TLS: support for extracting certificate subject alt names from client certs

[elcallio]

Fixes #1628

Subject alt name info can contain more extensive and detailed info on a connecting client. Add interface to allow querying this from a connected socket.

Initially we don't include this in accept-sequence auth verification, though we maybe should include it as an option.

[avikivity]

Looks good, but please elaborate on "Initially we don't include this in accept-sequence auth verification, though we maybe should include it as an option.". What does that mean? That we should accept some predicate to apply to alt names?

[elcallio]

It means that we should maybe add it as an (optional), retrievable attribute for the void set_dn_verification_callback(dn_callback);. That is a callback that can be registered for an accepting socket, and allows user code to optionally reject connections early based on certificate content (DN info). Since SAN (alt names) are an extension of DN info, it seems logical that we should maybe allw it also to be at least queried.

I was thinking something like:

    using dn_callback = noncopyable_function<void(session_type type, sstring subject, sstring issuer)>;

    void set_dn_verification_callback(dn_callback);

...

    using dn_callback_ex = noncopyable_function<void(session_type type, sstring subject, sstring issuer, const std::vector<subject_alt_name>&)>;

    void set_dn_verification_callback_ex(dn_callback_ex, std::unordered_set<subject_alt_name_type> types = {});

to maintain compatibility.

[elcallio]

ping?

[elcallio]

ping?