Implement TLS client authentication #193

Open. Wants to merge 1 commit into master.

Conversation

@M1cha M1cha commented Jun 22, 2022

What is the purpose of this change? What does it change?

Add support for authenticating clients using a CA certificate.

Was the change discussed in an issue or in the forum before?

Closes #73

Checklist

  • I have enabled maintainer edits for this PR
  • I have added tests for all changes in this PR
  • I have added documentation for the changes (in the manual)
  • There's a new file in changelog/unreleased/ that describes the changes for our users (template here)
  • I have run gofmt on the code in all commits
  • All commit messages are formatted in the same style as the other commits in the repo
  • I'm done, this Pull Request is ready for review

@MichaelEischer (Member)

Shouldn't the rest-server also extract the username from the client certificate similar to #191? Or is the idea to only use the client certificate to allow access to the rest-server and then require an additional htpasswd verification (I'm not particularly sure how useful that is)?

@M1cha (Author) commented Apr 9, 2023

@MichaelEischer IMO, what you request should be optional. I use TLS with my own CA to prevent anyone inside my home network from using the rest server. I need neither htaccess nor TLS username verification though since I'm the only user.

@smiller255

I tested this branch at 517d9cbcad3a52965f73d36fe0fd8cc61e8f1300 and it works just fine and as expected.

Notes:

  • The added documentation states that the new option can be used with --tls-ca, but the implemented option uses --tls-cacert
  • To use client-side TLS for authentication without an htpasswd file, it is currently required to start the server with the --no-auth flag, because without it the server complains about the missing htpasswd file. The --no-auth flag should actually disable both authentication options, while using --tls-cacert should work even if there is no htpasswd file.

@M1cha If you are still interested in working on this feature, I would offer to test this further and help with documentation or unit tests.
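
Worked example, added here by the editor and not code from this PR or from rest-server: the server-side setting the thread is about (a CA pool plus tls.RequireAndVerifyClientCert, which is what a --tls-cacert style option has to configure), and the check behind MichaelEischer's question about deriving the username from the client certificate. The function names, the "Home Backup CA" and the user alice are assumptions made for the example; all keys and certificates are generated in memory, and the impostor certificate shows why the name must come from the verified chain rather than from whatever the client presented.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// clientAuthConfig returns the tls.Config settings that admit only clients
// whose certificate chains to a CA in caPEM. RequireAndVerifyClientCert fails
// the handshake for anyone else, so they never reach the HTTP handlers. The
// caller adds its own server key pair (Certificates) before serving.
func clientAuthConfig(caPEM []byte) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("no CA certificate found in PEM input")
	}
	return &tls.Config{
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  pool,
		MinVersion: tls.VersionTLS12,
	}, nil
}

// verifyClient runs the check the TLS stack performs for
// RequireAndVerifyClientCert (chain to ClientCAs, client-auth EKU) and returns
// the verified leaf's CommonName, usable as the username. On a live connection
// read it from ConnectionState().VerifiedChains, never from PeerCertificates.
func verifyClient(cfg *tls.Config, leaf *x509.Certificate) (string, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots:     cfg.ClientCAs,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", fmt.Errorf("client certificate rejected: %w", err)
	}
	return chains[0][0].Subject.CommonName, nil
}

// mustIssue builds in-memory test material (assumed, not rest-server code): a
// P-256 certificate for cn, signed by parent, or self-signed when parent is nil.
func mustIssue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// Demo generates a CA, a client certificate it signed and an impostor that is
// self-signed under the same CommonName, then runs both through the server
// check. user is the name derived for the real client; impostorErr is the
// rejection of the impostor (non-nil is the expected outcome).
func Demo() (user string, impostorErr error, err error) {
	ca, caKey := mustIssue("Home Backup CA", true, nil, nil)
	alice, _ := mustIssue("alice", false, ca, caKey)
	impostor, _ := mustIssue("alice", false, nil, nil)
	cfg, err := clientAuthConfig(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw}))
	if err != nil {
		return "", nil, err
	}
	if user, err = verifyClient(cfg, alice); err != nil {
		return "", nil, err
	}
	_, impostorErr = verifyClient(cfg, impostor)
	return user, impostorErr, nil
}
```

With this configuration a client that has no certificate, or one not signed by the CA, is cut off during the handshake; an htpasswd check, if the server keeps one, would only ever run for connections that already passed this step, which is the optional layering the thread discusses.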

Development

Successfully merging this pull request may close this issue: TLS Client Authentication

3 participants