#3798 Don't require certificate for TLS clients

[rsmck]

Summary
Implements a fix for #3798

Details
OpenSIPS requires a certificate when configuring a client_domain, even if mTLS is not required. As a result it's easiest to use the server certificate. However, this means that OpenSIPS will send this certificate (these will be without a clientAuth EKU) if the server requests a client certificate. It should be possible to establish the connection without the Client Certificate (see RFC 8446 4.4.2.4 and RFC 5426 7.4.6 ("If no suitable certificate is available, the client MUST send a certificate message containing no certificates. That is, the certificate_list structure has a length of zero")

Solution

Server domains: Continue to require certificates (using defaults if not specified), should be no change to behaviour here.

Client domains: Can now be configured without certificate and private_key parameters.

When the destination TLS server requests a client certificate but one isn't configured, an empty certificate message is sent per RFC 8446 / 5246

Compatibility
Tested with OpenSIPS 3.6 + LibreSSL 3.3.6
Not tested with WolfSSL

Closing issues
Closes #3798

[NormB]

Tested this with WolfSSL since you mentioned it wasn't covered. I applied the patch to master (4.0.0-dev, dbfac4e6a) rather than 3.6 — it applied cleanly, so this confirms the WolfSSL code path works but isn't a direct test on the target branch.

Setup: Two separate Debian 13 nodes, opensips-1 as TLS server (OpenSSL 3.5.4, with cert) and opensips-2 as TLS client (WolfSSL 5.4.0, no cert/key configured). UDP OPTIONS sent to opensips-2, which relays to opensips-1 over TLS via t_relay().

Results: All passing. Key log lines confirming the new code paths:

# tls_mgm.c - client domain init without cert
INFO:tls_mgm: no certificate for tls client domain 'cli_nocert', will not send client certificate
DBG:tls_mgm: no private key needed for tls client domain 'cli_nocert' (no certificate configured)

# wolfssl_config.c - cert loading skipped, handshake succeeds
INFO:tls_wolfssl: new TLS connection to 10.0.0.40:5061 established

# server side confirms empty client cert per RFC 8446/5246
INFO:tls_wolfssl: client did not present a TLS certificate

# end-to-end SIP transaction completed
SIP/2.0 200 OK-from-opensips-1

No crashes, no errors, transaction cleaned up normally.

One thing that might be worth adding — a docs update for tls_mgm noting that certificate and private_key are now optional for client domains.

[liviuchircu]

@rsmck and @NormB -- I really appreciate the work and fully documented issue and PR here, bit of a pity that I didn't merge this sooner. I went ahead and played with it a bit, didn't spot any regressions either. The patch is fully backwards-compatible too, for opensips.cfg scripts which explicitly set the client certificate and private_key modparams (all of them?). But now, you can omit them in order to get the empty-client-cert behavior, which worked just fine against a openssl s_server ... CLI TLS test server.

Merging ASAP, I will go for a backport to 3.6 and 3.4 as well, so we keep TLS behavior consistent across all stables.