Support for passphrase protected certificate keys

Feature - External Script for SSL Password

• So that I can maintain security on my SSL certificate,
• As a MaxScale user,
• I want MaxScale to run an external script that provides the SSL password.

Acceptance Test - Script Execution for SSL Password

• Given MaxScale is configured to use an SSL certificate that requires a password
• And an external script is available to provide the SSL password
• When MaxScale starts or reloads its configuration
• Then MaxScale runs the external script to retrieve the SSL password
• And MaxScale uses the retrieved SSL password to unlock the SSL certificate

Acceptance Test - Handling Script Execution Failure

• Given MaxScale is configured to use an SSL certificate that requires a password
• And an external script is available to provide the SSL password
• When MaxScale starts or reloads its configuration
• And the external script fails to execute or returns an error
• Then MaxScale logs the error indicating the failure to retrieve the SSL password
• And MaxScale does not start or continue loading the configuration

Acceptance Test - Logging Successful Script Execution

• Given MaxScale is configured to use an SSL certificate that requires a password
• And an external script is available to provide the SSL password
• When MaxScale successfully executes the external script
• Then MaxScale logs a message indicating the successful retrieval of the SSL password
• And MaxScale uses the retrieved SSL password to unlock the SSL certificate

Acceptance Test - Security of SSL Password

• Given MaxScale is configured to use an SSL certificate that requires a password
• And an external script is available to provide the SSL password
• When MaxScale retrieves the SSL password from the external script
• Then the SSL password is not stored in plaintext in any logs or configuration files
• And the SSL password is only used in-memory to unlock the SSL certificate

Background

Maxscale should support TLS certificates with password / passphrase protected keys.

I haven't tested how it would deal with such keys, but I assume it would "suffer" from the same TLS library default behavior as the MariaDB server and would try to prompt the user for passwords / passphrases, so breaking automated service startups when faced with such keys.

What makes things more complicated here is that unlike the server Maxscale does not only have to deal with a single certificate, but can have different certificates per server, listener, and for the REST API. Also the same key may be used in multiple places.