
Modernize SSL Support

Open joernott opened this issue 5 years ago • 1 comment

As a sysadmin, I am trying to set up my environments as securely as possible. csync2 uses SSL, which is already a good start; however, the current implementation does not allow for a few features I would like to set to meet our security standards. I would like to:

  • have the documentation updated to use keys longer than 1024 bits (it works with 4096).
  • be able to configure the file names of the certificate and key in the configuration file
  • check key file and ssl key permissions on application start (e.g. mode 0600, owned by the user running it, or mode 0640, owned by root and readable by a group containing the user running the application if != root)
  • use passwords on the ssl key
  • restrict the protocol to TLSv1.2 or higher
  • restrict the allowed ciphers
  • use a certificate tied to the actual host name instead of sharing the self-signed certificate across hosts
  • validate the CA key chain (I can use a certificate signed by a CA instead of self-signed certs, but as the CA certificate is not checked, this is quite irrelevant)
  • use perfect forward secrecy

joernott avatar Jul 20 '20 13:07 joernott

The error "There was a non-CA certificate in the trusted list:" after debugging the whole thing made me facepalm since that means that csync2 builds a blind trust by itself and simply cannot integrate with an existing PKI...

zapotah avatar Nov 09 '21 23:11 zapotah