Extend the 'doth' system test with Strict/Mutual TLS checks

This commit extends the 'doth' system test with a set of Strict/Mutual
TLS related checks.

This commit also makes each doth NS instance use its own TLS
certificate that includes FQDN, IPv4, and IPv6 addresses, issued using
a common Certificate Authority, instead of ad-hoc certs.

Extend servers initialisation timeout to 60 seconds to improve the
tests stability in the CI as certain configurations could fail to
initialise on time under load.

bin/tests/system/doth/CA/CA.cfg

@@ -0,0 +1,121 @@
+## How To
+# To issue a certificate:
+#
+# 1. Generate the next certificate serial (if the file does not exist):
+# xxd -l 8 -u -ps /dev/urandom > ./serial
+# 2. Create the new certificate request (e.g. for foo.example.com):
+#  openssl req -config ./CA.cfg -new -subj "/CN=foo.example.com" \
+#                  -addext "subjectAltName=DNS:foo.example.com,IP=X.X.X.X" \
+#                  -newkey rsa -keyout ./certs/foo.example.com.key \
+#                  -out ./certs/foo.example.com.csr
+#
+# The above will generate request for an RSA-based certificate. One
+# can issue an ECDSA-based certificate by replacing "-newkey rsa" with
+# "-newkey ec -pkeyopt ec_paramgen_curve:secp384r1".
+#
+# 3. Issue the certificate:
+# openssl ca -config ./CA.cfg -in ./certs/foo.example.com.csr \
+#                             -out ./certs/foo.example.com.pem
+#
+# To cleanup the internal database from expired certificates:
+#
+# 1.  openssl ca -config ./CA.cfg -updatedb
+#
+# To revoke a certificate:
+#
+# 1. Revoke the certificate via file  (e.g. for foo.example.com):
+# openssl ca -config ./CA.cfg -revoke ./certs/foo.example.com.pem
+# 2. Optionally remove the certificate file if you do not need it anymore:
+# rm ./certs/foo.example.com.pem
+# 3. Generate the certificate revocation list file: CRL (e.g. revoked.crl):
+# openssl ca -config ./CA.cfg -gencrl > ./revoked.crl
+#
+# The key for CA was generated like follows
+# openssl genrsa -out ./CA.key 3072
+# openssl req -x509 -new -key ./CA.key -days 10950 -out ./CA.pem
+#
+# See also:
+#
+# - https://jamielinux.com/docs/openssl-certificate-authority/index.html
+# - https://www.openssl.org/docs/man1.1.1/man1/ca.html
+# - https://www.openssl.org/docs/man1.1.1/man1/openssl-req.html
+# - https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-the-command-line
+# - https://security.stackexchange.com/a/190646 - for ECDSA certificates
+# - https://gist.github.com/Soarez/9688998
+# - https://habr.com/ru/post/192446/ - Beware, your screen might "go Cyrillic"!
+
+# certificate authority configuration
+[ca]
+default_ca      = CA_default               # The default ca section
+
+[CA_default]
+dir            = .
+new_certs_dir  = $dir/newcerts         # new certs dir (must be created)
+certificate    = $dir/CA.pem           # The CA cert
+private_key    = $dir/private/CA.key   # CA private key
+
+serial         = $dir/serial           # serial number file for the next certificate
+                                       # Update before issuing it:
+                                       # xxd -l 8 -u -ps /dev/urandom > ./serial
+database = $dir/index.txt                 # (must be created manually: touch ./index.txt)
+
+default_days   = 10950                 # how long to certify for
+
+#default_crl_days = 30                 # the number of days before the
+default_crl_days = 10950               # next CRL is due. That is the
+                                       # days from now to place in the
+                                       # CRL nextUpdate field.  If CRL
+                                       # is expired, certificate
+                                       # verifications will fail even
+                                       # for otherwise valid
+                                       # certificates. Clients might
+                                       # cache the CRL, so the expiry
+                                       # period should normally be
+                                       # relatively short (default:
+                                       # 30) for production CAs.
+
+default_md     = sha256                # digest to use
+
+policy         = policy_default        # default policy
+email_in_dn    = no                    # Don't add the email into cert DN
+
+name_opt       = ca_default            # Subject name display option
+cert_opt       = ca_default            # Certificate display option
+
+# We need the following in order to copy Subject Alt Name(s) from a
+# request to the certificate.
+copy_extensions = copy                 # copy extensions from request
+
+[policy_default]
+countryName            = optional
+stateOrProvinceName    = optional
+organizationalUnitName = optional
+commonName             = supplied
+emailAddress           = optional
+
+# default certificate requests settings
+[req]
+# Options for the `req` tool (`man req`).
+default_bits        = 3072 # for RSA only
+distinguished_name  = req_default
+string_mask         = utf8only
+# SHA-1 is deprecated, so use SHA-256 instead.
+default_md          = sha256
+# do not encrypt the private key file
+encrypt_key         = no
+
+[req_default]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName                     = Country Name (2 letter code)
+stateOrProvinceName             = State or Province Name (full name)
+localityName                    = Locality Name (e.g., city)
+0.organizationName              = Organization Name (e.g., company)
+organizationalUnitName          = Organizational Unit Name (e.g. department)
+commonName                      = Common Name (e.g. server FQDN or YOUR name)
+emailAddress                    = Email Address
+# defaults
+countryName_default                     = UA
+stateOrProvinceName_default             = Kharkiv Oblast
+localityName_default                    = Kharkiv
+0.organizationName_default              = ISC
+organizationalUnitName_default          = Software Engeneering (BIND 9)