Status: Open
Label: enhancement (New feature or request)

Description
require client ca only works if all the client certificates were signed by the same CA, which is reasonable (because it is easy for us to implement), but has two major drawbacks:
- doesn't support a deny list for certificates that might have been stolen
- requires the admin to sign every client certificate
we could add support for a CRL (certificate revocation list) and a list of known 'good' certificates to improve the support for CA-signed certs as well as for heterogeneous lists of certs. Also, we could consider allowing require client ca to be specified more than once.
Eventually, something like gmidctl (see #38) could fit in here as a way to quickly alter the CRL or add a known certificate. Or, even, implement an external store (à la smtpd-tables(7)) where this info can be stored.
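The policy sketched above (CA chain check plus a CRL-style deny list plus a known-good list), as an added Go example that is not gmid's code: Policy, Accept and MintCert are assumed names, MintCert only produces constructed test certificates, and the order of the checks is one possible design, not something the issue fixes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)

// Policy combines the issue's three checks (assumed design, not gmid code): a CA
// to chain to, a CRL-style deny list of serials, and a known-good list of SHA-256
// fingerprints for certs no CA signed. Deny is checked before allow.
type Policy struct {
	Roots     *x509.CertPool
	Revoked   map[string]bool // serial numbers taken from the CA's CRL
	KnownGood map[string]bool // hex SHA-256 of each trusted cert's DER
}

// Accept decides whether one presented client certificate is let in.
func (p Policy) Accept(c *x509.Certificate) bool {
	if p.Revoked[c.SerialNumber.String()] {
		return false // withdrawn (e.g. stolen); deny wins even over the allow list
	}
	if sum := sha256.Sum256(c.Raw); p.KnownGood[hex.EncodeToString(sum[:])] {
		return true // explicitly trusted, no CA signature needed
	}
	_, err := c.Verify(x509.VerifyOptions{Roots: p.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil // otherwise it must chain to the configured CA
}

// MintCert builds a throwaway test certificate (constructed data, not a real key);
// a nil parent yields a self-signed one.
func MintCert(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), IsCA: isCA,
		Subject: pkix.Name{CommonName: cn}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der) // nil (with err set above) if creation failed
	return cert, key, err
}
```

The deny list is keyed by serial number alone, which is enough with a single CA; with several issuers it would need to be keyed by issuer and serial, as a real CRL is.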