
WIP: Multiple Certificate-Based Authentication feature

Multiple certificate-based authentication employs two distinct key+cert pairs to authenticate. The mechanism is described here: https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/212483-configure-asa-as-the-ssl-gateway-for-any.html. The first certificate, the "machine certificate", is used to establish the TLS session. In practice this is the Windows machine certificate that uniquely identifies the instance of the operating system. The second, the "user certificate", identifies the user by signing a challenge sent by the server. My experience is that the user employs a PIV. The mechanism identifies both the system and user and is used so that only "authorized" systems and users can log in.

This patch implements multiple certificate-based authentication. If you compile and link against gnutls, multiple certificate-based authentication works and openconnect will establish sessions using the authentication method. I use this daily to connect to my corporate VPN using TPM2 and PKCS#11. Work remains though, such as writing the openssl implementation, exposing the feature with additional API, refining error messages, and updating documentation.

Refactoring of gnutls.c:load_certificates allows both credentials to be loaded using the same code. The function was parameterized so that a set of key path, cert path, password, etc. could be specified.

This has been tested against gnutls 3.5.14 and 3.6.13.

I'm willing to see this through if you are interested.

Thanks.

~ Tom
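The two-identity exchange described above, modelled as an added example in Go (not openconnect's code and not Cisco's wire encoding): the TLS layer has already authenticated the machine certificate, the gateway then issues a nonce, and the client proves possession of the user key by signing it. The Gateway type, its field names, and the use of Ed25519 public keys in place of the actual certificates are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
)

// Gateway holds one session's enrolled identities; the public keys stand in for the
// machine and user certificates. Names and types are hypothetical, not openconnect's.
type Gateway struct {
	MachinePub ed25519.PublicKey // machine identity, already authenticated at the TLS layer
	UserPub    ed25519.PublicKey // user identity (PIV / PKCS#11), proven by challenge
	issued     []byte            // nonce issued on this session, nil until Challenge()
}

// Challenge is issued once the TLS session with the machine certificate is up.
func (g *Gateway) Challenge() []byte {
	g.issued = make([]byte, 32)
	if _, err := rand.Read(g.issued); err != nil {
		panic(err)
	}
	return g.issued
}

// SignChallenge is the client side: prove possession of the user private key
// (in deployment the token signs and the key never leaves it).
func SignChallenge(user ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(user, nonce)
}

// Authorize grants login only if the TLS peer key is the enrolled machine key, the
// nonce is the one this session issued (no replay), and the signature verifies under
// the enrolled user key. Failing either identity check means no login.
func (g *Gateway) Authorize(tlsPeer ed25519.PublicKey, nonce, sig []byte) error {
	if !tlsPeer.Equal(g.MachinePub) {
		return errors.New("machine certificate not authorized")
	}
	if g.issued == nil || subtle.ConstantTimeCompare(nonce, g.issued) != 1 {
		return errors.New("challenge does not match the one issued")
	}
	if !ed25519.Verify(g.UserPub, nonce, sig) {
		return errors.New("user challenge signature invalid")
	}
	g.issued = nil // single use: the next login needs a fresh challenge
	return nil
}
```

A login attempt that presents the right user signature from an unenrolled machine, or the right machine with the wrong user key, is refused, which is the "both system and user" property the feature exists for.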
