implement ssl-skip-verify to forward to self-signed-certificates

[ghost]

we are using internally also SSL between our servers (nginx and Service fabric / load balancer) but these are self-signed-certiticates. Today clammit does not allow it

2021/11/04 23:18:04 Interceptor passed this request
2021/11/04 23:18:04 Forwarding to https://10.57.2.4:8001
2021/11/04 23:18:04 Failed to forward request: 'post' "https://10.57.2.4:8001/api/Files?api-version=1.0": x509: certificate signed by unknown authority

the PR allows to configure "ssl-skip-verify" (true, false).

If true, will skip SSL validation forwarding connection to use self-signed certitifates, default = false
ssl-skip-verify = false

2021/11/04 23:22:26 Interceptor passed this request
2021/11/04 23:22:26 Forwarding to https://10.57.2.4:8001
2021/11/04 23:22:26 Request forwarded, response 200 OK

• test cases ran
• test cases implemented
• documentation adapted
• (some build documentation adapted)
• GitHub build action run
• build v0.7.3+ssl-skip-verify on our forked repository

[vjt]

Thank you for this. I have mixed feelings about this change because:

• I think that TLS verification is a good thing and one should always employ it
• I am not convinced on how the sslskipverify option is passed around

So I summon @jblackman for his feedback :-)

[vjt]

I would reword this as:

if true, it will not perform TLS certificate verification, allowing connections to servers using self-signed or otherwise untrusted certificates. Use with care, it is always preferable to perform certificate verification.

[ghost]

I like your very precise documentation

[vjt]

This looks OK as today we only have a single option. For the future, we’ll want to pass the tls config object in the forwarder struct directly, that’ll allow us to drive any tls config options from clammit configuration without adding more fields to the Forwarder struct.

[ghost]

I agree - I was not happy also. But I did not wanted to do a full refactoring ....

[butsjoh]

Any change on getting this merged?

[butsjoh]

Also another question/observation: Why is it not possible that self signed certs that have been added to the os level are considered valid? I am not familiar with the go ecosystem but i would expect that a cert that is trusted on the system level would be working. We tried this together with https://github.com/maxsivkov/clammit-docker (and after adding the necessary cert files) and when we curl inside the container it works but when clammit forwards the request it keeps complaining about invalid cert.