feat: Configure java connector to check CN instance name. Fixes #1995

[hessjcg]

This code will make that the connector checks that the server certificate's subject CN field matches the instance name
before allowing the TLS handshake to proceed.

This introduces new classes that are always installed as trust managers on all TLS connections to ensure that the TLS logic correctly checks that the server certificate's CN field matches the instance.

• InstanceCheckingTrustManager - Delegates to default TLS trust manager, then checks the CN field.
• InstanceCheckingTrustManagerFactory and InstanceCheckingTrustManagerFactorySpi - Installs
  our custom trust manager into connector TLS sockets.

The ConscryptWorkaroundTrustManagerFactory and ConscryptWorkaroundTrustManagerFactorySpi classes are no longer necessary. Logic to detect Conscrypt and use the workaround ConscryptWorkaroundTrustManager moves into InstanceCheckingTrustManagerFactorySpi.

[enocom]

Do we have a test that verifies a common name mismatch fails the TLS handshake?

[hessjcg]

I added a test for a CN mismatch.

[hessjcg]

@jackwotherspoon We need to manually test this with a domain-scoped instance. Can you do that?

[jackwotherspoon]

@jackwotherspoon We need to manually test this with a domain-scoped instance. Can you do that?

@hessjcg sure, for manually testing should I just run the integration tests? Will that suffice?

[hessjcg]

@jackwotherspoon: Yes, it will be sufficient to run the integration tests at the domain-scoped instance.

[enocom]

FWIW In my opinion, this base class deserves to be split up into small composable units. As is, it's an awkward tool.

[hessjcg]

+1. Maybe in a different PR.

[enocom]

nit: let's make this blatantly wrong, e.g., "wrongwrongwrong" or something similar that catches the eye.

[hessjcg]

Fixed.