Couchbase Server issue MB-16363

The New CBQ shell needs to support CA server certificates for encrypting client-server communication in watson


Details

    • Improvement
    • Resolution: Fixed
    • Blocker
    • 4.5.0
    • 4.5.0
    • query
    • Security Level: Public

    Description

      CBQ needs to support CA server certificates for encrypting client-server communication in watson

      CBQ needs to verify CA-signed certificates received from cbq-engine. In 4.0 and 4.1, CBQ does no cert verification; it is explicitly configured to skip verification (https://github.com/couchbase/query/blob/master/shell/cbq/shell.go#L43).

      The PRD for CA-signed certs (https://goo.gl/tftXbs) requests that CBQ validate the cert received from cbq-engine when it is a CA-signed cert (section 3, "Enabling CA authentication"). To implement this, CBQ must revert to the default behaviour (that is, not skip verification when initializing TLS). If the CA cert is installed in the local system root store it will be picked up by the Go tls library (see "RootCAs" in https://golang.org/pkg/crypto/tls/). Alternatively, CBQ can be explicitly passed or configured with the path to the CA cert; examples of this:
      https://gist.github.com/michaljemala/d6f4e01c4834bf47a9c4 - note that verification of the client by the server is not required
      http://stackoverflow.com/questions/21562269/golang-how-to-specify-certificate-in-tls-config-for-http-client
      https://github.com/hydrogen18/test-tls

      To summarize:
      1) Self-signed server cert - no cert verification required (CBQ behaves as in 4.0/4.1)
      2) CA-signed server cert - CBQ should verify the cert received from cbq-engine
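
      As an added illustration of the two cases above (not code from the cbq shell or the Couchbase query project), here is a Go builder for the client-side tls.Config: the names ClientTLSConfig and newTestCA, the allowSelfSigned flag and the "example-test-ca" subject are assumptions for this demonstration, and the CA used to exercise it is generated in-process as constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ClientTLSConfig builds the tls.Config a client such as cbq could use when dialing cbq-engine.
// caPEM is an optional PEM CA bundle; allowSelfSigned is the explicit opt-out for the 4.0/4.1 behaviour.
func ClientTLSConfig(caPEM []byte, allowSelfSigned bool) (*tls.Config, error) {
	if allowSelfSigned { // Case 1: self-signed server cert, verification deliberately skipped.
		return &tls.Config{InsecureSkipVerify: true}, nil
	}
	cfg := &tls.Config{MinVersion: tls.VersionTLS12} // RootCAs nil: Go verifies against the system root store.
	if len(caPEM) > 0 { // Case 2: a CA was supplied, so verify only against that CA.
		cfg.RootCAs = x509.NewCertPool()
		if !cfg.RootCAs.AppendCertsFromPEM(caPEM) {
			return nil, errors.New("no CA certificate found in PEM data")
		}
	}
	return cfg, nil
}

// newTestCA creates a throw-away self-signed CA (constructed sample data, not a Couchbase certificate).
func newTestCA() []byte {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "example-test-ca"}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	cfg, err := ClientTLSConfig(newTestCA(), false)
	fmt.Println("verifying against supplied CA:", err == nil && cfg.RootCAs != nil && !cfg.InsecureSkipVerify)
}
```

      Note that passing an empty pool as RootCAs would reject every server, which is why the pool is only created when a CA bundle is actually supplied.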

      Dependency:
      Implementation of CA-signed certs in Couchbase Server

      Background:
      https://luxsci.com/blog/ssl-versus-tls-whats-the-difference.html
      https://golang.org/pkg/crypto/tls/
      http://www.hydrogen18.com/blog/your-own-pki-tls-golang.html
      https://coreos.com/etcd/docs/0.4.7/etcd-security/

          People

            djp Don Pinto [X] (Inactive)