Make redbean SSL more tunable

This change enables SSL compression. It significantly reduces the
network load of the testing infrastructure, for free, since this
revision didn't need to change any runit protocol code. However we
turn it off by default in redbean since no browsers support it.

It turns out that some TLSv1.0 clients (e.g. curl command on RHEL5) will
send an SSLv2-style ClientHello. These types of clients are usually ten+
years old and were designed to interop with servers ten years older than
them. Your redbean is now able to interop with these clients even though
redbean doesn't actually support SSLv2 or SSLv3. Please note that the -B
flag may be passed to disable this along with TLSv1.0, TLSv1.1, 3DES, &c

The following Lua APIs have been added to redbean:

  - ProgramSslCompression(bool)
  - ProgramSslCiphersuite(name:str)
  - ProgramSslPresharedKey(key:str,identity:str)

Lastly the DHE ciphersuites have been enabled. IANA recommends DHE and
with old clients like RHEL5 it's the only perfect forward secrecy they
implement.

third_party/mbedtls/config.h

@@ -16,7 +16,6 @@
 /*#define MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL*/
 /*#define MBEDTLS_SSL_PROTO_DTLS*/
 /*#define MBEDTLS_SSL_PROTO_SSL3*/
-/*#define MBEDTLS_ZLIB_SUPPORT*/
 #endif
 
 /* hash functions */
@@ -74,8 +73,8 @@
 #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 #define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
 #define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
-/*#define MBEDTLS_DHM_C*/
-/*#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED*/
+#define MBEDTLS_DHM_C
+#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
 /*#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED*/
 /*#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED*/
 /*#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED*/
@@ -110,14 +109,44 @@
 #define MBEDTLS_ENTROPY_MAX_SOURCES       4
 #define MBEDTLS_X509_MAX_INTERMEDIATE_CA  8
 
-/* boosts performance from 230k qps to 330k */
 #ifndef TINY
-#ifndef __FSANITIZE_ADDRESS__
+/*
+ * Boosts performance from 230k qps to 330k
+ * Hardens against against sbox side channels
+ */
+#define MBEDTLS_AESNI_C
 #define MBEDTLS_HAVE_ASM
 #define MBEDTLS_HAVE_X86_64
 #define MBEDTLS_HAVE_SSE2
-#define MBEDTLS_AESNI_C
 #endif
+
+#ifndef TINY
+/*
+ * TODO(jart): RHEL5 sends SSLv2 hello even though it supports TLS. Is
+ *             DROWN really a problem if we turn this on? Since Google
+ *             supports it on their website. SSLLabs says we're OK.
+ */
+#define MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
+#endif
+
+#ifndef TINY
+/*
+ * The CIA says "messages should be compressed prior to encryption"
+ * because "compression reduces the amount of information to be
+ * encrypted, thereby decreasing the amount of material available for
+ * cryptanalysis. Additionally, compression is designed to eliminate
+ * redundancies in the message, further complicating cryptanalysis."
+ *
+ * Google says that if you (1) have the ability to record encrypted
+ * communications made by a machine and (2) have the ability to run code
+ * on that machine which injects plaintext repeatedly into the encrypted
+ * messages, then you can extract other small parts of the mesasge which
+ * the code execution sandbox doesn't allow you to see, and that the
+ * only solution to stop using compression.
+ *
+ * Since we pay $0.12/gb for GCP bandwidth we choose to believe the CIA.
+ */
+#define MBEDTLS_ZLIB_SUPPORT
 #endif
 
 #if IsModeDbg()