Make redbean SSL more tunable

This change enables SSL compression. It significantly reduces the
network load of the testing infrastructure, for free, since this
revision didn't need to change any runit protocol code. However we
turn it off by default in redbean since no browsers support it.

It turns out that some TLSv1.0 clients (e.g. curl command on RHEL5) will
send an SSLv2-style ClientHello. These types of clients are usually ten+
years old and were designed to interop with servers ten years older than
them. Your redbean is now able to interop with these clients even though
redbean doesn't actually support SSLv2 or SSLv3. Please note that the -B
flag may be passed to disable this along with TLSv1.0, TLSv1.1, 3DES, &c

The following Lua APIs have been added to redbean:

  - ProgramSslCompression(bool)
  - ProgramSslCiphersuite(name:str)
  - ProgramSslPresharedKey(key:str,identity:str)

Lastly the DHE ciphersuites have been enabled. IANA recommends DHE and
with old clients like RHEL5 it's the only perfect forward secrecy they
implement.

tool/net/help.txt

@@ -471,7 +471,7 @@ FUNCTIONS
    DecodeBase64(ascii:str) → binary:str
            Turns ASCII into binary, in a permissive way that ignores
            characters outside the base64 alphabet, such as whitespace. See
-           decodebase64.c.
+            decodebase64.c.
 
    DecodeLatin1(iso-8859-1:str) → utf-8:str
            Turns ISO-8859-1 string into UTF-8.
@@ -850,6 +850,86 @@ FUNCTIONS
            If this option is programmed then redbean will not transmit a
            Server Name Indicator (SNI) when performing Fetch() requests.
 
+   ProgramSslCompression(bool)
+           This option may be used to enable SSL DEFLATE support. This
+           can harden against cryptanalysis but we leave it off by
+           default since (1) we already have compression at the HTTP
+           layer and (2) there doesn't appear to be any browsers or
+           open source software that support it.
+
+   ProgramSslPresharedKey(key:str, identity:str)
+           This function can be used to enable the PSK ciphersuites
+           which simplify SSL and enhance its performance in controlled
+           environments. `key` may contain 1..32 bytes of random binary
+           data and identity is usually a short plaintext string. The
+           first time this function is called, the preshared key will
+           be added to both the client and the server SSL configs. If
+           it's called multiple times, then the remaining keys will be
+           added to the server, which is useful if you want to assign
+           separate keys to each client, each of which needs a separate
+           identity too. If this function is called multiple times with
+           the same identity string, then the latter call will overwrite
+           the prior. If a preshared key is supplied and no certificates
+           or key-signing-keys are programmed, then redbean won't bother
+           auto-generating any serving certificates and will instead use
+           only PSK ciphersuites.
+
+   ProgramSslCiphersuite(name:str)
+           This function may be called multiple times to specify which
+           ciphersuites should be used in the server and client. The
+           default list, ordered by preference, is as follows:
+
+               ECDHE-ECDSA-AES256-GCM-SHA384
+               ECDHE-ECDSA-AES128-GCM-SHA256
+               ECDHE-ECDSA-CHACHA20-POLY1305-SHA256
+               ECDHE-PSK-AES256-GCM-SHA384
+               ECDHE-PSK-AES128-GCM-SHA256
+               ECDHE-PSK-CHACHA20-POLY1305-SHA256
+               ECDHE-RSA-AES256-GCM-SHA384
+               ECDHE-RSA-AES128-GCM-SHA256
+               ECDHE-RSA-CHACHA20-POLY1305-SHA256
+               DHE-RSA-AES256-GCM-SHA384
+               DHE-RSA-AES128-GCM-SHA256
+               DHE-RSA-CHACHA20-POLY1305-SHA256
+               ECDHE-ECDSA-AES128-CBC-SHA256
+               ECDHE-RSA-AES256-CBC-SHA384
+               ECDHE-RSA-AES128-CBC-SHA256
+               DHE-RSA-AES256-CBC-SHA256
+               DHE-RSA-AES128-CBC-SHA256
+               ECDHE-PSK-AES256-CBC-SHA384
+               ECDHE-PSK-AES128-CBC-SHA256
+               ECDHE-ECDSA-AES256-CBC-SHA
+               ECDHE-ECDSA-AES128-CBC-SHA
+               ECDHE-RSA-AES256-CBC-SHA
+               ECDHE-RSA-AES128-CBC-SHA
+               DHE-RSA-AES256-CBC-SHA
+               DHE-RSA-AES128-CBC-SHA
+               ECDHE-PSK-AES256-CBC-SHA
+               ECDHE-PSK-AES128-CBC-SHA
+               RSA-AES256-GCM-SHA384
+               RSA-AES128-GCM-SHA256
+               RSA-AES256-CBC-SHA256
+               RSA-AES128-CBC-SHA256
+               RSA-AES256-CBC-SHA
+               RSA-AES128-CBC-SHA
+               PSK-AES256-GCM-SHA384
+               PSK-AES128-GCM-SHA256
+               PSK-CHACHA20-POLY1305-SHA256
+               PSK-AES256-CBC-SHA384
+               PSK-AES128-CBC-SHA256
+               PSK-AES256-CBC-SHA
+               PSK-AES128-CBC-SHA
+               ECDHE-RSA-3DES-EDE-CBC-SHA
+               DHE-RSA-3DES-EDE-CBC-SHA
+               ECDHE-PSK-3DES-EDE-CBC-SHA
+               RSA-3DES-EDE-CBC-SHA
+               PSK-3DES-EDE-CBC-SHA
+
+           The names above are canonical to redbean and were simplified
+           programmatically from the official IANA names. This function
+           will accept the IANA names too. In most cases it will accept
+           the OpenSSL and GnuTLS naming convention as well.
+
    IsDaemon() → bool
            Returns true if -d flag was passed to redbean.