CBL-7468: Set kCFStreamSSLPeerName when using a network interface (#3456)

When a network interface is specified, CBLWebSocket resolves the hostname to an IP, creates the socket with that IP, and builds network streams from the socket. Because the original hostname isn’t set, the TLS ClientHello omits the Server Name Indication (SNI).

The fix is to set the hostname via kCFStreamSSLPeerName (the same way we did when client-side proxy is specified), ensuring SNI is included for certificate validation and compatibility with carriers/ISPs that block connections without it.

Author: pasin

Objective-C/Internal/Replicator/CBLWebSocket.mm

@@ -110,6 +110,7 @@ @implementation CBLWebSocket
     BOOL _closing;
 
     NSString* _networkInterface;
+    BOOL _useNetworkInterface;
     dispatch_queue_t _socketConnectQueue;
 
     CBLDNSService* _dnsService;
@@ -217,9 +218,10 @@ - (instancetype) initWithURL: (NSURL*)url
 
         _sockfd = -1;
         _networkInterface = [context networkInterfaceForWebsocket: self];
-        if (_networkInterface) {
+        if (_networkInterface.length > 0) {
             queueName = [NSString stringWithFormat: @"%@-SocketConnect", queueName];
             _socketConnectQueue = dispatch_queue_create(queueName.UTF8String, DISPATCH_QUEUE_SERIAL);
+            _useNetworkInterface = YES;
         }
     }
     return self;
@@ -353,7 +355,7 @@ - (void) _connect {
     _connectingToProxy = (_logic.proxyType == kCBLHTTPProxy);
     _connectedThruProxy = NO;
 
-    if (_networkInterface) {
+    if (_useNetworkInterface) {
         [self connectToHostWithName: _logic.directHost
                                port: _logic.directPort
                    networkInterface: _networkInterface];
@@ -625,8 +627,14 @@ - (void) configureTLS {
         _shouldCheckSSLCert = true;
 
         NSMutableDictionary* settings = [NSMutableDictionary dictionary];
-        if (_connectedThruProxy) {
-            [settings setObject: _logic.directHost forKey: (__bridge id)kCFStreamSSLPeerName];
+        
+        // Set the actual hostname used for certificate verification during the TLS handshake
+        // when connecting through a proxy or a specified network interface. The hostname will
+        // appear in the Server Name Indication (SNI) field of the TLS ClientHello message.
+        if (_connectedThruProxy || _useNetworkInterface) {
+            NSString* hostName = _logic.directHost;
+            CBLLogVerbose(WebSocket, @"%@ Setting TLS peer (SNI) hostname: %@", self, hostName);
+            [settings setObject: hostName forKey: (__bridge id)kCFStreamSSLPeerName];
         }
 
         // Disable the default certificate validation process using system's CA certs