WIP: HTTPS pinning
This merge request is a work in progress about #165 (closed) (CA pinning).
This commit will enforce more robust TLS practices (TLS >= 1.2) and pin Let's Encrypt as a CA.
As requested in the comments, there is support for user-accepted degradation: the user can choose to stop pinning on Let's Encrypt if she thinks that's a good idea. The degraded connection will still do proper certificate validation using (all) the system CAs and require TLS >= 1.2.
I expect the code to still be somewhat immature, especially the part dealing with user interaction. Please test and find bugs! Here is a short list of test cases that one could run:
- using a website that has a valid certificate that is not signed by Let's Encrypt should prompt the degradation dialog. If saying yes, the connection must be successful. Example: https://facebook.com
- using a website that has an invalid certificate must first give a warning about pinning. Even if accepting the degradation, there should still be an error. Example: https://ientu.net
- using a website that does not support TLS 1.2 must give an error (examples?)
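
The pin-then-degrade flow and the three test cases above, sketched in Python as an added example; this is not the code from the merge request. The names `make_context`, `connect_with_pinning`, `ask_user` and the `pinned_ca_file` path are assumptions made for illustration.

```python
import socket
import ssl


def make_context(pinned_ca_file=None):
    """Client context: TLS >= 1.2, full certificate and hostname validation.

    With pinned_ca_file (hypothetical path to a PEM bundle holding only the
    pinned CA's roots) only that CA is trusted; without it, all system CAs are.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if pinned_ca_file is not None:
        ctx.load_verify_locations(cafile=pinned_ca_file)
    else:
        ctx.load_default_certs()
    return ctx


def tls_handshake(host, ctx, port=443, timeout=10):
    """Open a connection and return the negotiated protocol version."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


def connect_with_pinning(host, pinned_ctx, degraded_ctx, ask_user,
                         handshake=tls_handshake):
    """Try the pinned context first; degrade only if the user agrees.

    Returns ("pinned" | "degraded", tls_version). Raises ssl.SSLError when
    the user refuses, or when the degraded connection also fails validation.
    A protocol failure (server below TLS 1.2) is not a certificate error,
    so it propagates without ever showing the degradation prompt.
    """
    try:
        return "pinned", handshake(host, pinned_ctx)
    except ssl.SSLCertVerificationError as pin_error:
        # Chain does not lead to the pinned CA (or the certificate is invalid).
        if not ask_user(host, pin_error):
            raise
    # Degraded: still validated against the system CAs, still TLS >= 1.2.
    return "degraded", handshake(host, degraded_ctx)
```

The `handshake` parameter exists so the decision logic can be exercised with simulated outcomes instead of live hosts.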