Follow-up from "Draft: Resolve "XoT xfrin""
The following discussion from !4571 (merged) should be addressed:
Rebased, squashed, pushed some suggestions, including CHANGES, release note, documentation (which may not be very good, I'm not sure I have the TLS terminology correct), added setter/getter functions for a few things that were left out, and a few other bits and bobs.
isc_transport so that it can be used with the netmgr and as a parameter to isc_tlsctx_createserver(). I almost made that change already but decided to leave it for now so that it would be easier to review the changes I've already made (moving a file makes it harder to read diffs).
We urgently MUST create key and cert files so that we can test with something other than "ephemeral" in the system tests. I suspect non-ephemeral configurations may not work for DoT currently, and I'm certain they don't work for XoT.
I'm about to reveal some possibly-embarrassing ignorance about TLS: does it make sense to reference
isc_tlsctx_createclient() doesn't take any parameters, so I'm not sure what tls <anything-but-ephemeral> would even do. (I already confirmed it's basically a no-op by configuring it with "tls whatever", a configuration that uses /dev/null for both key and cert files, and it worked fine.)
So, is configuring client-side TLS parameters a thing we want to be able to do but haven't implemented yet? Or is it a thing nobody ever does, and we should revise the syntax so as not to imply it's possible?