This repository was archived by the owner on Apr 19, 2021. It is now read-only.

Extend to request EC or RSA certificates  #8

@dilyanpalauzov

Description

For a service several TLSA records can be published (3 1 1, 3 0 1, 3 0 2) at the same time. During rollover the number of TLSA records doubles, and only half of them are valid. For a TLS connection the server can possess more than one certificate (RSA and EC).

Please extend check_dane, so that it can, depending on how it is invoked,

  • verify that there is a valid “TLSA 3 1 1” record for a service, when the EC certificate is requested,
  • verify that there is a valid “TLSA 3 1 1” record for a service, when the RSA certificate is requested,
  • verify that there is a valid “TLSA 3 0 1” record for a service, that uses the EC certificate
  • verify that there is a valid “TLSA 3 0 1” record for a service, that uses the RSA certificate
  • verify that there is a valid “TLSA 3 0 2” record for a service, that uses the EC certificate
  • verify that there is a valid “TLSA 3 0 2” record for a service, that uses the RSA certificate
  • verify the expiration of the RSA certificate
  • verify the expiration of the EC certificate

The idea is to be able to verify that both 3 0 1 and 3 0 2 records are valid, which is currently not possible.

For 3 1 1 there is somewhere a special requirement that it is offered for SMTP:25, but for the same port 3 0 1 and 3 0 2 are not prohibited.

In addition it would be very nice if the same TLS connection were used to verify whether the certificate has the Must-Staple extension and that OCSP verifies, so that no further plugins are needed for this and no further TLS connections must be made.
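The per-certificate matching this request asks for, as an added example that is not code from the check_dane project or from the issue author: each of the server's certificates (RSA and EC) is checked separately against the published TLSA RRset for every selector/matching-type combination the operator cares about, and records that match no live certificate are flagged as stale rollover leftovers. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders; a real check would take the leaf certificate from the TLS handshake and extract its SPKI with an X.509 parser.

```python
import hashlib
from dataclasses import dataclass

# TLSA field values as defined in RFC 6698 / RFC 7671
USAGE_DANE_EE = 3
SELECTOR_FULL_CERT = 0
SELECTOR_SPKI = 1
MATCH_EXACT = 0
MATCH_SHA256 = 1
MATCH_SHA512 = 2


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    mtype: int
    data: bytes  # certificate association data as published in DNS


@dataclass(frozen=True)
class ServerCert:
    """A leaf certificate as presented in the TLS handshake.

    cert_der and spki_der are constructed byte strings here; in a real
    plugin cert_der comes from the handshake and spki_der is extracted
    from it with an X.509 parser (assumed, not shown)."""
    name: str
    cert_der: bytes
    spki_der: bytes


def association_data(cert: ServerCert, selector: int, mtype: int) -> bytes:
    """Compute the association data a TLSA record would carry for this
    certificate under the given selector and matching type."""
    if selector == SELECTOR_FULL_CERT:
        payload = cert.cert_der
    elif selector == SELECTOR_SPKI:
        payload = cert.spki_der
    else:
        raise ValueError(f"unsupported selector {selector}")
    if mtype == MATCH_EXACT:
        return payload
    if mtype == MATCH_SHA256:
        return hashlib.sha256(payload).digest()
    if mtype == MATCH_SHA512:
        return hashlib.sha512(payload).digest()
    raise ValueError(f"unsupported matching type {mtype}")


def has_valid_record(records, cert, selector, mtype) -> bool:
    """True if at least one DANE-EE (usage 3) record with this selector and
    matching type matches the given certificate."""
    return any(
        r.usage == USAGE_DANE_EE
        and r.selector == selector
        and r.mtype == mtype
        and r.data == association_data(cert, selector, mtype)
        for r in records
    )


def check_service(records, certs, wanted):
    """For every live certificate, report whether each (selector, mtype)
    pair in `wanted` has a valid record: {cert name: {(sel, mt): bool}}."""
    return {
        c.name: {(sel, mt): has_valid_record(records, c, sel, mt) for sel, mt in wanted}
        for c in certs
    }


def stale_records(records, certs):
    """Records that match none of the live certificates, e.g. the half of
    the RRset left over from a key rollover. Records with a selector or
    matching type this code does not handle are reported as stale too."""
    stale = []
    for r in records:
        if r.selector not in (SELECTOR_FULL_CERT, SELECTOR_SPKI) or r.mtype not in (
            MATCH_EXACT, MATCH_SHA256, MATCH_SHA512
        ):
            stale.append(r)
        elif not any(has_valid_record([r], c, r.selector, r.mtype) for c in certs):
            stale.append(r)
    return stale


# Constructed sample data: two current certificates and one retired EC cert.
RSA = ServerCert("rsa", b"constructed-rsa-cert-der", b"constructed-rsa-spki-der")
EC = ServerCert("ec", b"constructed-ec-cert-der", b"constructed-ec-spki-der")
OLD_EC = ServerCert("old-ec", b"constructed-old-ec-cert-der", b"constructed-old-ec-spki-der")


def sample_records():
    """A constructed RRset as it might look mid-rollover: records for the
    live RSA and EC certificates plus two stale ones for the old EC cert."""
    return [
        TLSARecord(3, 1, 1, association_data(RSA, 1, 1)),
        TLSARecord(3, 1, 1, association_data(EC, 1, 1)),
        TLSARecord(3, 0, 1, association_data(RSA, 0, 1)),
        TLSARecord(3, 0, 2, association_data(EC, 0, 2)),
        TLSARecord(3, 1, 1, association_data(OLD_EC, 1, 1)),  # stale
        TLSARecord(3, 0, 1, association_data(OLD_EC, 0, 1)),  # stale
    ]


if __name__ == "__main__":
    recs = sample_records()
    for name, result in check_service(recs, [RSA, EC], [(1, 1), (0, 1), (0, 2)]).items():
        print(name, result)
    print("stale:", len(stale_records(recs, [RSA, EC])))
```

With this data the RSA certificate has valid 3 1 1 and 3 0 1 records but no 3 0 2, the EC certificate has valid 3 1 1 and 3 0 2 records but no 3 0 1, and the two records for the retired EC certificate are reported as stale. Because each certificate is checked on its own, a monitoring invocation can ask the exact question the issue lists ("is there a valid 3 0 2 record for the EC certificate?") instead of only "does some record match some certificate".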
