There may be a lot of different hosts in an SSL test, and over time the keystore may start to get quite large. Also each host certificate takes a few seconds to generate.
So if we could share certificates between hosts - e.g. by creating *.apache.org rather than www.apache.org and jmeter.apache.org - it would speed up the process.

Unfortunately, it turns out that there is no simple algorithm to convert a host name to its domain name. The rules vary between registrars. For example, *.xyz.org is OK, but *.co.uk is not. And there are more complicated rules. See for example the test cases here [1]. And if the calculation is incorrect, the browser won't trust the certificate.

The simplest approach would be to create a certificate for each host, but as already noted, this uses extra time and resources. However, it would work; maybe that should be the initial approach?

Another approach might be for the user to provide a list of domain names to be tested. This would have the advantage that the certificates could be generated at the start. It would also be easy to match the host against the domain list (the end of the host string must match the full domain with leading .). Any hosts that did not match the domains would require a new cert just for that host, which could be generated on the fly.

I'm a bit wary of including a 3rd party library just for this purpose.

So I think we have a choice:
- certs for all hosts. Simple but a bit inefficient
- certs for domains specified by the user. More work for user and to code.

So I'm inclined to go with the host per cert implementation, at least for the initial release.

Thoughts?

[1] http://mxr.mozilla.org/mozilla-central/source/netwerk/test/unit/data/test_psl.txt?raw=1
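
The domain-list matching described in the message above, as an added example that is not part of the original post and is not JMeter code. The class and method names are hypothetical, and the single-label check goes beyond the suffix rule in the message: it is added because browsers match a certificate wildcard against one host label only, so a.b.apache.org is not covered by *.apache.org.

```java
import java.util.List;
import java.util.Locale;

/** Added example: chooses the certificate subject for a proxied host. Hypothetical names. */
public class CertSubjectResolver {

    /**
     * Returns "*.domain" when the host sits exactly one label below a
     * user-supplied domain; otherwise returns the host itself, meaning
     * a per-host certificate has to be generated on the fly.
     */
    static String subjectFor(String host, List<String> domains) {
        String h = normalize(host);
        for (String d : domains) {
            String domain = normalize(d);
            // Suffix rule from the message: host must end with "." + domain.
            // The leading dot rejects "badapache.org" and the bare domain itself.
            if (domain.isEmpty() || !h.endsWith("." + domain)) {
                continue;
            }
            String prefix = h.substring(0, h.length() - domain.length() - 1);
            // Assumption added here: a wildcard covers a single label only,
            // so deeper hosts fall through to a per-host certificate.
            if (!prefix.isEmpty() && prefix.indexOf('.') < 0) {
                return "*." + domain;
            }
        }
        return h;
    }

    /** Host names are case-insensitive and may carry a trailing root dot. */
    static String normalize(String name) {
        String n = name.trim().toLowerCase(Locale.ROOT);
        return n.endsWith(".") ? n.substring(0, n.length() - 1) : n;
    }

    public static void main(String[] args) {
        // Constructed sample input: the list a user would supply up front.
        List<String> domains = List.of("apache.org", "example.co.uk");
        String[] hosts = {"www.apache.org", "JMeter.Apache.org.", "apache.org",
                "a.b.apache.org", "badapache.org", "shop.example.co.uk", "www.other.net"};
        for (String host : hosts) {
            System.out.println(host + " -> " + subjectFor(host, domains));
        }
    }
}
```

Because the user names the domains, no public-suffix calculation is needed: a wildcard is only ever created for a domain the user listed, and every other host gets its own certificate.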
