It would be good to have ongoing tests for the domains we use as fronts for anticensorship, e.g.:
https://www.google.com/
https://a0.awsstatic.com/
https://ajax.aspnetcdn.com/
I would love to have periodic checks that 1) each domain is accessible, and 2) the certificate chain is what we expect, to find MITM attempts.
I suppose the existing nettests/blocking/http_requests.py can handle simple HTTPS connectivity. Is it easy to add the URLs above to the standard tests?
I'm less sure about how to get the certificate chain. I did some searching and didn't find a way to get the certificate chain from the twisted.web.client.Agent that templates/httpt.py uses (maybe you provide it a twisted.internet.ssl.ContextFactory somehow?). nettests/experimental/tls_handshake.py doesn't seem to be quite what I want. What do you suggest?
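The two periodic checks requested above, sketched as an added example that is not part of the original post and not ooni-probe code. It uses Python's standard `ssl` module rather than `twisted.web.client.Agent`; all function names are hypothetical, and the pin sets are assumed to come from a baseline run recorded on a trusted network.

```python
import hashlib
import socket
import ssl

# Front domains named in the post; every function name below is hypothetical.
FRONTS = ["www.google.com", "a0.awsstatic.com", "ajax.aspnetcdn.com"]

def fingerprints(chain_der):
    """SHA-256 hex fingerprint of each DER certificate, leaf first."""
    return [hashlib.sha256(der).hexdigest() for der in chain_der]

def fetch_chain(host, port=443, timeout=10):
    """Return the DER certificates the server presented, leaf first."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            if hasattr(tls, "get_unverified_chain"):  # Python 3.13+
                return list(tls.get_unverified_chain())
            return [tls.getpeercert(binary_form=True)]  # older: leaf only

def check_chain(observed, pinned):
    """Compare observed fingerprints with the pinned set for one front.

    Returns (status, unknown). "ok": every certificate is pinned.
    "partial": some are, e.g. a rotated leaf under a known issuer.
    "mismatch": none are (or no chain at all), the case to investigate.
    """
    if not observed:
        return "mismatch", []
    unknown = [fp for fp in observed if fp not in pinned]
    if not unknown:
        return "ok", unknown
    return ("partial" if len(unknown) < len(observed) else "mismatch"), unknown

def probe(host, pinned, fetch=fetch_chain):
    """One periodic check: 1) reachable, 2) chain matches the pins."""
    try:
        chain = fetch(host)
    except OSError as exc:  # includes ssl.SSLError and verification failures
        return {"host": host, "reachable": False, "error": type(exc).__name__}
    status, unknown = check_chain(fingerprints(chain), pinned)
    return {"host": host, "reachable": True, "status": status, "unknown": unknown}

if __name__ == "__main__":
    for front in FRONTS:  # with no pins yet, "unknown" is the baseline to record
        print(probe(front, pinned=set()))
```

Because the default context verifies the chain, an interception certificate that does not chain to a trusted root shows up as `reachable: False` with an `SSLCertVerificationError`, while one that does chain to a trusted root shows up as `mismatch`.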