
Fix hostname validation logic for custom self-signed gov't certificate #318

Open: reingart wants to merge 2 commits into jcgregorio:master from reingart:master


@reingart


The current implementation in _GetValidHostsForCert (no DNS specified, commonName in subject not honored) raises an Exception with an ARBA certificate for https://cot.arba.gov.ar/:

CertificateHostnameMismatch: Server presented certificate that does not match host cot.arba.gov.ar: {'notAfter': 'Jun 22 15:41:12 2020 GMT', 'subjectAltName': (('email', 'seguridadlogica@arba.gov.ar'),), 'subject': ((('countryName', u'AR'),), (('stateOrProvinceName', u'Buenos Aires'),), (('localityName', u'La Plata'),), (('organizationName', u'ARBA'),), (('commonName', u'*.arba.gov.ar'),))}

But, it should work, at least gnutls-cli does:

(venv)reingart@S55t-B:~/src/httplib2/python2$ gnutls-cli cot.arba.gov.ar --x509cafile ~/pyafipws/conf/arba.crt 
Processed 1 CA certificate(s).
Resolving 'cot.arba.gov.ar'...
Connecting to '170.155.16.29:443'...
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1024 bits
 - Secret key: 1023 bits
 - Peer's public key: 1024 bits
- Certificate type: X.509
 - Got a certificate list of 1 certificates.
 - Certificate[0] info:
  - subject `C=AR,ST=Buenos Aires,L=La Plata,O=ARBA,CN=*.arba.gov.ar', issuer `DC=arba.gov.ar,C=AR,L=La Plata,ST=Buenos Aires,O=ARBA - Agencia de Recaudacion de la Provincia de Buenos Aires,OU=Seguridad Logica,CN=ARBA - Autoridad Certificante,EMAIL=pki@arba.gov.ar', RSA key 1024 bits, signed using RSA-SHA256, activated `2015-06-24 15:41:12 UTC', expires `2020-06-22 15:41:12 UTC', SHA-1 fingerprint `4a3ca1c3aa12774b7897d2de582dcfb9cfdec4a1'
- The hostname in the certificate matches 'cot.arba.gov.ar'.
- Peer's certificate is trusted
- Version: TLS1.0
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

This patch implements logic similar to Python's SSL match_hostname, while being backward compatible.

A custom test and the CA certificate were added too.

Let me know if you need the same for Python3.

Use subject if subjectAltName doesn't contain DNS entries (this could happen with old/broken certs).
Now the logic is similar to the one used in Python's SSL match_hostname: https://hg.python.org/cpython/file/2.7/Lib/ssl.py#l238
The return value should be backward compatible (None if no hostname is found at all)
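
The fallback rule described in this pull request, as an added example that is not the PR's code or httplib2's API: DNS entries in subjectAltName win, and the subject's commonName is consulted only when no DNS entry exists. The function names are hypothetical, the certificate dict is the one from the exception message above, and the wildcard restrictions are a conservative choice made for this example.

```python
# Added example; function names are hypothetical, not httplib2's API.

# Certificate dict copied from the exception message above
# (the shape returned by ssl.SSLSocket.getpeercert()).
ARBA_CERT = {
    "notAfter": "Jun 22 15:41:12 2020 GMT",
    "subjectAltName": (("email", "seguridadlogica@arba.gov.ar"),),
    "subject": (
        (("countryName", "AR"),),
        (("stateOrProvinceName", "Buenos Aires"),),
        (("localityName", "La Plata"),),
        (("organizationName", "ARBA"),),
        (("commonName", "*.arba.gov.ar"),),
    ),
}


def valid_hosts_for_cert(cert):
    """Return the name patterns a certificate is valid for."""
    dns_names = [value for kind, value in cert.get("subjectAltName", ())
                 if kind.lower() == "dns"]
    if dns_names:
        # DNS SAN entries are authoritative; commonName is ignored.
        return dns_names
    # No DNS entry (absent SAN, or SAN holding only e.g. an email):
    # fall back to every commonName in the subject.
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def pattern_matches(pattern, hostname):
    """Match one pattern; '*' is accepted only as the whole leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # A wildcard covers exactly one non-empty label, and only in a
        # name with at least three labels ('*.ar' is rejected).
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return "*" not in pattern and p_labels == h_labels


def cert_matches_host(cert, hostname):
    return any(pattern_matches(p, hostname) for p in valid_hosts_for_cert(cert))
```
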