OCSP-stapling enhancement and testing.

Server:
  Honor environment variable as well as running_in_test_harness in permitting bogus staplings
  Update server tests
  Add "-ocsp" option to client-ssl.
  Server side: add verification of stapled status.
  First cut server-mode ocsp testing.
  Fix some uninitialized ocsp-related data.

Client (new):
  Verify stapling using only the chain that verified the server cert, not any acceptable chain.
  Add check for multiple responses in a stapling, which is not handled
  Refuse verification on expired and revoking staplings.
  Handle OCSP client refusal on lack of stapling from server.
  More fixing in client OCSP: use the server cert signing chain to verify the OCSP info.
  Add transport hosts_require_ocsp option.
  Log stapling responses.
  Start on tests for client-side.

Testing support:
    Add CRL generation code and documentation update
    Initial CA & certificate set for testing.

BUGFIX:
    Once a single OCSP response has been extracted the validation
    routine return code is no longer about the structure, but the actual
    returned OCSP status.