Separate TLS config for AcraConnector and DB

[ilammy]

Currently AcraServer uses only one TLS configuration for everything. This means, in particular, that both AcraConnector and DB are expected to use the same private CA, if root certificates are not available in the system certificate store. This is not always the case, and it would be nice to allow separate TLS configurations.

This PR adds several new options:

New option	Old option	Purpose
tls_client_ca	tls_ca	path to CAfile with trusted root certificates for AcraConnector verification
tls_client_cert	tls_cert	path to server certificate presented to AcraConnectors
tls_client_key	tls_key	path to private key to the certificate above
tls_client_auth	tls_auth	TLS authentication level when accepting AcraConnector connections

New option	Old option	Purpose
tls_database_ca	tls_ca	path to CAfile with trusted root certificates for database verification
tls_database_cert	tls_cert	path to client certificate used when connecting to database
tls_database_key	tls_key	path to private key to the certificate above
tls_database_auth	tls_auth	TLS authentication level when connecting to database
tls_database_sni	tls_db_sni	server name expected when connecting to database (renamed option)

New options override old options. The old options still remains not deprecated, they might be useful as a shortcut.

This required a refactoring to split the TLS configuration, so in the future it will be possible to have more specific configuration (think, different allowed authentication modes, cryptosuites, TLS versions, etc.) which allowed to easily split the configuration.

There are no integration tests for this option currently. (Do we need them?) I have tested it manually, with recently updated certificates. The timing could not have been better...

[vixentael]

Looks inspiring

[shadinua]

Great, thanks!

Will it be too complex to add a separate configuration for tls_auth as well? This would cover most of the inconvenience with the TLS configuration.

[ilammy]

Will it be too complex to add a separate configuration for tls_auth as well?

Will do, refactoring should make have made that trivial.

[ilammy]

@shadinua, here you go. There are now new options tls_auth_client and tls_auth_database which override the basic level set by tls_auth (by default, the highest one).

For example, you might leave the default value of RequireAndVerifyClientCert for AcraConnector, but allow the database to just present any client certificate with --tls_auth_database=2. Or validate client certificates if given, but don't care about AcraConnector ones: --tls_auth=3 --tls_auth_client=0.

The common option is still there in case we'd need to add more TLS configs later, like with CA. Right now it can make more sense to configure client and database explicitly, rather than configuring this, say, for the client and for everyone else.

[ilammy]

After some discussion we have decided to split the remaining options as well. That is, it is possible to set the keys and certificates independently as well. That way we can have different AcraConnector and database TLS configurations if necessary (and there are still common options in case the configuration can be shared).

Given that, the original names for new options were suboptimal. They have been updated for better namespacing:

• tls_client_ca, tls_client_cert, tls_client_key, tls_client_auth
• tls_database_ca, tls_database_cert, tls_database_key, tls_database_auth, tls_database_sni

The tls_db_sni option has been renamed into tls_database_sni for consistency. (The old one is still accepted.)

[ilammy]

I don't quite like that tls_client_cert option specifies server certificate to be used by AcraServer (mandatory parameter), but it's consistent with the original naming idea.

[shadinua]

Thanks a lot from infrastructure team! :)

[vixentael]

Looks amazing, let's merge and use!