OutlineFoundation · fortuna · Jun 16, 2026 · Jun 16, 2026 · Jun 16, 2026 · Jun 16, 2026
diff --git a/transport/tls/stream_dialer_test.go b/transport/tls/stream_dialer_test.go
@@ -19,15 +19,20 @@ import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
+	stdTLS "crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"math/big"
+	"io"
+	"log"
 	"net"
+	"net/http"
+	"net/http/httptest"
 	"testing"
 	"time"
 
-	"golang.getoutline.org/sdk/transport"
 	"github.com/stretchr/testify/require"
+	"golang.getoutline.org/sdk/transport"
 )
 
 func TestDomain(t *testing.T) {
@@ -44,17 +49,53 @@ func TestDomain(t *testing.T) {
 }
 
 func TestUntrustedRoot(t *testing.T) {
-	sd, err := NewStreamDialer(&transport.TCPDialer{})
+	now := time.Now()
+	rootCA, rootKey := createRootCA(t)
+	leafCert, leafKey := createLeafCert(t,
+		[]string{"localhost"},
+		[]net.IP{net.ParseIP("127.0.0.1")},
+		rootCA, rootKey,
+		now.Add(-time.Hour), now.Add(time.Hour),
+	)
+
+	addr := serveTLSHandshakes(t, stdTLS.Certificate{
+		Certificate: [][]byte{leafCert.Raw},
+		PrivateKey:  leafKey,
+	})
+	host, _, err := net.SplitHostPort(addr)
+	require.NoError(t, err)
+
+	verifier := &StandardCertVerifier{CertificateName: host, Roots: x509.NewCertPool()}
+	sd, err := NewStreamDialer(&transport.TCPDialer{}, WithCertVerifier(verifier))
 	require.NoError(t, err)
-	_, err = sd.DialStream(context.Background(), "untrusted-root.badssl.com:443")
+	_, err = sd.DialStream(context.Background(), addr)
 	var certErr x509.UnknownAuthorityError
 	require.ErrorAs(t, err, &certErr)
 }
 
 func TestExpired(t *testing.T) {
-	sd, err := NewStreamDialer(&transport.TCPDialer{})
+	now := time.Now()
+	rootCA, rootKey := createRootCA(t)
+	leafCert, leafKey := createLeafCert(t,
+		[]string{"localhost"},
+		[]net.IP{net.ParseIP("127.0.0.1")},
+		rootCA, rootKey,
+		now.Add(-2*time.Hour), now.Add(-time.Hour),
+	)
+	rootPool := x509.NewCertPool()
+	rootPool.AddCert(rootCA)
+
+	addr := serveTLSHandshakes(t, stdTLS.Certificate{
+		Certificate: [][]byte{leafCert.Raw},
+		PrivateKey:  leafKey,
+	})
+	host, _, err := net.SplitHostPort(addr)
+	require.NoError(t, err)
+
+	verifier := &StandardCertVerifier{CertificateName: host, Roots: rootPool}
+	sd, err := NewStreamDialer(&transport.TCPDialer{}, WithCertVerifier(verifier))
 	require.NoError(t, err)
-	_, err = sd.DialStream(context.Background(), "expired.badssl.com:443")
+	_, err = sd.DialStream(context.Background(), addr)
 	var certErr x509.CertificateInvalidError
 	require.ErrorAs(t, err, &certErr)
 	require.Equal(t, x509.Expired, certErr.Reason)
@@ -171,6 +212,17 @@ type countedStreamConn struct {
 	counter *connCounterDialer
 }
 
+func serveTLSHandshakes(t *testing.T, cert stdTLS.Certificate) string {
+	t.Helper()
+
+	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}))
+	srv.TLS = &stdTLS.Config{Certificates: []stdTLS.Certificate{cert}}
+	srv.Config.ErrorLog = log.New(io.Discard, "", 0)
+	srv.StartTLS()
+	t.Cleanup(srv.Close)
+	return srv.Listener.Addr().String()
+}
+
 func (d *connCounterDialer) DialStream(ctx context.Context, raddr string) (transport.StreamConn, error) {
 	conn, err := d.base.DialStream(ctx, raddr)
 	if conn != nil {