rsync-ssl: add socat transport #981

Open: steadytao wants to merge 4 commits into master from fix/rsync-ssl-socat-transport

@steadytao
Member

Fixes #869 by adding socat as an rsync-ssl transport.

rsync-ssl currently supports openssl s_client, gnutls-cli and stunnel. The failure reported in #869 points at the openssl s_client path breaking as a transport with OpenSSL 3.6.2, while the investigation in the issue found that stunnel and socat avoid the failure mode. The linked OpenSSL issue, openssl/openssl#30925, still appears to be the upstream place for the s_client regression, so this keeps the existing OpenSSL path for compatibility rather than trying to work around that buffering behaviour inside rsync.

This adds --type=socat and RSYNC_SSL_SOCAT.

The socat transport uses:

  • OPENSSL:host:port
  • commonname=host
  • snihost=host for host names
  • no-sni=1 for IP literals
  • verify=1 when RSYNC_SSL_CA_CERT is unset
  • verify=0 when RSYNC_SSL_CA_CERT is set to an empty value
  • cafile=... when RSYNC_SSL_CA_CERT is set to a path
  • cert=... and key=... for client certificate configuration

The automatic helper search still prefers openssl first, preserving the existing default for users who have OpenSSL installed. If OpenSSL is unavailable, it now tries socat before stunnel. That fallback order is deliberate; in this script, stunnel cannot use the default CA certificate collection while socat can still perform verification without requiring an explicit CA file.

The new testsuite coverage uses fake helper binaries to verify the wrapper/helper contract without requiring a live TLS daemon. It covers explicit --type=socat, socat command construction, SNI handling, CA/cert/key options, disabled verification, OpenSSL-first default selection and socat fallback when OpenSSL is absent.
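
The option list in the description above, assembled in shell as an added example (this is not the code from the pull request). The function names are hypothetical, `RSYNC_SSL_CERT` and `RSYNC_SSL_KEY` are assumed to be the variables behind `cert=` and `key=` as in the existing rsync-ssl script, the character checks on host, port and paths are an addition, and IPv6 literals are left out.

```shell
# Added example: assemble the socat address from the option list above.
# Usage: socat_tls_addr HOST PORT  -> prints the address, or returns 1.

opt_path() {
    # A comma in a path would be read by socat as the start of another option.
    case $1 in *,*) echo "comma not allowed in path: $1" >&2; return 1 ;; esac
}

socat_tls_addr() {
    host=$1 port=$2
    # Accept only characters that cannot alter how socat splits the address.
    case $host in
        ''|*[!A-Za-z0-9.-]*) echo "bad host: $host" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac

    addr="OPENSSL:$host:$port,commonname=$host"

    # Digits and dots only: treat as an IPv4 literal and send no SNI.
    case $host in
        *[!0-9.]*) addr="$addr,snihost=$host" ;;
        *)         addr="$addr,no-sni=1" ;;
    esac

    # Unset, empty and path-valued RSYNC_SSL_CA_CERT are three distinct cases.
    if [ -z "${RSYNC_SSL_CA_CERT+set}" ]; then
        addr="$addr,verify=1"                   # default CA collection
    elif [ -z "$RSYNC_SSL_CA_CERT" ]; then
        addr="$addr,verify=0"                   # verification switched off
    else
        opt_path "$RSYNC_SSL_CA_CERT" || return 1
        addr="$addr,cafile=$RSYNC_SSL_CA_CERT"  # the page lists cafile= only
    fi

    # Client certificate and key (variable names assumed, see lead-in).
    if [ -n "${RSYNC_SSL_CERT:-}" ]; then
        opt_path "$RSYNC_SSL_CERT" || return 1
        addr="$addr,cert=$RSYNC_SSL_CERT"
    fi
    if [ -n "${RSYNC_SSL_KEY:-}" ]; then
        opt_path "$RSYNC_SSL_KEY" || return 1
        addr="$addr,key=$RSYNC_SSL_KEY"
    fi
    printf '%s\n' "$addr"
}
```

The empty-value case is the one to audit in deployments: `RSYNC_SSL_CA_CERT=` in an environment file yields `verify=0`, which is easy to mistake for "use the defaults".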

@steadytao
Member Author

Overlooked BSD. Pushing a fix shortly for CI fails.

Development

Successfully merging this pull request may close these issues.

rsync-ssl breaking with openssl 3.6.2
