeBSD.org>
MFH: 2026Q2
(cherry picked from commit 12d2ebc10b688232d9e0928c180512d30d445414)