[PATCH] test/ssl: rework the sslfiles Makefile target

From: Jacob Champion <pchampion(at)vmware(dot)com>
To: "pgsql-hackers(at)lists(dot)postgresql(dot)org" <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Cc: "andrew(at)dunslane(dot)net" <andrew(at)dunslane(dot)net>
Subject: [PATCH] test/ssl: rework the sslfiles Makefile target
Date: 2021-03-04 00:03:36
Message-ID: d15a9838344ba090e09fd866abf913584ea19fb7.camel@vmware.com
Lists: pgsql-hackers

Hello all,

Andrew pointed out elsewhere [1] that it's pretty difficult to add new
certificates to the test/ssl suite without blowing away the current
state and starting over. I needed new cases for the NSS backend work,
and ran into the same pain, so here is my attempt to improve the
situation.

For the common case -- adding a new certificate/key pair -- all you
have to do now is drop one new .config file into the test/ssl
directory, add it to either the CLIENTS or SERVERS list, and run `make
sslfiles`. No cleaning necessary.

The core architectural addition: by making use of both order-only
dependencies and intermediate file cleanup, the CA state will be
recreated (exactly once) on demand for each Make run, assign serial
numbers to new certificates in increasing order, and then be
automatically removed at the end of the Make run. So it should be much
harder to accumulate junk state during incremental development.

== Improvements ==

- The sslfiles target no longer needs to be preceded by sslfiles-clean
to work correctly.

- I've removed some incorrect dependencies, added missing ones, and
moved others to order-only (such as the CA state files -- we need them
to exist, but the changes they accumulate should not force other
certificates to be regenerated).

- Most of the copy-paste recipes have been consolidated, and some
existing copy-paste cruft has disappeared as a result. The unused
server-ss certificate has been removed entirely.

- Serial number collisions are less likely, thanks to Andrew's idea to
use the current clock time as the initial serial number in a series.

- All the .config files are now self-contained (i.e. they contain all
the required extension information), which simplifies the OpenSSL
recipes significantly. No more -extfile wrangling.

== Downsides ==

- I am making _heavy_ use of GNU Make-isms, which does not improve
long-term maintainability.

== Possible Future Work ==

- I haven't quite fixed the dependency situation for the CRL hash
directories -- there are situations where they could be incorrectly
remade. (Relying on directories' timestamps is perilous.) But I think I
have not made the situation worse than it is today.

- Because all of these generated files are still checked in, if you run
`make sslfiles` after checking out the ssl artifacts directory for the
first time, Make may decide to regenerate some files due to the more
recent timestamps. I don't see an easy way around this. You can reset
Make's view of things with a `touch ssl/*`, but it'd be nice if it
didn't happen to begin with.

I recommend using a diff driver for the new certificates and CRLs so
that you can see the actual changes -- the only things that should have
changed are the serial numbers, the timestamps, and the signature
blobs.

WDYT? I missed the boat slightly for the current commitfest, so I'll
add this patch to the next one.

--Jacob

[1] https://www.postgresql.org/message-id/fd96ae76-a8e3-ef8e-a642-a592f5b76771%40dunslane.net

Attachment: 0001-test-ssl-rework-the-sslfiles-Makefile-target.patch (text/x-patch, 93.1 KB)
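
The mechanism the message describes (CA state as an order-only, intermediate prerequisite, seeded with a clock-based starting serial), shown as an added GNU Make example. It is not taken from the attached patch: the file names and client list are hypothetical, and it passes subjects with -subj rather than .config files so that it runs on its own.

```make
# Added illustration, not the patch's Makefile. Needs GNU Make and openssl.
# CLIENTS is a constructed sample list; append a name and rerun `make sslfiles`.
CLIENTS := client-a client-b
CERTS := $(CLIENTS:%=ssl/%.crt)
CSRS := $(CLIENTS:%=ssl/%.csr)

# Hypothetical CA state file: the serial counter openssl reads and increments.
CA_STATE := ssl/ca.srl

.PHONY: sslfiles
sslfiles: $(CERTS)

# Intermediate: Make creates this only when some target that needs it is
# being rebuilt, and deletes it at the end of the run that created it.
.INTERMEDIATE: $(CA_STATE)

ssl:
	mkdir -p $@

# Starting serial comes from the clock, so separate runs rarely collide.
# Sixteen decimal digits are also a valid even-length hex string for openssl.
$(CA_STATE): | ssl
	date +%Y%m%d%H%M%S00 > $@

# Throwaway test CA; ssl/ca.key is written as a side effect of this recipe.
ssl/ca.crt: | ssl
	openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
		-subj "/CN=Test CA" -keyout ssl/ca.key -out $@

# One key and signing request per client (static pattern rule, so these
# files are ordinary targets and are kept between runs).
$(CSRS): ssl/%.csr: | ssl
	openssl req -new -newkey rsa:2048 -nodes \
		-subj "/CN=$*" -keyout ssl/$*.key -out $@

# The CA state sits after the "|": it must exist while signing, but the
# fact that every signature modifies it never marks other certs stale.
$(CERTS): ssl/%.crt: ssl/%.csr ssl/ca.crt | $(CA_STATE)
	openssl x509 -req -in $< -CA ssl/ca.crt -CAkey ssl/ca.key \
		-CAserial $(CA_STATE) -days 30 -out $@
```

A second `make sslfiles` with no changes does nothing and does not recreate ssl/ca.srl; adding a name to CLIENTS signs only the new certificate, starting from a fresh clock-based serial.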
