Allow user to set the vcert client TLS renegotiation setting when accessing TPP servers

[wallrj]

BUSINESS PROBLEM

Why is it necessary to customize the client TLS renegotiation?

1. The TPP API server is served by Microsoft Windows Server and IIS.
2. IIS uses TLS-1.2 by default[1] and it uses a TLS-1.2 feature called "renegotiation" to allow client certificate settings to be configured at the folder level. e.g. https://tpp.example.com/vedauth may Require or Accept client certificates while https://tpp.example.com/vedsdk may Ignore client certificates.
3. When IIS is configured this way it behaves as follows[2]: "Server receives a connection request on port 443; it begins a handshake. The server does not ask for a client certificate. Once the handshake is completed, the client sends the actual target URL as a HTTP request in the SSL tunnel. Up to that point, the server did not know which page was targeted; it only knew, at best, the intended server name (through the Server Name Indication). Now that the server knows which page is targeted, he knows which "site" (i.e. part of the server, in IIS terminology) is to be used."
4. In this scenario, the Go HTTP client MUST be configured to renegotiate (by default it will refuse to renegotiate). We use RenegotiateOnceAsClient rather than RenegotiateFreelyAsClient because cert-manager establishes a new HTTPS connection for each API request and therefore should only ever need to renegotiate once in this scenario.

• [1] TLS protocol version support in Microsoft Windows: https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-#tls-protocol-version-support
• [2] Should I use SSL/TLS renegotiation?: https://security.stackexchange.com/a/24569

PROPOSED SOLUTION

Allow user to supply tls.RenegotiateOnceAsClient when configuring the vcert client:

https://github.com/Venafi/vcert/blob/a30535acfbeac7a1d5d1c8fe450a772d6c6faa68/config.go#L52-L66

CURRENT ALTERNATIVES

You can supply a custom http.Client where the transport has been configured with tls.RenegotiateOnceAsClient, but the disadvantage of this alternative is that you also have to recreate all the other default http.Client settings that are normally set by vcert.

• https://github.com/cert-manager/cert-manager/pull/5568