api request helper: enforce TLS cert-check and add cert-fingerprint option

api request helper: enforce TLS cert-check and add cert-fingerprint option

Currently, we do not verify the TLS certificate for API requests
external IPAM and DNS integration. This could allow man-in-the-middle
attacks, albeit most IPAM infrastructure is on controlled and isolated
LANs, so it's not something that should frequently happen; and
technically our IPAM integration is still marked as tech-preview,
which had its reasons.

Enforce verification, and allow users to pass a cert SHA256
fingerprint to ensure a certificates validity if it's not trusted by
the system trust store, as it's, e.g., the case for self-signed certs.

The code was adapted from the one in pve-apiclient, which we cannot
reuse directly as it is only implemented for requests against PVE
nodes, not as a generic HTTP client request helper.

Add the new dependency `libio-socket-ssl-perl` required to get the
verify callback for the TLS certificate used for cert-fingerprint
checking.

Signed-off-by: Hannes Duerr <h.duerr@proxmox.com>
Tested-by: Stefan Hanreich <s.hanreich@proxmox.com>
 [TL: return valid for non-leaf certs and rewrite commit message]
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>