
Add tls_outgoing_options_for_retries

Open • rousskov opened this issue 1 year ago • 1 comment

acl downgrade ...
tls_outgoing_options cipher=ALL@SECLEVEL=4
tls_outgoing_options_for_retries cipher=ALL@SECLEVEL=3 if downgrade

This directive is handy in environments where Squid should communicate using strict TLS options by default (see tls_outgoing_options) but may relax those restrictions to accommodate certain older origin servers that require inferior (but still deemed "secure enough") settings.

Popular browsers also retry with special TLS options after certain TLS failures, so we are not inventing something new here. Unfortunately, Squid cannot rely on those client features, for several reasons. For example, Squid may not have (or may be unable to relay) enough TLS server information to trigger browser-initiated retries. Squid may also be dealing with a user agent that does not retry (to Squid admin's satisfaction).

rousskov, Aug 12 '23 23:08
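The retry policy the issue proposes (strict options first, a single relaxed retry only when an ACL matches the destination) can be shown as a small simulation. This is an added example, not Squid code: `TlsOptions`, `DstDomainAcl`, `OutgoingTlsPolicy`, `simulated_dial` and the origin-server table are hypothetical stand-ins that model only the `@SECLEVEL=` part of the cipher string, with no network I/O. It also shows the two things a defender would want from such a directive: hosts outside the ACL never get relaxed options, and every downgrade is written to an audit log.

```python
"""Simulation of the proposed tls_outgoing_options_for_retries semantics.

Added example, not Squid's implementation. The classes below are hypothetical
stand-ins for the directive's behaviour, and the origin servers are a
constructed in-memory table (no network I/O). Only the OpenSSL SECLEVEL is
modelled; a real tls_outgoing_options line carries many more settings.
"""
import re
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Callable, List, Optional, Tuple


class TlsHandshakeError(Exception):
    """Raised by the (simulated) dialer when the origin rejects our TLS options."""


@dataclass(frozen=True)
class TlsOptions:
    cipher: str  # OpenSSL cipher string as in the issue, e.g. "ALL@SECLEVEL=4"

    def seclevel(self) -> int:
        """Extract the OpenSSL security level from the cipher string (default 1)."""
        match = re.search(r"@SECLEVEL=(\d)", self.cipher)
        return int(match.group(1)) if match else 1


@dataclass(frozen=True)
class DstDomainAcl:
    """Minimal stand-in for a Squid 'acl <name> dstdomain ...' definition."""
    name: str
    patterns: Tuple[str, ...]

    def matches(self, host: str) -> bool:
        return any(fnmatch(host, pattern) for pattern in self.patterns)


Dialer = Callable[[str, TlsOptions], str]


@dataclass
class OutgoingTlsPolicy:
    """tls_outgoing_options plus an optional, ACL-gated retry configuration."""
    default: TlsOptions                        # tls_outgoing_options
    retry: Optional[TlsOptions] = None         # tls_outgoing_options_for_retries
    retry_acl: Optional[DstDomainAcl] = None   # its 'if <acl>' condition
    audit_log: List[str] = field(default_factory=list)

    def connect(self, host: str, dial: Dialer) -> str:
        """Try strict options first; retry once with relaxed ones only if the ACL allows it."""
        try:
            return dial(host, self.default)
        except TlsHandshakeError:
            allowed = (
                self.retry is not None
                and self.retry_acl is not None
                and self.retry_acl.matches(host)
            )
            if not allowed:
                raise  # no relaxation for hosts outside the ACL
            # Record every downgrade so it can be monitored or alerted on.
            self.audit_log.append(
                f"tls-retry host={host} acl={self.retry_acl.name} "
                f"seclevel={self.default.seclevel()}->{self.retry.seclevel()}"
            )
            return dial(host, self.retry)  # a second failure propagates unchanged


# Constructed data: the highest OpenSSL security level each pretend origin accepts.
ORIGIN_MAX_SECLEVEL = {
    "modern.example": 4,
    "legacy.example": 3,
    "ancient.example": 1,
    "unlisted.example": 3,
}


def simulated_dial(host: str, options: TlsOptions) -> str:
    """Stand-in for a TLS handshake: succeeds only if the origin tolerates our level."""
    wanted = options.seclevel()
    if ORIGIN_MAX_SECLEVEL.get(host, 0) < wanted:
        raise TlsHandshakeError(f"{host} rejected SECLEVEL={wanted}")
    return f"{host}: handshake ok at SECLEVEL={wanted}"


def build_policy() -> OutgoingTlsPolicy:
    """The configuration from the issue, with a concrete 'downgrade' ACL."""
    return OutgoingTlsPolicy(
        default=TlsOptions("ALL@SECLEVEL=4"),
        retry=TlsOptions("ALL@SECLEVEL=3"),
        retry_acl=DstDomainAcl("downgrade", ("legacy.example", "ancient.example")),
    )


def try_connect(policy: OutgoingTlsPolicy, host: str) -> str:
    """Run the policy for one host and report the outcome as a string."""
    try:
        return policy.connect(host, simulated_dial)
    except TlsHandshakeError as err:
        return f"{host}: failed ({err})"


if __name__ == "__main__":
    policy = build_policy()
    for origin in ORIGIN_MAX_SECLEVEL:
        print(try_connect(policy, origin))
    print("\n".join(policy.audit_log))
```

Running it shows `modern.example` succeeding at level 4 with no audit entry, `legacy.example` succeeding only on the logged retry, `unlisted.example` failing without any retry because it is outside the `downgrade` ACL, and `ancient.example` failing on the retry too, since the relaxed options are still a fixed floor rather than an open-ended downgrade.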