-spec validate_server(binary() | undefined, [binary()], [binary()] | undefined, binary() | undefined) ->
                         ok | {error, term()}.

Validate a server's certificate chain and identity.

Leaf is the server's end-entity certificate (DER). Intermediates are the remaining certificates sent by the peer (DER), in the leaf-to-root order they arrive on the wire. CaCerts are the trust anchors as a DER list, or undefined to use the OS trust store. ServerName is the expected identity (binary hostname or IP literal), or undefined to skip the hostname check.