librelp
TLS: Validate solely against caCert if permittedPeers is empty
Hi,
The option to validate the TLS peer solely based on an X.509 certificate chain (caCert) is not supported in librelp.
The current logic is:
- Verify the peer certificate against the configured caCert (gnutls_certificate_verify_peers2 does it) and
- Verify the peer certificate against the configured permittedPeer
I propose the logic to be:
- Verify the peer certificate against the configured caCert (gnutls_certificate_verify_peers2 does it) and if caCert unset or permittedPeer > 0, then
- Verify the peer certificate against the configured permittedPeer
This logic should not break backwards compatibility, since it has not been supported to have the permittedPeer option unset so far (or well, it would always have led to failed peer verification).
Main change would go around here: https://github.com/rsyslog/librelp/blob/63eebbb088f8b49ac6ffb210240ade6920bf1b1c/src/tcp.c#L1190
I can work on a pull request if you agree on the changes in general.
Thanks,
Mathias
Hi again,
Browsed the code some more. I see now that you never intended to use caCert as a trust chain for the peer, only as the CA bundle containing the trust chain for the local instance.
Yet my feature request remains. Implementation-wise it should be a new configuration parameter for TLS, instead of assuming caCert is also the trust chain for the peer.
Let me know what you think,
Mathias
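To make the two policies discussed in this thread concrete, here is an added C model of the peer-acceptance decision (example code written for this page, not librelp's own tcp.c, and not a patch). It compares the current rule (chain check plus a mandatory permittedPeer match) against the revised proposal from the second message (a dedicated option that lets the chain check stand alone when no permittedPeer is configured). The struct name, the `peer_trust_chain` option, the helper names and the peer names are assumptions for illustration; `chain_ok` stands in for the result of `gnutls_certificate_verify_peers2`, and the wildcard matcher is a deliberately minimal stand-in, not librelp's.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the TLS peer policy. Field and function names are
 * assumptions made for this example; they are not librelp's real API. */
typedef struct {
    bool ca_cert_set;          /* caCert configured on this instance */
    bool peer_trust_chain;     /* hypothetical new option: accept a peer on the
                                  strength of the CA chain alone */
    const char *permitted[4];  /* permittedPeer entries, NULL-terminated */
} tls_policy_t;

/* Minimal wildcard match: a leading "*." matches exactly one left-most label. */
static bool name_matches(const char *pattern, const char *name) {
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(name, '.');
        return dot != NULL && strcmp(dot + 1, pattern + 2) == 0;
    }
    return strcmp(pattern, name) == 0;
}

static size_t permitted_count(const tls_policy_t *p) {
    size_t n = 0;
    while (p->permitted[n] != NULL) n++;
    return n;
}

static bool permitted_match(const tls_policy_t *p, const char *peer_name) {
    for (size_t i = 0; p->permitted[i] != NULL; i++)
        if (name_matches(p->permitted[i], peer_name)) return true;
    return false;
}

/* Current behaviour as described in the issue: both stages are mandatory, so
 * an empty permittedPeer list can never yield an accepted peer. */
bool accept_current(const tls_policy_t *p, bool chain_ok, const char *peer_name) {
    if (!chain_ok) return false;
    return permitted_match(p, peer_name);
}

/* Revised proposal: the chain check stands alone only when the dedicated
 * option is set, a CA is configured, and no permittedPeer is listed. A
 * non-empty list is still enforced even with the option on. */
bool accept_proposed(const tls_policy_t *p, bool chain_ok, const char *peer_name) {
    if (!chain_ok) return false;
    if (permitted_count(p) == 0 && p->ca_cert_set && p->peer_trust_chain)
        return true;
    return permitted_match(p, peer_name);
}

/* Constructed scenarios: caCert set, new option on, no permittedPeer. */
bool scenario_chain_only(bool proposed) {
    tls_policy_t p = { true, true, { NULL } };
    return proposed ? accept_proposed(&p, true, "relay1.example.com")
                    : accept_current(&p, true, "relay1.example.com");
}

/* Same policy, but the chain did not verify: both rules must reject. */
bool scenario_bad_chain(bool proposed) {
    tls_policy_t p = { true, true, { NULL } };
    return proposed ? accept_proposed(&p, false, "relay1.example.com")
                    : accept_current(&p, false, "relay1.example.com");
}

/* A wildcard permittedPeer is configured and matches: both rules accept. */
bool scenario_wildcard(bool proposed) {
    tls_policy_t p = { true, true, { "*.example.com", NULL } };
    return proposed ? accept_proposed(&p, true, "relay1.example.com")
                    : accept_current(&p, true, "relay1.example.com");
}

/* A permittedPeer list exists but the peer name is not on it: both reject,
 * showing the new option does not bypass a configured list. */
bool scenario_wrong_name(bool proposed) {
    tls_policy_t p = { true, true, { "*.example.com", NULL } };
    return proposed ? accept_proposed(&p, true, "other.test")
                    : accept_current(&p, true, "other.test");
}

int main(void) {
    printf("scenario        current proposed\n");
    printf("chain only      %d       %d\n", scenario_chain_only(false), scenario_chain_only(true));
    printf("bad chain       %d       %d\n", scenario_bad_chain(false), scenario_bad_chain(true));
    printf("wildcard match  %d       %d\n", scenario_wildcard(false), scenario_wildcard(true));
    printf("wrong name      %d       %d\n", scenario_wrong_name(false), scenario_wrong_name(true));
    return 0;
}
```

The only row where the two policies differ is "chain only": today that configuration can never accept a peer, which is the gap the feature request describes. The other rows show what should stay unchanged under the proposal: a failed chain verification always rejects, and once any permittedPeer is configured it is still enforced.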