[pierrebarre]

What are the things that you think are best handled by the browser while negotiating a session?

[rfd4sgmk8u]

The connection parameters including encryption parameters and certificate from the origin. There are a lot of weird rules in WebPKI you may miss, this is beyond a general purpose TLS library.

Enforcing Certificate Transparency rules or CAA records, is the proxy doing this?

[ThePowerOfFuet]

Which browser enforces CAA?

it's a certificate misissuance, but AFAIK it's not up to the browser.