tlsenum package probes a remote endpoint with one ClientHello
per (version, cipher) pair via utls, so the checker can report the
exact set the server accepts rather than only the suite Go's stdlib
happens to negotiate. Probe accepts an Upgrader callback so STARTTLS
dialects plug in without tlsenum learning about them; the checker
bridges its existing dialect registry through upgraderFor.
Add Chain []CertInfo to TLSProbe, carrying per-cert DER and precomputed
TLSA hashes (Cert/SPKI, SHA-256/SHA-512) plus the raw SPKI DER. This
lets downstream checkers (checker-dane) perform TLSA matching against
the observed chain without re-running a TLS handshake.
