Spike to identify any gaps or required enhancements to support Ambient/ztunnel in downstream.

1. ztunnel is written on rustls, which allows for integration with various crypto providers. The ztunnel README lists "ring" and "boring" as available options, so we’ll need to verify if rustls also supports OpenSSL, and if not, explore what would be required to add support for it.
2. With Waypoint proxies (which use Envoy internally), does our existing downstream proxy support all Ambient use cases, or are there any gaps?