fix: Propagate ECH keys to the QUIC listener

[steadytao]

Touches a small follow-up to #7653.

Summary

This preserves ECH handling on the QUIC / HTTP/3 path by forwarding GetEncryptedClientHelloKeys through Caddy's shared QUIC TLS config.

#7653 fixes the HTTPS RR alpn omission but that was only part of the problem. Found in #7667, QUIC was still rebuilding a minimal TLS config with GetConfigForClient only which meant the HTTP/3 listener could not process ECH even though the normal TLS path could.

This change keeps the existing shared-config model for QUIC listeners and adds the missing ECH key callback so the QUIC path sees the same ECH-capable behaviour as the TCP TLS path.

Tests

Added a listener regression test to verify:

• shared QUIC state exposes the active config's ECH keys
• ECH key lookup follows active config changes

go test . -run TestSharedQUICStateGetEncryptedClientHelloKeys -v
go test . -run "Test(SplitNetworkAddress|JoinNetworkAddress|ParseNetworkAddress|SharedQUICStateGetEncryptedClientHelloKeys)$" -count=1

Should close #7667.

Assistance Disclosure

No AI was used.

[mholt]

Huh, thanks. Makes sense I guess!