fix(ndt7): force our bundled CA pool (#700)

This change should prevent old clients (e.g., Android 6) from
failing to perform an ndt7 experiment because their internal CA
bundle is now too old.

Reference issue: https://github.com/ooni/probe/issues/2031

While there, run `go mod tidy` to fix a minor inconsistency in
the current `go.mod` file.

This diff WILL require a backport to release/3.14.
Simone Basso
2022-02-23 12:59:03 +01:00
committed by GitHub
parent ac2e0d718f
commit 024eb42334
2 changed files with 7 additions and 3 deletions
+6 -2
@@ -17,7 +17,6 @@ type dialManager struct {
logger model.Logger
proxyURL *url.URL
readBufferSize int
tlsConfig *tls.Config
userAgent string
writeBufferSize int
}
@@ -43,10 +42,15 @@ func (mgr dialManager) dialWithTestName(ctx context.Context, testName string) (*
Logger: mgr.logger,
ProxyURL: mgr.proxyURL,
}, reso)
// We force using our bundled CA pool, which should fix
// https://github.com/ooni/probe/issues/2031
tlsConfig := &tls.Config{
RootCAs: netxlite.NewDefaultCertPool(),
}
dialer := websocket.Dialer{
NetDialContext: dlr.DialContext,
ReadBufferSize: mgr.readBufferSize,
TLSClientConfig: mgr.tlsConfig,
TLSClientConfig: tlsConfig,
WriteBufferSize: mgr.writeBufferSize,
}
headers := http.Header{}
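Review bot: The `tls.Config` literal built in dialWithTestName sets only `RootCAs`, so anything a caller used to pass through the removed `mgr.tlsConfig` field is dropped and every other TLS setting falls back to the Go default; the callers are not visible here, so that is worth confirming. Since the config is now constructed locally, the protocol floor could be made explicit with `MinVersion: tls.VersionTLS12,` rather than left to the toolchain default. The comment above the literal should also record the trade-off, e.g. `// Trust is pinned to the bundled pool: CA additions and removals reach clients only through a new release.` The pool appears to be created on every dial; if `netxlite.NewDefaultCertPool()` re-parses the bundle each time, building it once would be cheaper. The body of dialWithTestName starts and ends outside this hunk.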