Support inline TLS Certificates and Keys

[tisba]

This PR adds <cert> and <key> under <set_option name="certificate">:

<set_option name="certificate">
  <certificate>
    <cert>
      <![CDATA[
      -----BEGIN CERTIFICATE-----
      <!-- ... -->
      -----END CERTIFICATE-----
      ]]>
    </cert>
    <key>
      <![CDATA[
      -----BEGIN RSA PRIVATE KEY-----
      <!-- ... -->
      -----END RSA PRIVATE KEY-----
      ]]>
    </key>
  </certificate>
</set_option>

Previously it was only possible to provide certificates and keys via files. I need to be able to handle certificates and keys based on dynvar data (e.g. by extracting from responses or using file servers).

Notes

• only one certificate and one key is currently supported
• data has to be provided in PEM encoded format
• cert and key will be run through ts_search:subst/2 thus supporting to have dynamic configuration
• New error counter events have been added
  • error_connect_option_* if connection options are invalid (happens in certain cases where the provided certificate or key is not valid)
  • error_connect_tls_bad_certificate if the provided certificate could not be used

[tisba]

My favourite configuration format would be like this:

<set_option name="certificate">
  <cacertificate>
      <![CDATA[
      -----BEGIN CERTIFICATE-----
      <!-- ... -->
      -----END CERTIFICATE-----
      ]]>
  </cacertificate>
  <certificate>
      <![CDATA[
      -----BEGIN CERTIFICATE-----
      <!-- ... -->
      -----END CERTIFICATE-----
      ]]>
  </certificate>
  <private_key password="secret">
    <![CDATA[
      -----BEGIN RSA PRIVATE KEY-----
      <!-- ... -->
      -----END RSA PRIVATE KEY-----
    ]]>
  </private_key>
</set_option>

or, when referencing files:

<set_option name="certificate">
  <cacertificate file="/path/to/ca_cert.pem">
  <certificate file="/path/to/cert.pem">
  <private_key file="/path/to/key.pem" password="secret">
</set_option>

That would be a bigger change to how the existing <certificate> works though.

Any ideas, suggestions or opinions, @nniclausse?

[tisba]

Any preferences, @nniclausse?

[nniclausse]

The patch looks good; i don't see a good reason to change the format though. Or am i missing something ?

[tisba]

Just aesthetics. <certificate><cert>... and <certificate><key>... feels clunky and redundant...

And I just noticed that you cannot provide the CA certificate chain inline as well (I don't need that, that's probably the reason why I forgot).

[nniclausse]

maybe simply using ssl instead of certifcate could be better:
<ssl><certificate> ...<ca_certificate> <key> ... </ssl>

[tisba]

duh, okay, you're right, that makes more sense. No need to have <certificate> be used with multiple semantics at the same time!

I'll try to refactor this over the weekend...