
Changes based on feedback; add test

mirokuratczyk 2 lat temu
rodzic
commit
0aee84d8fd
3 zmienionych plików z 25 dodań i 7 usunięć
  1. 1 3
      psiphon/dialParameters.go
  2. 1 2
      psiphon/tlsDialer.go
  3. 23 2
      psiphon/tlsDialer_test.go

+ 1 - 3
psiphon/dialParameters.go

@@ -105,7 +105,6 @@ type DialParameters struct {
 	MeekSNIServerName         string
 	MeekVerifyServerName      string
 	MeekVerifyPins            []string
-	MeekDisableSystemRootCAs  bool
 	MeekHostHeader            string
 	MeekObfuscatorPaddingSeed *prng.Seed
 	MeekTLSPaddingSize        int
@@ -585,7 +584,6 @@ func MakeDialParameters(
 				(len(dialParams.MeekVerifyPins) == 0 || dialParams.MeekVerifyServerName == "") {
 				return nil, errors.TraceNew("TLS certificates must be verified in Conjure API registration")
 			}
-			dialParams.MeekDisableSystemRootCAs = config.DisableSystemRootCAs
 
 			dialParams.MeekDialAddress = net.JoinHostPort(dialParams.MeekFrontingDialAddress, "443")
 			dialParams.MeekHostHeader = dialParams.MeekFrontingHost
@@ -1138,7 +1136,7 @@ func MakeDialParameters(
 			AddPsiphonFrontingHeader:      addPsiphonFrontingHeader,
 			VerifyServerName:              dialParams.MeekVerifyServerName,
 			VerifyPins:                    dialParams.MeekVerifyPins,
-			DisableSystemRootCAs:          dialParams.MeekDisableSystemRootCAs,
+			DisableSystemRootCAs:          config.DisableSystemRootCAs,
 			HostHeader:                    dialParams.MeekHostHeader,
 			TransformedHostName:           dialParams.MeekTransformedHostName,
 			ClientTunnelProtocol:          dialParams.TunnelProtocol,
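Review bot: The replacement on the `DisableSystemRootCAs:` line widens the setting from the Conjure API registration path to every meek CustomTLSConfig built here, but the only visible guarantee that VerifyPins and VerifyServerName accompany it is the Conjure-branch check that returns `TLS certificates must be verified in Conjure API registration`; other meek configurations reaching this struct may now carry `config.DisableSystemRootCAs` without pins, and CustomTLSDial's `config.DisableSystemRootCAs &&` clause looks like it rejects that, so confirm the wider scope is intended. If it is, a comment such as `// DisableSystemRootCAs comes from the client config and applies to every meek TLS dial built here, not only Conjure API registration.` would make the intent explicit to the next reader. MakeDialParameters continues outside the hunk.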

+ 1 - 2
psiphon/tlsDialer.go

@@ -214,8 +214,7 @@ func CustomTLSDial(
 		(config.VerifyLegacyCertificate != nil &&
 			(config.SkipVerify ||
 				len(config.VerifyServerName) > 0 ||
-				len(config.VerifyPins) > 0 ||
-				config.DisableSystemRootCAs)) ||
+				len(config.VerifyPins) > 0)) ||
 
 		(config.DisableSystemRootCAs &&
 			(!config.SkipVerify &&

+ 23 - 2
psiphon/tlsDialer_test.go

@@ -156,7 +156,7 @@ func TestTLSCertificateVerification(t *testing.T) {
 		t.Errorf("unexpected success without invalid pin")
 	}
 
-	// Test: with the root CA certirficate pinned, the TLS dial succeeds.
+	// Test: with the root CA certificate pinned, the TLS dial succeeds.
 
 	conn, err = CustomTLSDial(
 		context.Background(), "tcp", serverAddr,
@@ -209,6 +209,27 @@ func TestTLSCertificateVerification(t *testing.T) {
 	} else {
 		conn.Close()
 	}
+
+	// Test: with SNI changed, DisableSystemRootCAs set along with
+	// VerifyServerName and VerifyPins, and pinning the TLS dial
+	// succeeds.
+
+	conn, err = CustomTLSDial(
+		context.Background(), "tcp", serverAddr,
+		&CustomTLSConfig{
+			Parameters:           params,
+			Dial:                 dialer,
+			SNIServerName:        "not-" + serverName,
+			DisableSystemRootCAs: true,
+			VerifyServerName:     serverName,
+			VerifyPins:           []string{rootCACertificatePin},
+		})
+
+	if err != nil {
+		t.Errorf("CustomTLSDial failed: %v", err)
+	} else {
+		conn.Close()
+	}
 }
 
 // initTestCertificatesAndWebServer creates a Root CA, a web server
@@ -337,7 +358,7 @@ func initTestCertificatesAndWebServer(
 	// Run an HTTPS server with the server certificate.
 
 	serverKeyPair, err := tls.X509KeyPair(
-		pemServerCertificate, pemServerPrivateKey)
+		append(pemServerCertificate, pemRootCACertificate...), pemServerPrivateKey)
 	if err != nil {
 		t.Fatalf("tls.X509KeyPair failed: %v", err)
 	}
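Review bot: The new test block only asserts the positive case — `DisableSystemRootCAs: true` together with VerifyServerName and the pinned root succeeds — and nothing in it shows that the system roots were actually bypassed; a companion dial with `DisableSystemRootCAs: true`, `VerifyServerName: serverName` and no VerifyPins that is expected to fail would pin the behaviour the flag is meant to guarantee, unless an earlier part of TestTLSCertificateVerification already covers it. The change in the last hunk, `append(pemServerCertificate, pemRootCACertificate...)`, alters the chain every test in this file sees and its reason is not stated; a comment on that line such as `// Serve the root CA alongside the leaf so a pinned root is present in the peer chain even when system roots are disabled.` would record why the root is now included — presumably the new test depends on it, so confirm. initTestCertificatesAndWebServer continues outside the hunk.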