Add option for TLS renegotiation to `http.send` config

[philipaconrad]

What is the underlying problem you're trying to solve?

TLS renegotiation is disabled by default in OPA, and this can cause http.send to fail sometimes when interacting with servers using older TLS versions (like TLS 1.2). It'd be nice if we had an option on http.send that would allow selectively enabling that feature.

Example error:

"error": {
  "code": "eval_http_send_network_error",
  "message": "Get \"https://mydomain.example.com/path\": local error: tls: no renegotiation" 
},
"status_code": 0

Describe the ideal solution

Add an option like tls_renegotiation, with options "never" (default), "once", and "freely", which would correspond to the underling Golang TLS client config options.

Note: When using TLS 1.3, this option will be a no-op, due to lack of support for renegotiation requests from the server.

Describe a "Good Enough" solution

Same as above, but just a boolean toggle between never and once behavior.

[philipaconrad]

This might be on the edge of "good first issue" territory. It's a well-scoped change to a single builtin. I think the only tricky part would be adding a testcase for it.

[tjons]

@ashutosh-narkar @charlieegan3 I'll pick this one up! Thanks Charlie for the suggestion

[charlieegan3]

We chatted a little about this in slack, sharing an update here for future.

This feature, if added would not be possible to test in Go alone. (golang/go#36285 (comment)) Golang's own tests are based on an openssl test case (https://github.com/golang/go/blob/master/src/crypto/tls/handshake_client_test.go).

Since TLS < 1.3 is a dying breed, I would like to wait until we have a clear use case from a user that really needs this before implementing it given the ongoing cost of maintaining a potentially separate test group with an openssl dependency.

[tjons]

For posterity, I implemented this in: https://github.com/tjons/opa/tree/tjons/http-send-tls-renegociation