fix: validate the server-presented chain in connect

[danielewood]

Summary

• enforce certkit connect verification against the server-presented certificate path rather than implicitly accepting platform-completed chains
• add --tls-version so TLS 1.2 and TLS 1.3 presentation can be compared directly
• add regression coverage for incomplete presented chains, AIA-assisted recovery, and TLS version pinning
• refresh generated docs and dependency lockfiles required by repo prechecks

Repro

• a server can present a complete path on TLS 1.2 and an incomplete or malformed path on TLS 1.3
• certkit connect --tls-version 1.2 should validate when the peer presents a usable chain
• certkit connect --tls-version 1.3 should fail when the peer omits the required issuer path

Validation

• go test ./...
• local certkit connect checks with pinned TLS 1.2 and TLS 1.3
• repo commit hooks re-run successfully under go1.26.2

[Copilot]

Pull request overview

This PR hardens certkit connect by validating against the server-presented certificate path (instead of allowing platform-assisted completion to mask missing intermediates), and adds a CLI flag to pin the negotiated TLS version for reproducible comparisons across TLS 1.2/1.3 presentation differences.

Changes:

• Enforce “presented-chain” path validation and refine AIA-related diagnostics/behavior in ConnectTLS.
• Add --tls-version parsing/plumbing to pin TLS 1.0–1.3, plus legacy-fallback version checks.
• Add/adjust regression tests for TLS version pinning and incomplete/duplicated presented chains with AIA recovery.

Reviewed changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated 8 comments.

Show a summary per file

File	Description
connect.go	Adds presented-chain path validation helpers, TLS version pinning in config, and updated verification/AIA behavior.
connect_test.go	Adds TLS-version pin test and expands coverage for missing-intermediate/duplicate-leaf and AIA scenarios.
cmd/certkit/connect.go	Adds --tls-version flag + parsing and tweaks JSON trust-status handling for presented-chain failures.
cmd/certkit/connect_test.go	Adds unit tests for parseConnectTLSVersion and updates status-line consistency fixture.
probe_legacy.go	Ensures legacy fallback respects pinned TLS version and reports mismatch.
README.md	Documents the new --tls-version flag.
go.mod / go.sum	Dependency bumps (e.g., x/crypto, x/sys, modernc.org/sqlite, go-pkcs12).

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 6704355d54

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[danielewood]

@copilot review this pr

[Copilot]

@copilot review this pr

All review comments from the automated review have been addressed in commit 3973933:

1. Trust path logic (connect.go:234–262) – replaced with presentedChainBuildsVerifiedPath which drops only the trust anchor (last cert) from the check, correctly handling non-Mozilla/custom system roots not in the peer chain.

2. CS-5 violation (connect.go:883–886) – newConnectTLSConfig now accepts connectTLSConfigInput (input struct with serverName, clientAuth, version).

3. ERR-2 violation (cmd/certkit/connect.go:451–459) – collectConnectTrustStatus uses the ConnectTrustPathStatus enum instead of matching against an error string.

4. ERR-4 / acronym casing (connect.go:33–35, cmd/certkit/connect.go:39, probe_legacy.go:38) – all TLS-related error strings use "TLS" (uppercase) consistently.

5. Missing expected version in error (probe_legacy.go:405) – version mismatch error now includes both expected and negotiated versions: expected %s, got %s.

6. CHANGELOG – ## [Unreleased] has entries for both the --tls-version flag and the presented-chain validation behavior change.

All tests pass (go test ./...).

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• example.com
  • Triggering command: /tmp/go-build2066287632/b327/certstore.test /tmp/go-build2066287632/b327/certstore.test -test.paniconexit0 -test.count=1 -test.timeout=2m0s conf�� time/trace/annotation.go time/trace/batch.go ux-amd64/pkg/tool/linux_amd64/compile user.name essage (dns block)
  • Triggering command: /tmp/go-build2066287632/b325/internal.test /tmp/go-build2066287632/b325/internal.test -test.paniconexit0 -test.count=1 -test.timeout=2m0s conf�� ux-amd64/src/os/-p ernal/sysinfo/cpuinfo_linux.go ux-amd64/pkg/tool/linux_amd64/compile user.name go (dns block)
• google.com
  • Triggering command: /tmp/go-build2066287632/b279/certkit.test /tmp/go-build2066287632/b279/certkit.test -test.paniconexit0 -test.count=1 -test.timeout=2m0s conf�� list3/logfilter.go list3/loglist3.go ux-amd64/pkg/tool/linux_amd64/compile credential.usern/home/REDACTED/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.26.0.linux-amd64/pkg/too/tmp/go-build2066287632/b118/vet.cfg (dns block)
• this-does-not-exist.invalid
  • Triggering command: /tmp/go-build2066287632/b279/certkit.test /tmp/go-build2066287632/b279/certkit.test -test.paniconexit0 -test.count=1 -test.timeout=2m0s conf�� list3/logfilter.go list3/loglist3.go ux-amd64/pkg/tool/linux_amd64/compile credential.usern/home/REDACTED/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.26.0.linux-amd64/pkg/too/tmp/go-build2066287632/b118/vet.cfg (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)