Add TLS client authentication and server verification using custom CA

Review Request #11047 — Created June 18, 2020 and submitted — Latest diff uploaded




This patch adds two new TLS-related features.

  1. Allow the client to provide a certificate for TLS client authentication.
    Previously, connecting to a server which requires clients to authenticate using
    a TLS certificate was difficult and required using external tools such as stunnel.
    Requiring client authentication adds security, because it prevents unauthorized users
    without a certificate to even connect to the reviewboard instance. Furthermore,
    it optionally allows for using the CN as the user's identity.
    After this change, the user can specify a client certificate (and key) to present
    to the server at the time of connection.

  2. Allow the client to validate server certificates signed from custom CAs.
    Previously, the user had to disable verification of the server certificate
    when connecting to a server using a certificate signed by a custom CA.
    After this change, the user can provide additional CAs that can be used to perform
    server certificate validation, without disabling verification and thus providing a
    more secure connection.

Minor testing using a private server signed with custom CA and requiring client certificate.