Make SSL Cert lookup case-insensitive

[ajschmidt]

Which issue is fixed by this PR? If not related to an existing issue, what does this PR do?

OpenSSL is performing an exact match between the requested SNI and the lookup keys associated with SSL Certificates. Since FQDNs are not case sensitive this is inappropriate and sometimes causes misses on the certificate lookup. TR incorrectly returns the default certificate in these cases. This PR is a workaround for this issues by:

1. When TR receives an HTTPS request it converts the requested SNI to lower case before passing it to OpenSSL.
2. When configuring OpenSSL TR makes sure that all the lookup keys for the certs that it has received from Traffic Ops have been converted to lower case.
   Fixes #(replace_this_text_with_issue_number)

Which TC components are affected by this PR?

• Documentation
• Grove
• Traffic Analytics
• Traffic Monitor
• Traffic Ops
• Traffic Ops ORT
• Traffic Portal
• Traffic Router
• Traffic Stats
• Traffic Vault
• Other _________

What is the best way to verify this PR? Please include manual steps or automated tests.

(If no tests are part of this PR, please provide explanation as to why no tests are included.)

The easiest way to test this PR is to start up a local instance of TR by running TrafficRouterStart and configuring it to point at an existing Traffic Ops instance which is configured with at least one SSL Cert and a matching Delivery Service which is SSL enabled. Any existing non-production environment should do. Run a couple of 'curl' commands:

1. curl -kvs https://ccr.myds.mycdn.mycompany.com:8443/stuff --resolve ccr.myds.mycdn.mycompany.com:8443:127.0.0.1

should perform an SSL handshake and return a certificate for domain myds.mycdn.mycompany.com

2. curl -kvs https://ccr.MYDS.MYCDN.mycompany.com:8443/stuff --resolve ccr.myds.mycdn.mycompany.com:8443:127.0.0.1

should perform an SSL handshake and return the same certificate as in #1.

Of course you have to replace myds, mycdn and mycompany with the fqdn for your delivery service.

Check all that apply

• This PR includes tests
• This PR includes documentation updates
• This PR includes an update to CHANGELOG.md
• This PR includes all required license headers
• This PR includes a database migration (ensure that migration sequence is correct)
• This PR fixes a serious security flaw. Read more: www.apache.org/security

[asfgit]

Can one of the admins verify this patch?

[ghost]

@ajschmidt I've tested this PR successfully. 2 of 2 manual tests of this PR are successful. This PR is ready to be merged.

Testing environment:

• Latest CiaB environment from master
• Traffic Router rebuilt with the changes from this PR.

Tests:

1. Verify GET request containing mixed case FQDN in URL returns the correct certificate for demo1 delivery service.
2. Verify Raw SNI mixed case FQDN in TLS client_hello returns the correct certificate for demo1 DS.

Results:
Pass. The tests below verify that the correct x509 certificate is returned by the traffic router, even when the SNI has mixed case alphabetical characters:

Test1 - Verify GET request containing mixed case FQDN in URL returns the correct certificate for demo1 delivery service:

$ mydc exec trafficrouter /bin/bash
[root@trafficrouter /]# curl -vq https://vIDeO.DeMo1.MyCDn.CiAb.TeST
* About to connect() to vIDeO.DeMo1.MyCDn.CiAb.TeST port 443 (#0)
*   Trying 172.25.0.11...
* Connected to vIDeO.DeMo1.MyCDn.CiAb.TeST (172.25.0.11) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* 	subject: CN=*.demo1.mycdn.ciab.test,O=CDN-in-a-Box,L=Denver,ST=Colorado,C=US
* 	start date: Jan 30 18:39:35 2019 GMT
* 	expire date: Jan 30 18:39:35 2020 GMT
* 	common name: *.demo1.mycdn.ciab.test
* 	issuer: E=no-reply@infra.ciab.test,CN=CDN-in-a-Box Intermediate CA,OU=CDN-in-a-Box,O=CDN-in-a-Box,L=Denver,ST=Colorado,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: vIDeO.DeMo1.MyCDn.CiAb.TeST
> Accept: */*
> 
< HTTP/1.1 302 Found
< Location: https://edge.demo1.mycdn.ciab.test/
< Content-Length: 0
< Date: Wed, 20 Feb 2019 17:53:33 GMT
< 
* Connection #0 to host vIDeO.DeMo1.MyCDn.CiAb.TeST left intact

Test2 - Verify Raw SNI mixed case FQDN in TLS client_hello returns the correct certificate for demo1 DS:

$ ./sniclient 172.25.0.11 443 vIDeO.DeMo1.MyCDn.CiAb.TeST
Server resolved IP address: 172.25.0.11
SSL connection using ECDHE-RSA-AES256-GCM-SHA384
Server certificate:
	 subject: /C=US/ST=Colorado/L=Denver/O=CDN-in-a-Box/CN=*.demo1.mycdn.ciab.test
	 issuer: /C=US/ST=Colorado/L=Denver/O=CDN-in-a-Box/OU=CDN-in-a-Box/CN=CDN-in-a-Box Intermediate CA/emailAddress=no-reply@infra.ciab.test

[dangogh]

add to whitelist

[asfgit]

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/trafficcontrol-PR/3245/
Test PASSed.