git.ipfire.org Git - thirdparty/strongswan.git/commitdiff
Merge branch 'revocation-fetcher'
author Tobias Brunner <tobias@strongswan.org>
Thu, 13 Nov 2025 17:51:11 +0000 (18:51 +0100)
committer Tobias Brunner <tobias@strongswan.org>
Thu, 13 Nov 2025 17:56:57 +0000 (18:56 +0100)
Combines concurrent requests for the same CRL URI by multiple threads.
So only the first thread actually fetches it, the others wait for that
result.  This is particularly helpful if the CRL can currently not
be fetched due to DNS or HTTP/LDAP timeouts as it prevents each thread
from having to wait for the complete timeouts, which reduces the number
of SAs that can concurrently be established.

A negative result is cached for a while (currently 3 times the fetch
timeout, i.e. 30 seconds by default) so requests can fail quickly and
threads can continue establishing SAs if they use a relaxed revocation
policy.

Closes strongswan/strongswan#2918


Trivial merge
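
The behaviour the commit message describes (one fetch per CRL URI shared by all concurrent requesters, and a failure remembered for 3 times the fetch timeout) is shown below as an added Python example. It is not strongSwan's code; `CoalescingFetcher`, `demo`, the constants and the URI are hypothetical names and constructed values, and successful results are deliberately not cached here.

```python
import threading
import time

FETCH_TIMEOUT = 10.0              # seconds; the default implied by the commit message
NEGATIVE_TTL = 3 * FETCH_TIMEOUT  # a failed fetch is remembered for 30 s

class CoalescingFetcher:
    """Hypothetical single-flight wrapper around a slow CRL fetch callable."""
    def __init__(self, fetch, clock=time.monotonic):
        self._fetch, self._clock = fetch, clock  # fetch(uri) -> bytes, raises on error
        self._lock = threading.Lock()
        self._inflight = {}       # uri -> job shared by the leader and its waiters
        self._failed_until = {}   # uri -> time before which requests fail fast

    def get(self, uri):
        with self._lock:
            if self._clock() < self._failed_until.get(uri, float("-inf")):
                return None       # negative cache hit: no fetch, no waiting
            leader = uri not in self._inflight
            job = self._inflight.setdefault(uri, {"done": threading.Event(), "crl": None})
        if not leader:
            job["done"].wait()    # someone else is fetching this URI: reuse the result
            return job["crl"]
        try:
            job["crl"] = self._fetch(uri)   # slow part runs without the lock held
        except Exception:
            pass                  # DNS/HTTP/LDAP failure or timeout: crl stays None
        with self._lock:
            if job["crl"] is None:
                self._failed_until[uri] = self._clock() + NEGATIVE_TTL
            del self._inflight[uri]
        job["done"].set()
        return job["crl"]

def demo(n_threads=8, uri="http://crl.example.test/ca.crl"):  # constructed URI
    """n_threads ask for one unreachable CRL; returns fetch counts over time."""
    calls, now = [], [0.0]
    def unreachable(u):
        calls.append(u)
        time.sleep(0.2)           # stands in for the full fetch timeout
        raise TimeoutError(u)
    fetcher = CoalescingFetcher(unreachable, clock=lambda: now[0])
    threads = [threading.Thread(target=fetcher.get, args=(uri,)) for _ in range(n_threads)]
    for t in threads: t.start()
    for t in threads: t.join()
    burst = len(calls)            # 1: one leader, the rest waited or failed fast
    now[0] = NEGATIVE_TTL - 0.1; fetcher.get(uri); cached = len(calls)   # still 1
    now[0] = NEGATIVE_TTL + 0.1; fetcher.get(uri); retried = len(calls)  # 2
    return burst, cached, retried
```

With a strict revocation policy the fast `None` still means the certificate check fails; the gain is that worker threads are released instead of each sitting through the full timeout.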