Background
Recent Linux distributions, including Ubuntu 18.04 and CentOS 8, as well as conda, ship a version of OpenSSL that disables weak ciphers such as Anonymous DH (ADH) as used by OMERO. In many cases our suggested workaround of setting `@SECLEVEL=0` does not work:
- https://forum.image.sc/t/omero-icessl-unable-to-set-ciphers/30704
The default Windows SSL library used by Ice does not support the weak ciphers required by OMERO: Windows IceSSL ciphers are more limited than Linux and OSX omero-py#200
Several users have reported success when using the omero-certificates plugin.
The client work required to support ciphers other than ADH was added as part of the work to enable websockets, since in most cases clients connect to a websocket through a web server such as Nginx that doesn't support ADH.
Note that the certificates do not need to be signed by a recognised certificate authority since OMERO clients never validate any SSL connections.
This means the server can optionally autogenerate them without any user input.
Proposal
Supported ciphers and protocols
Remove the weak ciphers from the default OMERO configuration. The default OMERO configuration will include the following properties:

```
omero.glacier2.IceSSL.Ciphers: HIGH
omero.glacier2.IceSSL.ProtocolVersionMax: TLS1_2
omero.glacier2.IceSSL.Protocols: TLS1_0,TLS1_1,TLS1_2
```

- We may want to include `TLS1_3` in the above

Alternatively we could take this opportunity to improve the security slightly (though since the default is for clients to never verify certificates it doesn't really make much difference):

```
omero.glacier2.IceSSL.Ciphers: HIGH
omero.glacier2.IceSSL.ProtocolVersionMax: TLS1_3
omero.glacier2.IceSSL.ProtocolVersionMin: TLS1_2
omero.glacier2.IceSSL.Protocols: TLS1_2,TLS1_3
```
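To see what a cipher string such as `HIGH` actually admits on a given host, the following added example (not OMERO or Ice code) parses properties written in the `key: value` form used above, applies them to a Python `ssl` context backed by the local OpenSSL, and reports any anonymous (ADH/AECDH) suites the string still matches. The sample configuration text, the function names and the mapping from IceSSL protocol names to `ssl.TLSVersion` values are this example's assumptions.

```python
"""Report which cipher suites an IceSSL cipher string admits on this host's OpenSSL."""
import ssl

# Constructed sample in the key: value form used in this proposal.
SAMPLE_CONFIG = """
omero.glacier2.IceSSL.Ciphers: HIGH
omero.glacier2.IceSSL.ProtocolVersionMax: TLS1_3
omero.glacier2.IceSSL.ProtocolVersionMin: TLS1_2
omero.glacier2.IceSSL.Protocols: TLS1_2,TLS1_3
"""

# Assumed mapping from IceSSL protocol names to ssl.TLSVersion values.
TLS_VERSIONS = {
    "TLS1_0": ssl.TLSVersion.TLSv1,
    "TLS1_1": ssl.TLSVersion.TLSv1_1,
    "TLS1_2": ssl.TLSVersion.TLSv1_2,
    "TLS1_3": ssl.TLSVersion.TLSv1_3,
}

# Name prefixes OpenSSL uses for anonymous (aNULL) suites.
ANONYMOUS_PREFIXES = ("ADH-", "AECDH-")


def parse_properties(text):
    """Parse 'key: value' lines into a dict, ignoring blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def check_config(props):
    """Apply the IceSSL cipher and protocol properties to an ssl context.

    Returns the suite names OpenSSL would offer, the anonymous ones among
    them, and an error string if the cipher string matched nothing.
    """
    prefix = "omero.glacier2.IceSSL."
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if prefix + "ProtocolVersionMin" in props:
        ctx.minimum_version = TLS_VERSIONS[props[prefix + "ProtocolVersionMin"]]
    if prefix + "ProtocolVersionMax" in props:
        ctx.maximum_version = TLS_VERSIONS[props[prefix + "ProtocolVersionMax"]]
    try:
        ctx.set_ciphers(props.get(prefix + "Ciphers", "DEFAULT"))
    except ssl.SSLError as exc:
        # OpenSSL rejects a cipher string that selects no TLS 1.2 suite at all.
        return {"ciphers": [], "anonymous": [], "error": str(exc)}
    names = [c["name"] for c in ctx.get_ciphers()]
    anonymous = [n for n in names if n.startswith(ANONYMOUS_PREFIXES)]
    return {"ciphers": names, "anonymous": anonymous, "error": None}


if __name__ == "__main__":
    report = check_config(parse_properties(SAMPLE_CONFIG))
    print(len(report["ciphers"]), "suites;",
          report["anonymous"] or "no anonymous suites configured")
```

Running this shows the point behind the `@SECLEVEL=0` workaround: the cipher string on its own is not what removes ADH. `HIGH` still matches the anonymous suites by name on OpenSSL builds that compile them in, and it is the security level (1 or higher) that refuses to negotiate them at handshake time. `HIGH:!aNULL` excludes them explicitly, whatever the security level, and the report for that string comes back with an empty `anonymous` list.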
Certificates properties
Require certificates for IceSSL. These certificates may be self-signed since verification is disabled by default in clients.
The following properties are required:
- `omero.glacier2.IceSSL.DefaultDir`: The directory for certificates. This may default to `{omero.data.dir}/certs` or `$OMERODIR/var/certs`. Any certificate properties that are not an absolute path must be in this directory.
- `omero.glacier2.IceSSL.CertFile`: A PKCS12 file storing the certificate and key, default `server.p12`.
- `omero.glacier2.IceSSL.Password`: password for the above `CertFile`, default `secret`.
The following may or may not be required (probably isn't, but needs checking): `omero.glacier2.IceSSL.CAs`
Certificate creation
Add a new property that controls whether OMERO.server should automatically generate self-signed certificates on startup:
- `omero.certificates.autogenerate`: default `true`
If `omero.certificates.autogenerate: true` then `omero admin rewrite` will create a new self-signed PKCS12 certificate using the `openssl` utility and store it in `omero.glacier2.IceSSL.CertFile` with password `omero.glacier2.IceSSL.Password`.
The public certificate will be regenerated on every start to avoid worrying about expiry dates.
Intermediate files server.pem (self-signed certificate in PEM format) and server.key (private key in PEM format) will be stored in omero.glacier2.IceSSL.DefaultDir.
Most of this functionality is already implemented by the omero-certificates plugin, though some work will be required to remove the automatic setting of properties.
If `omero.certificates.autogenerate: false` the sysadmin is responsible for creating certificates and changing any default properties.
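The generation step described above, as an added example rather than the omero-certificates plugin's or OMERO.server's own code: it shells out to the `openssl` utility to write `server.key` and `server.pem` into the certificate directory, bundles them into the PKCS12 file with the configured password, and then checks that the result is usable before the server would pick it up. The function names, the `localhost` common name and the 365-day lifetime are this example's assumptions.

```python
"""Generate and verify self-signed IceSSL certificates with the openssl CLI."""
import os
import ssl
import subprocess
from pathlib import Path


def _openssl(*args):
    """Run the openssl CLI, raising CalledProcessError on failure."""
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True).stdout


def generate_self_signed_pkcs12(default_dir, cert_file="server.p12",
                                password="secret", common_name="localhost",
                                days=365):
    """Create server.key, server.pem and cert_file under default_dir.

    Existing files are overwritten, matching the proposal that the certificate
    is regenerated on every start instead of being tracked for expiry.
    """
    default_dir = Path(default_dir)
    default_dir.mkdir(parents=True, exist_ok=True)
    key = default_dir / "server.key"
    pem = default_dir / "server.pem"
    p12 = default_dir / cert_file
    # Self-signed certificate plus unencrypted private key in PEM form.
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes",
             "-keyout", str(key), "-out", str(pem), "-days", str(days),
             "-subj", f"/CN={common_name}")
    # Bundle both into the PKCS12 file that IceSSL.CertFile points at.
    _openssl("pkcs12", "-export", "-inkey", str(key), "-in", str(pem),
             "-out", str(p12), "-passout", f"pass:{password}")
    # Only the server account needs to read the key material.
    for secret in (key, p12):
        os.chmod(secret, 0o600)
    return {"key": key, "pem": pem, "p12": p12}


def verify_certificate_files(files, password="secret"):
    """True if the PEM pair loads as a server identity and the PKCS12 file
    opens with the configured password; False otherwise."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(certfile=str(files["pem"]), keyfile=str(files["key"]))
        _openssl("pkcs12", "-in", str(files["p12"]), "-nokeys",
                 "-passin", f"pass:{password}")
    except (ssl.SSLError, subprocess.CalledProcessError):
        return False
    return True


def certificate_subject(files):
    """Subject line of the generated certificate, as printed by openssl x509."""
    return _openssl("x509", "-in", str(files["pem"]), "-noout", "-subject").strip()


if __name__ == "__main__":
    import tempfile
    files = generate_self_signed_pkcs12(tempfile.mkdtemp())
    print(certificate_subject(files), verify_certificate_files(files))
```

The verification step is the part worth keeping even if the generation moves elsewhere: a wrong `omero.glacier2.IceSSL.Password` or a mismatched key and certificate is reported before startup rather than as an IceSSL failure in the server log.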