Highly-opinionated (ex-bullshit-free) MTPROTO proxy for Telegram.
If you use v1.0 or an upgrade broke your proxy, please read the chapter Version 2
The fronting-domain step only opened a bare TCP connection, so a missing,
expired, untrusted or wrong-host certificate still reported a green check.
That is exactly the misleading result reported in #518.
After the TCP dial, perform a default crypto/tls handshake against the
fronting endpoint with ServerName set to the secret host. Standard
verification validates the chain against the system roots, checks the leaf
SAN against the secret host, and enforces the validity period in one step,
so expired/untrusted/wrong-host certificates surface as descriptive x509
errors.
The dial target still honors the domain-fronting.host override while SNI
stays the secret host, matching what domain fronting puts on the wire.
When proxy-protocol is enabled the listener expects a PROXY header before
the ClientHello, which doctor does not emit yet; the certificate probe is
skipped with an informational note instead of reporting a false negative.
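The check the commit message describes, sketched as an added example (not code from this commit or from mtg): the dial target and the SNI are separate inputs, and the default crypto/tls verification result is mapped to a verdict. The names `probeCert`, `classify` and `runDemo` are hypothetical, the `roots` parameter exists only so the example runs offline, and the endpoint is a constructed local `httptest` server.

```go
package main
import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net"
	"net/http/httptest"
	"time"
)

// probeCert (hypothetical helper) dials dialAddr but sends secretHost as SNI; nil roots means system roots.
func probeCert(dialAddr, secretHost string, roots *x509.CertPool) error {
	cfg := &tls.Config{ServerName: secretHost, RootCAs: roots}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", dialAddr, cfg)
	if err == nil {
		conn.Close()
	}
	return err
}

// classify maps the x509 error behind a failed handshake to a short verdict.
func classify(err error) string {
	var h x509.HostnameError
	var u x509.UnknownAuthorityError
	var i x509.CertificateInvalidError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &h):
		return "wrong-host"
	case errors.As(err, &u):
		return "untrusted"
	case errors.As(err, &i) && i.Reason == x509.Expired:
		return "expired"
	}
	return "other"
}

// runDemo probes a constructed local endpoint; httptest's built-in test certificate covers example.com.
func runDemo() (string, string, string) {
	srv := httptest.NewTLSServer(nil)
	defer srv.Close()
	addr, pool := srv.Listener.Addr().String(), x509.NewCertPool() // addr plays the fronting override
	pool.AddCert(srv.Certificate())
	return classify(probeCert(addr, "example.com", pool)), // chain and SAN both verify
		classify(probeCert(addr, "wrong.example", pool)), // SAN does not cover the SNI
		classify(probeCert(addr, "example.com", x509.NewCertPool())) // no trusted root
}
func main() { fmt.Println(runDemo()) }
```

All three probes reach the same listener over TCP, so a dial-only check would pass each of them; only the handshake separates the good certificate from the wrong-host and untrusted cases.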