fix(ext/node): normalize trailing dot in TLS servername (#32166)

Fixes #30170

Node.js strips trailing dots from FQDN server names before TLS
certificate verification, but Deno was passing the servername with the
trailing dot directly to rustls. This caused certificate validation
failures when connecting with a trailing-dot servername like
`example.local.` to a server whose certificate is valid for
`example.local`.

The error message was especially confusing because it said the
certificate wasn't valid for `example.local.` when it was only valid for
`example.local.` (same string):
```
certificate not valid for name "example.local."; certificate is only valid for DnsName("example.local.")
```

The fix strips the trailing dot from the hostname in the TLSSocket
constructor before it's passed to the TLS layer. This matches Node.js
behavior - DNS fully-qualified domain names end with a dot but TLS SNI
extensions and certificate matching should work without it.

Added a test that connects using `localhost.` as servername to verify
the trailing dot is properly normalized.

Author: veeceey

ext/node/polyfills/_tls_wrap.js

@@ -86,8 +86,14 @@ export class TLSSocket extends net.Socket {
   constructor(socket, opts = kEmptyObject) {
     const tlsOptions = { ...opts };
 
-    const hostname = opts.servername ?? opts.host ?? socket?._host ??
+    let hostname = opts.servername ?? opts.host ?? socket?._host ??
       "localhost";
+    // Strip trailing dot from hostname for SNI and certificate verification,
+    // matching Node.js behavior. DNS FQDN trailing dots are valid but must
+    // be normalized for TLS server name matching.
+    if (hostname && hostname.endsWith(".")) {
+      hostname = hostname.slice(0, -1);
+    }
     tlsOptions.hostname = hostname;
 
     const cert = tlsOptions?.secureContext?.cert;

tests/unit_node/tls_test.ts

@@ -479,3 +479,43 @@ BnRlc3RDQTCB
   // deno-lint-ignore no-explicit-any
   (tls as any).setDefaultCACertificates([testCert]);
 });
+
+// https://github.com/denoland/deno/issues/30170
+Deno.test("tls.connect strips trailing dot from servername", async () => {
+  const listener = Deno.listenTls({
+    port: 0,
+    key,
+    cert,
+  });
+
+  const conn = tls.connect({
+    host: "localhost",
+    port: listener.addr.port,
+    // Use trailing dot - should be normalized to "localhost"
+    servername: "localhost.",
+    secureContext: {
+      ca: rootCaCert,
+      // deno-lint-ignore no-explicit-any
+    } as any,
+  });
+
+  const serverConn = await listener.accept();
+
+  const { promise: connected, resolve: resolveConnected } = Promise
+    .withResolvers<void>();
+  conn.on("secureConnect", () => {
+    assert(conn.authorized, "Connection should be authorized");
+    resolveConnected();
+  });
+
+  conn.on("error", (err: Error) => {
+    // Should not get a certificate error with trailing dot
+    throw err;
+  });
+
+  await connected;
+  conn.destroy();
+  serverConn.close();
+  listener.close();
+  await new Promise((resolve) => conn.on("close", resolve));
+});