tls: handle empty cert in checkServerIndentity

This resolves joyent/node#9272. tlsSocket.getPeerCertificate will return an empty object when the peer does not provide a certificate, but, prior to this, when the certificate is empty, checkServerIdentity would throw because the subject wasn't present on the cert. checkServerIdentity must return an error, not throw one, so this returns an error when the cert is empty instead of throwing a TypeError.