Add go 1.19

[MathieuBordere]

This PR introduces:

• Update SimpleTLSConfig: The current config doesn't seem to be compatible with go 1.19.6 making connections fail with write handshake: local error: tls: bad record MAC see e.g. here, don't know root cause yet and it's probably not a good idea to wait for a new go release if it would indeed be a bug in go (which it is probably not).
  The config in this PR fixes the issue. Anyone has an opinion on the proposed config in this PR?
• Run CI on Ubuntu 22.04.
• Disable running CI on Ubuntu 18.04
• Add go versions until 1.19 to CI.
• Fix some issues when upgrading to go 1.19.x
  • removing deadcode, overalls
  • used buffered channel for os.Signal
  • make sure there's only 1 Output comment at end of function

edit: Just removing the curve preferences from the config seems to also fix the issue, this is probably a safer bet than also forcing TLS 1.3

[MathieuBordere]

@tomponline @cole-miller Mostly just asking feedback on the updated SimpleTLSConfig, will do more research myself on possible consequences, but your input is very welcome.

[MathieuBordere]

My worry is a bit that current users could use certificates that are incompatible with TLS 1.3

I could do a sanity check on the provided cert and certpool, like setup a server and client with the provided config and see if I can setup a connection. If not, revert to TLS 1.2 or err out.

[tomponline]

CC @simondeziel may have a comment on this .

[tomponline]

Why 32 out of interest?

[MathieuBordere]

It can probably be a lot smaller, just took a large enough value. I don't think the overhead is significant as it's only in used in the demo and benchmark commands.

[tomponline]

Its fine, just I always wonder about "magic numbers" :)

[tomponline]

My worry is a bit that current users could use certificates that are incompatible with TLS 1.3

I could do a sanity check on the provided cert and certpool, like setup a server and client with the provided config and see if I can setup a connection. If not, revert to TLS 1.2 or err out.

I think I would be leaning towards removing as many of the explicitly set options as possible and relying on the defaults from Go as they change from version to version (thinking MinVersion, MaxVersion, CurvePreferences, PreferServerCipherSuites (deprecated), CipherSuites).

And then make that clear in the comment, and if a user needs specific config then they can create a custom config.

[simondeziel]

I quite like the simplification for the TLS server and client.

LXD 5.0+ requires TLS 1.3 unless LXD_INSECURE_TLS is set and that applies to both the server and the client.

[MathieuBordere]

@freeekanayaka maybe you have an opinion on the TLS configs?

[cole-miller]

I am very far from being a TLS guru, but I agree with @tomponline that removing explicitly set options (especially very technical stuff like preferred elliptic curves) from the config is a good idea, since we can trust the Go folks to pick solid defaults.

[freeekanayaka]

Why was this change needed? Has format of testable examples changed in Go 1.19? I would be very surprised.

[MathieuBordere]

go 1.19 only allows a single Output comment block and there is already one at the end of the function see e.g. this test run.

# github.com/canonical/go-dqlite/app_test
Error: app/example_test.go:31:2: there can only be one output comment block per example
Error: app/example_test.go:95:2: output comment block must be the last comment block

[freeekanayaka]

Looks good to me. Those settings were the "recommended" ones in terms of tightening TLS parameters, but it seems reasonable to just use Go's defaults, which might be a bit more permissive, but clearly good enough.