Fix SNI tests for LibreSSL

Since beginning of 2022, LibreSSL dropped support for IP addresses in
SNI. This is aligned to RFC 6066, section 3:

> Literal IPv4 and IPv6 addresses are not permitted in "HostName".

In order to deal with it, make servers listen on and clients connect to
"localhost" instead of "127.0.0.1" and adjust "server.crt" to use
"localhost" as Common Name instead of "127.0.0.1".

Author: lgv5

t/mojo/certs/server.crt

@@ -1,12 +1,12 @@
 -----BEGIN CERTIFICATE-----
-MIIBsjCCARsCCQCptEBZlSnk3jANBgkqhkiG9w0BAQUFADAaMQswCQYDVQQGEwJV
-UzELMAkGA1UEAxMCY2EwHhcNMTQxMjEyMDUwMzI1WhcNMzQxMjA3MDUwMzI1WjAh
-MQswCQYDVQQGEwJVUzESMBAGA1UEAxMJMTI3LjAuMC4xMIGfMA0GCSqGSIb3DQEB
+MIIBsjCCARsCCQCM8WLoRPCPATANBgkqhkiG9w0BAQsFADAaMQswCQYDVQQGEwJV
+UzELMAkGA1UEAxMCY2EwHhcNMjMwMjI1MTc1NjAwWhcNNDMwMjIwMTc1NjAwWjAh
+MQswCQYDVQQGEwJVUzESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEB
 AQUAA4GNADCBiQKBgQDDhbj7nsfzahPilwn6pGdo6nKYCR21WZ73CuwPN86DmsZi
 5LIRYRfKA0unape2BQBnMnSmInaXvHHBdVsTyt3XSFZj5+iCF9RcorXAqcDygScj
 8MTWYAZxCu3lGAjtw0bGGYutlLg5jtEXvZwfe61XfJj9xDUPNQrP7mf/HTBmgQID
-AQABMA0GCSqGSIb3DQEBBQUAA4GBACRIx9fB4x8UO44C9TGj3bKb1NX3bkuHMz0m
-WdhCkzUUiANtRMxp2oLA3KHY4yOusZLZIUNyP10Ri5q/U1mR0poYCMm7AYee2OV7
-NdQIyppeDLoWQ9uPISPjp1d+zjpGOrLrSkpD1rYLVw4R56A9ZQks/LNs6TSceZjZ
-c5QST/9i
+AQABMA0GCSqGSIb3DQEBCwUAA4GBABjuNiXMWmGIr4LU7hypd4QKFZDfHyFFw21h
+dRhFp4cBq+A/9cDW7CBmKuVvBwYtkLSzQf0Y2/55mx1hz85NjRiSdDENWLncW8sA
+qt0mS9eX6s9HMeYNcT9ngPoAAUmkGT3/tAXwmejvu2XKBt8UBcnpJdt40YYq1wIH
+9lcg5Hni
 -----END CERTIFICATE-----

t/mojo/daemon_ipv6_tls.t

@@ -41,8 +41,8 @@ subtest 'IPv6, TLS, SNI and a proxy' => sub {
   $daemon = Mojo::Server::Daemon->new(app => app, silent => 1);
   my $listen
     = 'https://[::1]'
-    . '?127.0.0.1_cert=t/mojo/certs/server.crt'
-    . '&127.0.0.1_key=t/mojo/certs/server.key'
+    . '?localhost_cert=t/mojo/certs/server.crt'
+    . '&localhost_key=t/mojo/certs/server.key'
     . '&example.com_cert=t/mojo/certs/domain.crt'
     . '&example.com_key=t/mojo/certs/domain.key';
   my $forward = $daemon->listen([$listen])->start->ports->[0];
@@ -54,7 +54,7 @@ subtest 'IPv6, TLS, SNI and a proxy' => sub {
   is $tx->res->code, 200,      'right status';
   is $tx->res->body, 'works!', 'right content';
   ok !$tx->error, 'no error';
-  $tx = $ua->get("https://127.0.0.1/");
+  $tx = $ua->get("https://localhost/");
   is $tx->res->code, 200,      'right status';
   is $tx->res->body, 'works!', 'right content';
   ok !$tx->error, 'no error';

t/mojo/ioloop_tls.t

@@ -14,7 +14,7 @@ plan skip_all => 'IO::Socket::SSL 2.009+ required for this test!'     unless Moj
 # openssl req -x509 -days 7300 -key ca.key -in ca.csr -out ca.crt
 #
 # openssl genrsa -out server.key 1024
-# openssl req -new -key server.key -out server.csr -subj "/C=US/CN=127.0.0.1"
+# openssl req -new -key server.key -out server.csr -subj "/C=US/CN=localhost"
 # openssl x509 -req -days 7300 -in server.csr -out server.crt -CA ca.crt \
 #   -CAkey ca.key -CAcreateserial
 #
@@ -36,7 +36,7 @@ utf8::upgrade $upgraded;
 my ($server, $client);
 my $promise = Mojo::Promise->new->ioloop($loop);
 my $id      = $loop->server(
-  {address => '127.0.0.1', tls => 1} => sub {
+  {address => 'localhost', tls => 1} => sub {
     my ($loop, $stream) = @_;
     $stream->write($upgraded => sub { shift->write('321') });
     $stream->on(close => sub { $promise->resolve });
@@ -46,7 +46,7 @@ my $id      = $loop->server(
 my $port     = $loop->acceptor($id)->port;
 my $promise2 = Mojo::Promise->new->ioloop($loop);
 $loop->client(
-  {port => $port, tls => 1, tls_options => {SSL_verify_mode => 0x00}} => sub {
+  {address => 'localhost', port => $port, tls => 1, tls_options => {SSL_verify_mode => 0x00}} => sub {
     my ($loop, $err, $stream) = @_;
     $stream->write('tset' => sub { shift->write('123') });
     $stream->on(close => sub { $promise2->resolve });
@@ -64,7 +64,7 @@ my ($remove, $running, $timeout, $server_err, $server_close, $client_close);
 Mojo::IOLoop->remove(Mojo::IOLoop->recurring(0 => sub { $remove++ }));
 $promise = Mojo::Promise->new;
 $id      = Mojo::IOLoop->server(
-  address  => '127.0.0.1',
+  address  => 'localhost',
   tls      => 1,
   tls_ca   => 't/mojo/certs/ca.crt',
   tls_cert => 't/mojo/certs/server.crt',
@@ -88,6 +88,7 @@ $id      = Mojo::IOLoop->server(
 $port     = Mojo::IOLoop->acceptor($id)->port;
 $promise2 = Mojo::Promise->new;
 Mojo::IOLoop->client(
+  address     => 'localhost',
   port        => $port,
   tls         => 1,
   tls_cert    => 't/mojo/certs/client.crt',
@@ -118,6 +119,7 @@ ok !$server_err, 'no error';
 # Invalid client certificate
 my $client_err;
 Mojo::IOLoop->client(
+  address  => 'localhost',
   port     => $port,
   tls      => 1,
   tls_cert => 't/mojo/certs/bad.crt',
@@ -133,7 +135,7 @@ ok $client_err, 'has error';
 # Missing client certificate
 ($server_err, $client_err) = ();
 Mojo::IOLoop->client(
-  {port => $port, tls => 1} => sub {
+  {address => 'localhost', port => $port, tls => 1} => sub {
     shift->stop;
     $client_err = shift;
   }
@@ -146,7 +148,7 @@ ok $client_err,  'has error';
 $loop = Mojo::IOLoop->new;
 ($server_err, $client_err) = ();
 $id = $loop->server(
-  address  => '127.0.0.1',
+  address  => 'localhost',
   tls      => 1,
   tls_ca   => 'no cert',
   tls_cert => 't/mojo/certs/server.crt',
@@ -155,6 +157,7 @@ $id = $loop->server(
 );
 $port = $loop->acceptor($id)->port;
 $loop->client(
+  address  => 'localhost',
   port     => $port,
   tls      => 1,
   tls_cert => 't/mojo/certs/client.crt',
@@ -173,7 +176,7 @@ ok $client_err,  'has error';
 ($client, $client_close) = ();
 $promise = Mojo::Promise->new;
 $id      = Mojo::IOLoop->server(
-  address  => '127.0.0.1',
+  address  => 'localhost',
   tls      => 1,
   tls_ca   => 't/mojo/certs/ca.crt',
   tls_cert => 't/mojo/certs/server.crt',
@@ -195,6 +198,7 @@ $id      = Mojo::IOLoop->server(
 $port     = Mojo::IOLoop->acceptor($id)->port;
 $promise2 = Mojo::Promise->new;
 Mojo::IOLoop->client(
+  address  => 'localhost',
   port     => $port,
   tls      => 1,
   tls_ca   => 't/mojo/certs/ca.crt',
@@ -227,17 +231,18 @@ ok !$server_err, 'no error';
 $loop = Mojo::IOLoop->new;
 ($server_err, $client_err) = ();
 $id = $loop->server(
-  address  => '127.0.0.1',
+  address  => 'localhost',
   tls      => 1,
   tls_cert => 't/mojo/certs/bad.crt',
   tls_key  => 't/mojo/certs/bad.key',
   sub { $server_err = 'accepted' }
 );
 $port = $loop->acceptor($id)->port;
 $loop->client(
-  port   => $port,
-  tls    => 1,
-  tls_ca => 't/mojo/certs/ca.crt',
+  address => 'localhost',
+  port    => $port,
+  tls     => 1,
+  tls_ca  => 't/mojo/certs/ca.crt',
   sub {
     shift->stop;
     $client_err = shift;
@@ -251,15 +256,15 @@ ok $client_err,  'has error';
 $loop = Mojo::IOLoop->new;
 ($server_err, $client_err) = ();
 $id = $loop->server(
-  address  => '127.0.0.1',
+  address  => 'localhost',
   tls      => 1,
   tls_cert => 't/mojo/certs/bad.crt',
   tls_key  => 't/mojo/certs/bad.key',
   sub { $server_err = 'accepted' }
 );
 $port = $loop->acceptor($id)->port;
 $loop->client(
-  address => '127.0.0.1',
+  address => 'localhost',
   port    => $port,
   tls     => 1,
   tls_ca  => 't/mojo/certs/ca.crt',
@@ -276,17 +281,18 @@ ok $client_err,  'has error';
 $loop = Mojo::IOLoop->new;
 ($server_err, $client_err) = ();
 $id = $loop->server(
-  address  => '127.0.0.1',
+  address  => 'localhost',
   tls      => 1,
   tls_cert => 't/mojo/certs/bad.crt',
   tls_key  => 't/mojo/certs/bad.key',
   sub { $server_err = 'accepted' }
 );
 $port = $loop->acceptor($id)->port;
 $loop->client(
-  port   => $port,
-  tls    => 1,
-  tls_ca => 'no cert',
+  address => 'localhost',
+  port    => $port,
+  tls     => 1,
+  tls_ca  => 'no cert',
   sub {
     shift->stop;
     $client_err = shift;
@@ -301,7 +307,7 @@ $loop = Mojo::IOLoop->new;
 my ($cipher, $version);
 ($server, $client, $client_err) = ();
 $id = $loop->server(
-  address     => '127.0.0.1',
+  address     => 'localhost',
   tls         => 1,
   tls_ca      => 't/mojo/certs/ca.crt',
   tls_cert    => 't/mojo/certs/server.crt',
@@ -315,6 +321,7 @@ $id = $loop->server(
 );
 $port = $loop->acceptor($id)->port;
 $loop->client(
+  address     => 'localhost',
   port        => $port,
   tls         => 1,
   tls_cert    => 't/mojo/certs/bad.crt',
@@ -340,7 +347,7 @@ is $cipher, $expect, "$expect has been negotiatied";
 # Ignore missing client certificate
 ($server, $client, $client_err) = ();
 $id = Mojo::IOLoop->server(
-  address     => '127.0.0.1',
+  address     => 'localhost',
   tls         => 1,
   tls_ca      => 't/mojo/certs/ca.crt',
   tls_cert    => 't/mojo/certs/server.crt',
@@ -350,7 +357,7 @@ $id = Mojo::IOLoop->server(
 );
 $port = Mojo::IOLoop->acceptor($id)->port;
 Mojo::IOLoop->client(
-  {port => $port, tls => 1, tls_options => {SSL_verify_mode => 0x00}} => sub {
+  {address => 'localhost', port => $port, tls => 1, tls_options => {SSL_verify_mode => 0x00}} => sub {
     shift->stop;
     $client     = 'connected';
     $client_err = shift;
@@ -365,7 +372,7 @@ subtest 'ALPN' => sub {
   plan skip_all => 'ALPN support required!' unless IO::Socket::SSL->can_alpn;
   my ($server_proto, $client_proto);
   $id = Mojo::IOLoop->server(
-    address     => '127.0.0.1',
+    address     => 'localhost',
     tls         => 1,
     tls_options => {SSL_alpn_protocols => ['foo', 'bar', 'baz']},
     sub {
@@ -376,6 +383,7 @@ subtest 'ALPN' => sub {
   );
   $port = Mojo::IOLoop->acceptor($id)->port;
   Mojo::IOLoop->client(
+    address     => 'localhost',
     port        => $port,
     tls         => 1,
     tls_options => {SSL_alpn_protocols => ['baz', 'bar'], SSL_verify_mode => 0x00},

t/mojo/user_agent_tls.t

@@ -21,28 +21,28 @@ get '/' => {text => 'works!'};
 subtest 'Web server with valid certificates' => sub {
   my $daemon = Mojo::Server::Daemon->new(app => app, ioloop => Mojo::IOLoop->singleton, silent => 1);
   my $listen
-    = 'https://127.0.0.1'
+    = 'https://localhost'
     . '?cert=t/mojo/certs/server.crt'
     . '&key=t/mojo/certs/server.key'
     . '&ca=t/mojo/certs/ca.crt&verify=0x03';
   my $port = $daemon->listen([$listen])->start->ports->[0];
 
   subtest 'No certificate' => sub {
     my $ua = Mojo::UserAgent->new(ioloop => Mojo::IOLoop->singleton);
-    my $tx = $ua->get("https://127.0.0.1:$port");
+    my $tx = $ua->get("https://localhost:$port");
     ok $tx->error, 'has error';
-    $tx = $ua->get("https://127.0.0.1:$port");
+    $tx = $ua->get("https://localhost:$port");
     ok $tx->error, 'has error';
-    $tx = $ua->ca('t/mojo/certs/ca.crt')->get("https://127.0.0.1:$port");
+    $tx = $ua->ca('t/mojo/certs/ca.crt')->get("https://localhost:$port");
     ok $tx->error, 'has error';
-    $tx = $ua->get("https://127.0.0.1:$port");
+    $tx = $ua->get("https://localhost:$port");
     ok $tx->error, 'has error';
   };
 
   subtest 'Valid certificates' => sub {
     my $ua = Mojo::UserAgent->new(ioloop => Mojo::IOLoop->singleton);
     $ua->ca('t/mojo/certs/ca.crt')->cert('t/mojo/certs/client.crt')->key('t/mojo/certs/client.key');
-    my $tx = $ua->get("https://127.0.0.1:$port");
+    my $tx = $ua->get("https://localhost:$port");
     ok !$tx->error, 'no error';
     is $tx->res->code, 200,      'right status';
     is $tx->res->body, 'works!', 'right content';
@@ -54,7 +54,7 @@ subtest 'Web server with valid certificates' => sub {
     local $ENV{MOJO_CERT_FILE} = 't/mojo/certs/client.crt';
     local $ENV{MOJO_KEY_FILE}  = 't/mojo/certs/client.key';
     local $ENV{MOJO_INSECURE}  = 0;
-    my $tx = $ua->get("https://127.0.0.1:$port");
+    my $tx = $ua->get("https://localhost:$port");
     is $ua->ca,       't/mojo/certs/ca.crt',     'right path';
     is $ua->cert,     't/mojo/certs/client.crt', 'right path';
     is $ua->key,      't/mojo/certs/client.key', 'right path';
@@ -67,7 +67,7 @@ subtest 'Web server with valid certificates' => sub {
   subtest 'Invalid certificate' => sub {
     my $ua = Mojo::UserAgent->new(ioloop => Mojo::IOLoop->singleton);
     $ua->cert('t/mojo/certs/bad.crt')->key('t/mojo/certs/bad.key');
-    my $tx = $ua->get("https://127.0.0.1:$port");
+    my $tx = $ua->get("https://localhost:$port");
     ok $tx->error, 'has error';
   };
 };
@@ -76,7 +76,7 @@ subtest 'Web server with valid certificates' => sub {
 subtest 'Web server with valid certificates and no verification' => sub {
   my $daemon = Mojo::Server::Daemon->new(app => app, ioloop => Mojo::IOLoop->singleton, silent => 1);
   my $listen
-    = 'https://127.0.0.1'
+    = 'https://localhost'
     . '?cert=t/mojo/certs/server.crt'
     . '&key=t/mojo/certs/server.key'
     . '&ca=t/mojo/certs/ca.crt'
@@ -88,36 +88,36 @@ subtest 'Web server with valid certificates and no verification' => sub {
   # Invalid certificate
   my $ua = Mojo::UserAgent->new(ioloop => Mojo::IOLoop->singleton);
   $ua->cert('t/mojo/certs/bad.crt')->key('t/mojo/certs/bad.key');
-  my $tx = $ua->get("https://127.0.0.1:$port");
+  my $tx = $ua->get("https://localhost:$port");
   ok $tx->error, 'has error';
   $ua = Mojo::UserAgent->new(ioloop => $ua->ioloop, insecure => 1);
   $ua->cert('t/mojo/certs/bad.crt')->key('t/mojo/certs/bad.key');
-  $tx = $ua->get("https://127.0.0.1:$port");
+  $tx = $ua->get("https://localhost:$port");
   ok !$tx->error, 'no error';
   is $ua->ioloop->stream($tx->connection)->handle->get_cipher,     'AES256-SHA', 'AES256-SHA has been negotiatied';
   is $ua->ioloop->stream($tx->connection)->handle->get_sslversion, 'TLSv1',      'TLSv1 has been negotiatied';
 };
 
 subtest 'Client side TLS options' => sub {
   my $daemon = Mojo::Server::Daemon->new(app => app, ioloop => Mojo::IOLoop->singleton, silent => 1);
-  my $listen = 'https://127.0.0.1/?version=TLSv1_1';
+  my $listen = 'https://localhost/?version=TLSv1_1';
   my $port   = $daemon->listen([$listen])->start->ports->[0];
 
   subtest '(Not) setting verification mode' => sub {
     my $ua = Mojo::UserAgent->new(ioloop => Mojo::IOLoop->singleton);
-    my $tx = $ua->get("https://127.0.0.1:$port");
+    my $tx = $ua->get("https://localhost:$port");
     like $tx->error->{message}, qr/certificate verify failed/, 'has error';
 
     $ua = Mojo::UserAgent->new(ioloop => Mojo::IOLoop->singleton);
     $ua->tls_options({SSL_verify_mode => 0x00});
-    $tx = $ua->get("https://127.0.0.1:$port");
+    $tx = $ua->get("https://localhost:$port");
     ok !$tx->error, 'no error';
   };
 
   subtest 'Setting acceptable protocol version' => sub {
     my $ua = Mojo::UserAgent->new(ioloop => Mojo::IOLoop->singleton);
     $ua->tls_options({SSL_version => 'TLSv1_2'});
-    my $tx = $ua->get("https://127.0.0.1:$port");
+    my $tx = $ua->get("https://localhost:$port");
     like $tx->error->{message}, qr/wrong ssl version/, 'has error';
   };
 };