A TLS probe result depends only on the set of endpoints actually dialed and
the probe knobs, never on which domain or service published them: the
observation is a map keyed by each endpoint's contract Ref
(host|port|effective SNI|STARTTLS|require). Implement sdk.ObservationSharer so
the host dials a host:port once and serves every target that resolves to the
same endpoint set, instead of re-handshaking per record. This is the
highest-value case among the checkers, since dane, xmpp, srv, dav, … all
funnel their endpoints into this single checker.
The share key sorts the endpoint Refs and folds in the probe timeout and the
cipher-enumeration flag, since both change what is collected (a tighter
timeout can fail a slow handshake; enumeration adds the Enum block). An empty
or unparseable entry set yields "" so the host falls back to per-target
caching.
tlsenum package probes a remote endpoint with one ClientHello
per (version, cipher) pair via utls, so the checker can report the
exact set the server accepts rather than only the suite Go's stdlib
happens to negotiate. Probe accepts an Upgrader callback so STARTTLS
dialects plug in without tlsenum learning about them; the checker
bridges its existing dialect registry through upgraderFor.
The binary doubles as its own healthcheck client via the SDK's
-healthcheck flag, so the probe works in the scratch image
(no shell, no curl, no wget).
Bound line reads with readLineLimited to prevent a peer from exhausting
memory by withholding line terminators, wrap previously bare error
returns for consistent context, surface XML decoder Skip errors, and
replace the goto in the XMPP feature scan with a labeled break. New
starttls_test.go exercises SMTP/IMAP/POP3/XMPP/LDAP success and
not-advertised paths through net.Pipe-mocked servers.
The SDK split the HTTP server scaffolding into the new
checker-sdk-go/checker/server subpackage. Update main.go to import
server and call server.New, and isolate the interactive form code
behind the standalone build tag so plugin/builtin builds skip
net/http entirely.
Add Chain []CertInfo to TLSProbe, carrying per-cert DER and precomputed
TLSA hashes (Cert/SPKI, SHA-256/SHA-512) plus the raw SPKI DER. This
lets downstream checkers (checker-dane) perform TLSA matching against
the observed chain without re-running a TLS handshake.
