It would be nice to have a test asserting that a proxy with identity enabled can still make TLS requests (without mutual auth) before its identity has been certified.

The identity test infrastructure added in linkerd/linkerd2-proxy#227 will be helpful with this, but I think it'll also require implementing a test server that can speak TLS. So this might be slightly more work than #2598.