Redo PR for Opossum

Fixes #2833

This does a check for the opossum vulnerability, see https://opossum-attack.com/ .

It uses a separate function to send the payload and retrieve the result via `http_header_printf()`.  It doesn't use curl or wget. The latter wouldn't work anyway as according to the manpage as the HTTP header which needs to be sent must not contain LFs.  This function was introduced because `http_get_header()` -- which was renamed to `http_head()` -- could use wget if curl is not available. On the way to this PR `http_head()` was improved, so that timeouts were used for curl and wget for better maturity.

`http_header_printf()` now uses bach sockets , strips the URI so that a plaintext request is made. This will be done in the background because not every host will answer.

Done also:
- handling when PROXY is requested (try anyway directly as the payload is not "proxyable")
- print a message when no HTTP service is present
- try hard to use plaintext HTTP when auth is required for HTTPS and service HTTP would not be defined otherwise
- manpages
- help

Also when pwnedkeys are checked a not pwned certificate is labled not neutral but OK=green.

doc/testssl.1.html

@@ -590,6 +590,8 @@
         <code>CCS_MAX_WAITSOCK</code>.</p>
         <p><code>-T, --ticketbleed</code> Checks for Ticketbleed memory
         leakage in BigIP loadbalancers.</p>
+        <p><code>--OP, --opossum</code> Checks for HTTP to HTTPS upgrade
+        vulnerability named Opossum.</p>
         <p><code>--BB, --robot</code> Checks for vulnerability to ROBOT
         / (<em>Return Of Bleichenbacher’s Oracle Threat</em>)
         attack.</p>
@@ -1131,6 +1133,7 @@
         <ul>
         <li>RFC 2246: The TLS Protocol Version 1.0</li>
         <li>RFC 2595: Using TLS with IMAP, POP3 and ACAP</li>
+        <li>RFC 2817: Upgrading to TLS Within HTTP/1.1</li>
         <li>RFC 2818: HTTP Over TLS</li>
         <li>RFC 2830: Lightweight Directory Access Protocol (v3):
         Extension for Transport Layer Security</li>