Posted to dev@jmeter.apache.org by sebb <se...@gmail.com> on 2013/09/06 01:06:13 UTC

Sharing SSL certificates between hosts in the same domain

There may be a lot of different hosts in an SSL test, and over time
the keystore may start to get quite large. Also each host certificate
takes a few seconds to generate.

So if we could share certificates between hosts - e.g. by creating
*.apache.org rather than www.apache.org and jmeter.apache.org - it
would speed up the process.

Unfortunately, it turns out that there is no simple algorithm to
convert a host name to its domain name. The rules vary between
registrars.

For example, *.xyz.org is OK, but *.co.uk is not. And there are more
complicated rules.
See for example the test cases here [1].

And if the calculation is incorrect, the browser won't trust the certificate.

The simplest approach would be to create a certificate for each host,
but as already noted, this uses extra time and resources. However it
would work; maybe that should be the initial approach?

Another approach might be for the user to provide a list of domain
names to be tested.
This would have the advantage that the certificates could be generated
at the start.
It would also be easy to match the host against the domain list (the
end of the host string must match the full domain with leading .)
Any hosts that did not match the domains would require a new cert just
for that host, which could be generated on the fly.

I'm a bit wary of including a 3rd party library just for this purpose.

So I think we have a choice:
- certs for all hosts. Simple but a bit inefficient
- certs for domains specified by the user. More work for user and to code.

So I'm inclined to go with the host per cert implementation, at least
for the initial release.

Thoughts?

[1] http://mxr.mozilla.org/mozilla-central/source/netwerk/test/unit/data/test_psl.txt?raw=1
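
The domain-list matching described in the message, as an added example in Java (not part of the original post and not JMeter code). The class and method names are hypothetical; beyond the suffix rule in the message, it also requires the host to be exactly one label below the listed domain, because browsers match a wildcard against a single label only.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

// Added illustration; class and method names are hypothetical, not JMeter code.
public class CertSubjectChooser {

    /**
     * Returns the certificate subject to use for a host: "*.domain" when the
     * host is exactly one label below a user-listed domain, otherwise the
     * host itself (a per-host certificate generated on the fly).
     */
    static String subjectFor(String host, List<String> domains) {
        String h = host.toLowerCase(Locale.ROOT);
        if (h.endsWith(".")) {               // drop the trailing dot of an FQDN
            h = h.substring(0, h.length() - 1);
        }
        for (String domain : domains) {
            String suffix = "." + domain.toLowerCase(Locale.ROOT);
            // The end of the host must match the full domain with a leading dot,
            // so "notapache.org" does not match "apache.org".
            if (!h.endsWith(suffix)) {
                continue;
            }
            String prefix = h.substring(0, h.length() - suffix.length());
            // A wildcard covers one label only: reject empty or multi-label prefixes.
            if (!prefix.isEmpty() && prefix.indexOf('.') < 0) {
                return "*" + suffix;
            }
        }
        return h;
    }

    public static void main(String[] args) {
        // Constructed sample input: the domain list a user might supply.
        List<String> domains = Arrays.asList("apache.org", "example.co.uk");
        String[] hosts = {
            "www.apache.org", "JMeter.Apache.Org.", "apache.org",
            "a.b.apache.org", "notapache.org", "shop.example.co.uk", "www.other.co.uk"
        };
        for (String host : hosts) {
            System.out.println(host + " -> " + subjectFor(host, domains));
        }
    }
}
```

Because the wildcard suffix comes only from the user-supplied list, no public-suffix calculation is involved and a subject such as *.co.uk is produced only if the user lists co.uk.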