
Create QuicSslEngine for client with parameter peer host to meet hostname checker requirements#16200

Open
zrlw wants to merge 2 commits into apache:3.3 from zrlw:3.3-quic-hostnamechecker-enabled

Conversation

@zrlw zrlw (Contributor) commented Apr 9, 2026

What is the purpose of the change?

  1. Since Netty 4.2.11.Final the hostname checker has been enabled by default. The checker gets the expected hostname from the session created by the client QuicSslEngine, but currently Dubbo creates the client QuicSslEngine without the peerHost parameter, so a CertificateException is thrown at sun.security.util.HostnameChecker#match because expectedName is null:

```java
// sun.security.util.HostnameChecker (JDK), as quoted in the PR description
public void match(String expectedName, X509Certificate cert,
                  boolean chainsToPublicCA) throws CertificateException {
    if (expectedName == null) {
        throw new CertificateException("Hostname or IP address is " +
                "undefined.");
    }
    if (isIpAddress(expectedName)) {
        matchIP(expectedName, cert);
    } else {
        matchDNS(expectedName, cert, chainsToPublicCA);
    }
}
```

     So we should create the QuicSslEngine for the client with the peer host parameter to support the hostname checker.

  2. The server.pem for TripleHttp3ProtocolTest was changed by adding a SAN (IP address set to 127.0.0.1) to meet the HostnameChecker match requirements.
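The two changes above hinge on how the JDK hostname checker decides what to compare. The following is an added example, not code from Dubbo, Netty or the JDK: a small Python model of the `match` / `matchIP` / `matchDNS` decision quoted above, run against constructed certificate descriptions that stand in for the test server.pem before and after the PR. The certificate fields, names and simplified wildcard rules are assumptions for illustration (the real checker also applies public-suffix rules when `chainsToPublicCA` is set, which this model omits).

```python
"""Model of sun.security.util.HostnameChecker.match (added example, not JDK code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Tuple


class HostnameMismatch(Exception):
    """Stand-in for java.security.cert.CertificateException."""


@dataclass
class CertNames:
    """Identity-bearing fields of an X.509 certificate (constructed, not parsed)."""
    subject_cn: Optional[str] = None
    san_dns: list = field(default_factory=list)   # dNSName SAN entries
    san_ip: list = field(default_factory=list)    # iPAddress SAN entries


def is_ip_address(name: str) -> bool:
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def match(expected_name: Optional[str], cert: CertNames) -> None:
    """Raise HostnameMismatch unless expected_name is an identity the cert carries."""
    if expected_name is None:
        # The failure the PR fixes: an engine built without a peer host leaves the
        # session's expected name null, so verification cannot even start.
        raise HostnameMismatch("Hostname or IP address is undefined.")
    if is_ip_address(expected_name):
        match_ip(expected_name, cert)
    else:
        match_dns(expected_name, cert)


def match_ip(expected_ip: str, cert: CertNames) -> None:
    # An IP literal is compared only with iPAddress SAN entries; the subject CN is
    # never consulted, which is why server.pem needed an IP SAN for 127.0.0.1.
    if not cert.san_ip:
        raise HostnameMismatch("No subject alternative names present")
    want = ipaddress.ip_address(expected_ip)
    if any(ipaddress.ip_address(ip) == want for ip in cert.san_ip):
        return
    raise HostnameMismatch(f"No subject alternative names matching IP address {expected_ip} found")


def match_dns(expected_host: str, cert: CertNames) -> None:
    # dNSName SAN entries take precedence; the CN is a legacy fallback used only
    # when the certificate carries no dNSName entries at all.
    if cert.san_dns:
        if any(dns_name_matches(expected_host, n) for n in cert.san_dns):
            return
        raise HostnameMismatch(f"No subject alternative DNS name matching {expected_host} found")
    if cert.subject_cn and dns_name_matches(expected_host, cert.subject_cn):
        return
    raise HostnameMismatch(f"No name matching {expected_host} found")


def dns_name_matches(host: str, pattern: str) -> bool:
    """Case-insensitive match; '*' is allowed only as the whole leftmost label and
    matches exactly one label, so '*.example.test' does not match 'example.test'."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if "*" not in pattern:
        return host == pattern
    pat_head, pat_dot, pat_tail = pattern.partition(".")
    if pat_head != "*" or not pat_dot or "*" in pat_tail:
        return False  # wildcard anywhere but the leftmost label is rejected
    host_head, host_dot, host_tail = host.partition(".")
    return bool(host_head) and host_dot == "." and host_tail == pat_tail


def verify(expected_name: Optional[str], cert: CertNames) -> Tuple[bool, str]:
    """Boolean wrapper around match() returning (ok, reason)."""
    try:
        match(expected_name, cert)
        return True, "ok"
    except HostnameMismatch as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed stand-ins: server.pem before the PR (no IP SAN) and after (SAN IP:127.0.0.1).
    old_cert = CertNames(subject_cn="localhost")
    new_cert = CertNames(subject_cn="localhost", san_ip=["127.0.0.1"])
    scenarios = [
        (None, new_cert, "engine created without peer host"),
        ("127.0.0.1", old_cert, "peer host 127.0.0.1, cert without IP SAN"),
        ("127.0.0.1", new_cert, "peer host 127.0.0.1, cert with IP SAN"),
    ]
    for expected, cert, label in scenarios:
        print(f"{label}: {verify(expected, cert)}")
```

The three scenarios in the `__main__` block correspond to the states discussed in the PR: a null expected name fails before any certificate field is examined, an IP peer host fails against a CN-only certificate regardless of what the CN says, and only the certificate carrying an iPAddress SAN passes.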

Checklist

  • Make sure there is a GitHub_issue field for the change.
  • Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
  • Write necessary unit-test to verify your logic correction. If the new feature or significant change is committed, please remember to add sample in dubbo samples project.
  • Make sure GitHub Actions can pass. Why the workflow is failing and how to fix it?

@zrlw zrlw changed the title Create QuicSslEngine for client with parameter peer host to support hostname checker Create QuicSslEngine for client with parameter peer host to meethostname checker Apr 9, 2026
@zrlw zrlw changed the title Create QuicSslEngine for client with parameter peer host to meethostname checker Create QuicSslEngine for client with parameter peer host to meet hostname checker requirements Apr 9, 2026
@codecov-commenter commented Apr 9, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 60.75%. Comparing base (8814afa) to head (c99e00f).

Additional details and impacted files
@@             Coverage Diff              @@
##                3.3   #16200      +/-   ##
============================================
- Coverage     60.79%   60.75%   -0.04%     
+ Complexity    11751    11749       -2     
============================================
  Files          1953     1953              
  Lines         89119    89120       +1     
  Branches      13444    13444              
============================================
- Hits          54177    54149      -28     
- Misses        29368    29396      +28     
- Partials       5574     5575       +1     
Flag                        Coverage   Changed lines   Δ
integration-tests-java21    32.11%     <0.00%>         -0.02% ⬇️
integration-tests-java8     32.18%     <0.00%>         +0.01% ⬆️
samples-tests-java21        32.20%     <100.00%>       +0.03% ⬆️
samples-tests-java8         29.70%     <0.00%>         -0.12% ⬇️
unit-tests-java11           59.03%     <100.00%>       +0.01% ⬆️
unit-tests-java17           58.50%     <100.00%>       -0.04% ⬇️
unit-tests-java21           58.51%     <100.00%>       -0.02% ⬇️
unit-tests-java25           58.49%     <100.00%>       +0.01% ⬆️
unit-tests-java8            59.01%     <100.00%>       -0.02% ⬇️


Copilot AI (Contributor) left a comment

Pull request overview

This PR updates Dubbo’s HTTP/3 (QUIC) TLS setup to satisfy Netty’s default hostname verification by ensuring the client-side QUIC SSLEngine is created with a peer host, and refreshes the test server certificate to include a SAN for 127.0.0.1.

Changes:

  • Create the client QUIC SSLEngine with (peerHost, peerPort) via sslEngineProvider(...) to support hostname verification.
  • Stop explicitly disabling endpoint identification in the HTTP/3 client SSL context builder.
  • Update the HTTP/3 test server certificate (server.pem) to include SAN IP:127.0.0.1.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File: dubbo-rpc/dubbo-rpc-triple/src/test/resources/certs/server.pem
  Updates test server certificate to meet hostname verification (SAN) requirements.
File: dubbo-remoting/dubbo-remoting-http3/src/main/java/org/apache/dubbo/remoting/transport/netty4/NettyHttp3ConnectionClient.java
  Creates QUIC SSLEngine with peer host/port via sslEngineProvider.
File: dubbo-remoting/dubbo-remoting-http3/src/main/java/org/apache/dubbo/remoting/http3/Http3SslContexts.java
  Removes explicit disabling of endpoint identification algorithm for client QUIC SSL context.


Comment on lines +68 to 72 (NettyHttp3ConnectionClient.java):

```java
URL url = getUrl();
QuicSslContext quicSslContext = Http3SslContexts.buildClientSslContext(url);
io.netty.channel.ChannelHandler codec = Http3Helper.configCodec(Http3.newQuicClientCodecBuilder(), getUrl())
        .sslContext(Http3SslContexts.buildClientSslContext(getUrl()))
        // engine is now created with peer host and port so the session carries an expected name
        .sslEngineProvider(q -> quicSslContext.newEngine(q.alloc(), url.getHost(), url.getPort()))
        .build();
```
Copilot AI commented Apr 10, 2026

The hostname passed to the QUIC SSLEngine is taken from url.getHost()/getPort(), but the actual remote endpoint is getConnectAddress() (which applies NetUtils.filterLocalHost(...) in AbstractClient#getConnectAddress). These can diverge for values like 127.x, 0.0.0.0, or localhost, causing hostname verification to validate against a different name than the one actually connected to (false failures or, worse, validating the wrong peer). Consider using the host/port from getConnectAddress() (or applying the same filterLocalHost logic) when creating the engine.

@zrlw zrlw requested review from EarthChen, RainYuY and oxsean April 13, 2026 02:25