gatewayd
TLS termination
This project has the following parts:
- [x] #361
- [ ] #362
- [ ] #363
- [x] #365
- [x] #366
Now that both the client and server connections use the net/tcp stdlib (#343), they can both use the crypto/tls stdlib and also the boringcrypto library.
When an incoming connection arrives, the TLS handshake happens underneath and the code accesses the data in plaintext. The plaintext data passes through the core and plugins until it reaches the server, to which gatewayd also connects via TLS. The plugins use mTLS to talk with the core. So, this is how it works:
```mermaid
%%{init: {'theme': 'base'} }%%
sequenceDiagram
    participant Client
    participant GatewayD
    participant PostgreSQL
    note right of Client: Client optionally requests TLS
    rect rgb(250, 250, 250)
        note left of GatewayD: GatewayD terminates TLS request
        Client->>GatewayD: SSLRequest (plaintext)
        alt TLS is accepted
            GatewayD-->>Client: S (start TLS handshake)
        else TLS is rejected
            GatewayD-->>Client: N (optionally, start plaintext auth)
        end
        opt TLS handshake
            Client->>GatewayD: Client Hello
            GatewayD->>Client: Server Hello
            Client->>GatewayD: Establish secure channel over TCP
        end
    end
    rect rgb(240, 240, 240)
        note right of Client: Auth with PostgreSQL
        Client-->>PostgreSQL: Send StartupMessage over encrypted or plaintext channel
        PostgreSQL-->>Client: Authenticated
    end
```
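The client-side half of the diagram, written out in Go with only the crypto/tls stdlib, as an added example; this is not gatewayd's code and not how the project implements it. `negotiateTLS` is the gateway's side of the SSLRequest exchange: it answers `S` and wraps the accepted socket with `tls.Server`, or answers `N` and keeps the plaintext socket. It also goes one step beyond the diagram by handling a client that never sends SSLRequest and opens with a StartupMessage straight away, which the diagram marks as optional. `clientSide` plays the libpq role so the two halves can be run against each other over an in-memory pipe, and the client verifies the gateway certificate rather than skipping verification. The function names, the host name `gatewayd.test`, the self-signed certificate and the `STARTUP-MESSAGE` bytes standing in for a real StartupMessage are all constructed for this example; the SSLRequest code 80877103 is the PostgreSQL protocol constant.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/binary"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

const (
	sslRequestCode = 80877103          // PostgreSQL SSLRequest: Int32 length 8, then Int32 1234<<16 | 5679
	startupPayload = "STARTUP-MESSAGE" // constructed stand-in for the StartupMessage bytes, not a real message
)

// negotiateTLS is the gateway side of the exchange in the diagram. With a config it answers 'S'
// and wraps the socket in a TLS server (the handshake runs on the first Read); with nil it answers
// 'N' and stays plaintext. A client that skipped SSLRequest gets its 8 consumed bytes back as prefix.
func negotiateTLS(conn net.Conn, cfg *tls.Config) (c net.Conn, prefix []byte, tlsOn bool, err error) {
	hdr := make([]byte, 8)
	if _, err = io.ReadFull(conn, hdr); err != nil {
		return nil, nil, false, err
	}
	switch {
	case binary.BigEndian.Uint32(hdr[:4]) != 8 || binary.BigEndian.Uint32(hdr[4:]) != sslRequestCode:
		return conn, hdr, false, nil // already a StartupMessage: the caller must replay these bytes
	case cfg == nil:
		_, err = conn.Write([]byte{'N'}) // TLS is not offered on the client side of the gateway
		return conn, nil, false, err
	}
	_, err = conn.Write([]byte{'S'})
	return tls.Server(conn, cfg), nil, true, err
}

// clientSide mimics libpq: send SSLRequest, honour the one-byte answer, then send the payload.
func clientSide(conn net.Conn, cfg *tls.Config) (reply byte, err error) {
	req := make([]byte, 8)
	binary.BigEndian.PutUint32(req[:4], 8)
	binary.BigEndian.PutUint32(req[4:], sslRequestCode)
	if _, err = conn.Write(req); err != nil {
		return 0, err
	}
	var b [1]byte
	if _, err = io.ReadFull(conn, b[:]); err != nil {
		return 0, err
	}
	var c net.Conn = conn
	if b[0] == 'S' {
		c = tls.Client(conn, cfg) // the handshake runs on Write and fails unless the gateway's cert verifies
	}
	_, err = c.Write([]byte(startupPayload))
	return b[0], err
}

// runExchange drives both ends over an in-memory pipe and returns the S/N answer, the plaintext the
// gateway read after termination, and whether the client half of the path ended up on TLS.
func runExchange(serverCfg, clientCfg *tls.Config) (reply byte, got string, tlsOn bool, err error) {
	clientEnd, serverEnd := net.Pipe()
	defer clientEnd.Close()
	defer serverEnd.Close()
	errc := make(chan error, 1)
	go func() {
		var e error
		reply, e = clientSide(clientEnd, clientCfg)
		errc <- e
	}()
	conn, prefix, tlsOn, err := negotiateTLS(serverEnd, serverCfg)
	if err != nil {
		return 0, "", false, err
	}
	rest := make([]byte, len(startupPayload)-len(prefix))
	if _, err = io.ReadFull(conn, rest); err != nil {
		return 0, "", false, err
	}
	err = <-errc // the receive also orders the goroutine's write to reply before it is returned
	return reply, string(prefix) + string(rest), tlsOn, err
}

// selfSignedConfigs builds an ephemeral ECDSA certificate for the hypothetical name gatewayd.test and
// returns a server config plus a client config that trusts only that certificate (no InsecureSkipVerify).
func selfSignedConfigs() (*tls.Config, *tls.Config) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"gatewayd.test"},
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // re-parsing DER we just produced cannot fail
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	server := &tls.Config{
		Certificates:           []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true, // net.Pipe is synchronous: a ticket write the client never drains would stall
	}
	return server, &tls.Config{RootCAs: pool, ServerName: "gatewayd.test"}
}

func main() {
	srv, cli := selfSignedConfigs()
	for _, cfg := range []*tls.Config{srv, nil} { // first TLS accepted ('S'), then TLS rejected ('N')
		reply, got, tlsOn, err := runExchange(cfg, cli)
		fmt.Printf("reply=%c tls=%v got=%q err=%v\n", reply, tlsOn, got, err)
	}
}
```

Two points carry over to a real listener. The bytes `negotiateTLS` hands back as `prefix` are the start of a StartupMessage the client sent without asking for TLS; the gateway has to replay them into whatever parses the startup packet, otherwise the first connection from an `sslmode=disable` client breaks. And the plaintext that `runExchange` reads out of the `tls.Server` connection is exactly what the core and plugins see after termination: the TLS layer stays below the socket, and from here the gateway still has to open its own TLS connection towards PostgreSQL before the StartupMessage leaves the process.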
Client-side TLS termination is implemented in the v0.8.x milestone; the rest will be picked up later.