Conversation

@newTomas newTomas commented Jan 7, 2026

This PR adds several improvements to the stunnel plugin:

  1. Add all missing protocols - Added cifs, capwin, capwinctrl, connect, pgsql, proxy, socks protocols from stunnel documentation.

  2. Add OCSP AIA toggle - New checkbox to enable OCSP certificate verification.

  3. Fix service status detection - Status check was incorrectly reporting "stopped" when identd_stunnel was not running, even if the main stunnel service was running. Fixed by checking only the main stunnel service status.


[status]
command:/usr/local/etc/rc.d/stunnel status; /usr/local/etc/rc.d/identd_stunnel onestatus; exit 0
command:/usr/local/etc/rc.d/stunnel status; exit 0
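Review bot: dropping `/usr/local/etc/rc.d/identd_stunnel onestatus` from the `[status]` command stops the false "stopped" report only by hiding the identd service entirely; once this is merged the backend will not see whether identd_stunnel is running even when the user has enabled it. Consider keeping the call and filtering its output so only the main stunnel line reaches the status parser, or reporting the two services separately, rather than removing the check.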
Member


If there's an issue with the status call, this probably isn't the place to fix it (as it will ignore the identd process in full now).

Author


As I understand it, the check takes place in the base class
/usr/local/opnsense/mvc/app/controllers/OPNsense/Base/ApiMutableServiceControllerBase.php:

if (strpos($response, 'not running') > 0) {
    if ($this->serviceEnabled()) {
        $status = 'stopped';
    } else {
        $status = 'disabled';
    }
} elseif (strpos($response, 'is running') > 0) {
    $status = 'running';
} elseif (!$this->serviceEnabled()) {
    $status = 'disabled';
} else {
    $status = 'unknown';
}

By default, the ident is disabled, which is why the status command returns:

stunnel is running as pid 78451.
identd_stunnel is not running.

The code first searches for the string 'not running' and sets the status to 'stopped'.
Ideally, the stunnel and ident status should be displayed separately, but I suspect you'll have to change the OPNsense base class to do this. Correct me if I'm wrong.

Member


The question is not which line to change but which output we expect. A single service status should return a single line IMO even though that's not always the case. We can mask one status line or filter for the backend to see the right thing.
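To make the two points above concrete, here is an added example (not code from the PR or from OPNsense): a POSIX sh function that mirrors the match order of the base-class status parser quoted earlier, run against a constructed copy of the two-line rc output, plus a hypothetical filter that keeps the identd call but passes only the main service's line to the parser, which is the "filter for the backend" option rather than the PR's removal of the call. The `grep '^stunnel '` filter and the `filter_main_service` name are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the PR or of OPNsense.

# Constructed sample: what the combined status command prints when ident is
# disabled (the two lines quoted in the discussion).
COMBINED_OUTPUT='stunnel is running as pid 78451.
identd_stunnel is not running.'

# Mirror of ApiMutableServiceControllerBase: 'not running' is tested before
# 'is running', so any stopped sub-service in the output wins.
# $1 = rc output, $2 = 1 if the service is enabled (default 1).
# (The PHP uses strpos(...) > 0, which also ignores a match at offset 0;
#  that corner case is not reproduced here.)
classify_status() {
    output=$1
    enabled=${2:-1}
    case "$output" in
        *"not running"*)
            if [ "$enabled" = 1 ]; then echo stopped; else echo disabled; fi ;;
        *"is running"*)
            echo running ;;
        *)
            if [ "$enabled" = 1 ]; then echo unknown; else echo disabled; fi ;;
    esac
}

# Hypothetical filter: keep running both rc scripts, but only hand the main
# stunnel line to the parser. Assumed pattern; identd_stunnel lines are dropped.
filter_main_service() {
    printf '%s\n' "$1" | grep '^stunnel '
}

# Stand-alone demonstration:
#   unfiltered two-line output  -> stopped (the misreport described in the PR)
#   filtered to the stunnel line -> running
classify_status "$COMBINED_OUTPUT" 1
classify_status "$(filter_main_service "$COMBINED_OUTPUT")" 1
```

Running the script prints `stopped` for the unfiltered output and `running` once only the `stunnel` line is fed to the parser; that is the difference between hiding identd (the PR's change) and masking its line so the backend still runs, and could still report on, both services.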
