From f5be692d3393573091a0079a93a9c96bcc9d512b Mon Sep 17 00:00:00 2001 From: Johannes Schmidt Date: Fri, 17 Apr 2026 10:08:06 +0200 Subject: [PATCH 1/3] Correctly create AsioTlsStream with host argument This was omitted by accident from the original PR, despite being done in the original perfdata writer connection code. Without setting this parameter, host name verification will be disabled, which poses a security risk. --- lib/perfdata/perfdatawriterconnection.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/perfdata/perfdatawriterconnection.cpp b/lib/perfdata/perfdatawriterconnection.cpp index f8807c9ce03..46000c28f47 100644 --- a/lib/perfdata/perfdatawriterconnection.cpp +++ b/lib/perfdata/perfdatawriterconnection.cpp @@ -99,7 +99,7 @@ AsioTlsOrTcpStream PerfdataWriterConnection::MakeStream() const { AsioTlsOrTcpStream ret; if (m_SslContext) { - ret = Shared::Make(IoEngine::Get().GetIoContext(), *m_SslContext); + ret = Shared::Make(IoEngine::Get().GetIoContext(), *m_SslContext, m_Host); } else { ret = Shared::Make(IoEngine::Get().GetIoContext()); } From aab0b64f3aa0559f6d41b76536b70ef51da72f1a Mon Sep 17 00:00:00 2001 From: Johannes Schmidt Date: Fri, 17 Apr 2026 10:11:32 +0200 Subject: [PATCH 2/3] Generate all unit-test certificates with CN=localhost --- test/perfdata-perfdatatargetfixture.hpp | 2 +- test/perfdata-perfdatawriterconnection.cpp | 2 +- test/remote-certificate-fixture.cpp | 12 ++++++------ test/remote-certificate-fixture.hpp | 2 +- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/test/perfdata-perfdatatargetfixture.hpp b/test/perfdata-perfdatatargetfixture.hpp index 871610ff585..ce6c05a4f65 100644 --- a/test/perfdata-perfdatatargetfixture.hpp +++ b/test/perfdata-perfdatatargetfixture.hpp 
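Review bot: Nothing in this series pins the behaviour being fixed at `ret = Shared::Make(IoEngine::Get().GetIoContext(), *m_SslContext, m_Host);` in `MakeStream()`. The tests touched in patch 2 use fixture certificates with CN `localhost` and connect to `localhost`, so they would presumably still pass if the argument were dropped again. A negative test case that connects under a name differing from the certificate's CN and expects the handshake to fail would guard against that regression. Because the commit message says that omitting the parameter disables host name verification, a comment on the call such as `// m_Host is required: without it the TLS stream performs no host name verification` would also help. The body of `MakeStream()` continues outside the hunk.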
@@ -82,7 +82,7 @@ class PerfdataWriterTargetFixture void ResetStream() { if (std::holds_alternative::Ptr>(m_Stream)) { - m_Stream = Shared::Make(IoEngine::Get().GetIoContext(), *m_SslContext); + m_Stream = Shared::Make(IoEngine::Get().GetIoContext(), *m_SslContext, "localhost"); } else { m_Stream = Shared::Make(IoEngine::Get().GetIoContext()); } diff --git a/test/perfdata-perfdatawriterconnection.cpp b/test/perfdata-perfdatawriterconnection.cpp index 21a9f7aed5e..3467975f0e9 100644 --- a/test/perfdata-perfdatawriterconnection.cpp +++ b/test/perfdata-perfdatawriterconnection.cpp @@ -17,7 +17,7 @@ class TlsPerfdataWriterFixture : public CertificateFixture, public PerfdataWrite { m_PdwSslContext = MakeContext("client"); - m_Conn = new PerfdataWriterConnection{"Test", "test", "127.0.0.1", std::to_string(GetPort()), m_PdwSslContext}; + m_Conn = new PerfdataWriterConnection{"Test", "test", "localhost", std::to_string(GetPort()), m_PdwSslContext}; } auto& GetConnection() { return *m_Conn; } diff --git a/test/remote-certificate-fixture.cpp b/test/remote-certificate-fixture.cpp index 0d5a60d99e4..7e02edb85d0 100644 --- a/test/remote-certificate-fixture.cpp +++ b/test/remote-certificate-fixture.cpp 
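Review bot: Changing the target from `"127.0.0.1"` to `"localhost"` in the `TlsPerfdataWriterFixture` constructor makes the test depend on name resolution, while the mock target's acceptor is bound to `boost::asio::ip::address_v4::loopback()` only (perfdata-perfdatatargetfixture.hpp, patch 3). On a host where `localhost` resolves to `::1` first, the connect may fail or be delayed, depending on how `PerfdataWriterConnection` walks the resolver results, which is not visible here. A comment on the line, e.g. `// "localhost" must match the fixture certificates' CN; the target listens on IPv4 loopback only`, would record the constraint. It is also worth running the suite once on an IPv6-preferring machine. The constructor starts outside the hunk.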
@@ -95,19 +95,19 @@ void RequiresCertificate::AddCaFixture(const String& caFixtureName) m_CaFixtures.emplace_back(caFixtureName); } -void RequiresCertificate::AddCertFixture(const String& cn, const String& caFixture, const String& certFixture) +void RequiresCertificate::AddCertFixture(const String& name, const String& caFixture, const String& certFixture) { auto& mts = boost::unit_test::framework::master_test_suite(); boost::unit_test::decorator::base_ptr certLabel{new boost::unit_test::label{"cert"}}; auto* setup = boost::unit_test::make_test_case( - [cn]() { + [name]() { CertificateFixture certFixture; auto persistentCertsPath = CertificateFixture::m_PersistentCertsDir / "certs"; - auto keyFile = persistentCertsPath / (cn.GetData() + ".key"); - auto csrFile = persistentCertsPath / (cn.GetData() + ".csr"); - auto crtFile = persistentCertsPath / (cn.GetData() + ".crt"); - PkiUtility::NewCert(cn, keyFile.string(), csrFile.string(), ""); + auto keyFile = persistentCertsPath / (name.GetData() + ".key"); + auto csrFile = persistentCertsPath / (name.GetData() + ".csr"); + auto crtFile = persistentCertsPath / (name.GetData() + ".crt"); + PkiUtility::NewCert("localhost", keyFile.string(), csrFile.string(), ""); PkiUtility::SignCsr(csrFile.string(), crtFile.string()); }, certFixture.GetData() + "_setup", diff --git a/test/remote-certificate-fixture.hpp b/test/remote-certificate-fixture.hpp index f09a9b5c7c6..4f854c899f7 100644 --- a/test/remote-certificate-fixture.hpp +++ b/test/remote-certificate-fixture.hpp @@ -95,7 +95,7 @@ class RequiresCertificate : public CTestPropertiesBase static inline std::vector m_CaFixtures; static void AddCaFixture(const String& caFixtureName); - static void AddCertFixture(const String& cn, const String& caFixture, const String& certFixture); + static void AddCertFixture(const String& name, const String& caFixture, const String& certFixture); }; } // namespace icinga From 7ee33866220b5fafaed81c433f91fe8c9882df3c Mon Sep 17 00:00:00 2001 
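Review bot: After this change the first parameter of `AddCertFixture` only selects the `.key`/`.csr`/`.crt` file names, while the subject passed to `PkiUtility::NewCert` is always `"localhost"`. Neither the definition nor the declaration in remote-certificate-fixture.hpp documents that split. A comment above the definition such as `// name: base name of the generated files; the certificate CN is always "localhost" so host name verification succeeds in tests` would make it explicit. The same literal also appears in `ResetStream()` and in the `TlsPerfdataWriterFixture` constructor, so one shared constant would keep the three places in step. The `make_test_case` call continues outside the hunk.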
From: Johannes Schmidt Date: Thu, 2 Apr 2026 13:32:43 +0200 Subject: [PATCH 3/3] Fix PerfdataWriterConnection test-cases on parallel build --- test/perfdata-perfdatatargetfixture.hpp | 12 ++++++++++-- test/perfdata-perfdatawriterconnection.cpp | 4 +--- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/test/perfdata-perfdatatargetfixture.hpp b/test/perfdata-perfdatatargetfixture.hpp index ce6c05a4f65..bac1c504de9 100644 --- a/test/perfdata-perfdatatargetfixture.hpp +++ b/test/perfdata-perfdatatargetfixture.hpp @@ -39,16 +39,24 @@ class PerfdataWriterTargetFixture explicit PerfdataWriterTargetFixture(AsioTlsOrTcpStream stream) : m_Stream(std::move(stream)), m_Acceptor( - IoEngine::Get().GetIoContext(), - boost::asio::ip::tcp::endpoint{boost::asio::ip::address_v4::loopback(), 0} + IoEngine::Get().GetIoContext() ) { + boost::asio::ip::tcp::endpoint ep{boost::asio::ip::address_v4::loopback(), 0}; + m_Acceptor.open(ep.protocol()); + m_Acceptor.bind(ep); } unsigned short GetPort() { return m_Acceptor.local_endpoint().port(); } + void Listen() + { + m_Acceptor.listen(); + } + void Accept() { + Listen(); BOOST_REQUIRE_NO_THROW( std::visit([&](auto& stream) { return m_Acceptor.accept(stream->lowest_layer()); }, m_Stream) ); diff --git a/test/perfdata-perfdatawriterconnection.cpp b/test/perfdata-perfdatawriterconnection.cpp index 3467975f0e9..16ed299a947 100644 --- a/test/perfdata-perfdatawriterconnection.cpp +++ b/test/perfdata-perfdatawriterconnection.cpp @@ -130,10 +130,9 @@ BOOST_AUTO_TEST_CASE(finish_during_timeout) */ BOOST_AUTO_TEST_CASE(stuck_in_handshake) { - TestThread mockTargetThread{[&]() { Accept(); }}; - std::promise p; TestThread timeoutThread{[&]() { + Accept(); auto f = p.get_future(); GetConnection().CancelAfterTimeout(f, 50ms); BOOST_REQUIRE(f.wait_for(0ms) == std::future_status::timeout); 
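Review bot: In perfdata-perfdatatargetfixture.hpp, `Accept()` calls `Listen()` before the `BOOST_REQUIRE_NO_THROW` block, and the constructor uses the throwing overloads of `open()` and `bind()`. A socket error there surfaces as an uncaught exception, possibly inside a `TestThread` lambda, rather than as a reported test failure. Wrapping the call as `BOOST_REQUIRE_NO_THROW(Listen());` would keep the reporting consistent with the accept itself. The commit message gives no reason for separating bind from listen, so a comment such as `// bind in the constructor so GetPort() is valid; listen only when a test is ready to accept` would help, if that is the intent. `Accept()` now calls `listen()` on every invocation, which looks harmless but should be confirmed for tests that accept more than once.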
@@ -144,7 +143,6 @@ BOOST_AUTO_TEST_CASE(stuck_in_handshake) ); REQUIRE_JOINS_WITHIN(timeoutThread, 1s); - REQUIRE_JOINS_WITHIN(mockTargetThread, 1s); } /* When the disconnect timeout runs out while sending something to a slow or blocking server, we