fixes mbedtls 3.6.3 handshake with NULL server name

An explicit call to `mbedtls_ssl_set_hostname(NULL)` is now required if the hostname should not be verified in handshake. From the mbedtls changelog:

```
= Mbed TLS 3.6.3 branch released 2025-03-24

Default behavior changes
   * In TLS clients, if mbedtls_ssl_set_hostname() has not been called,
     mbedtls_ssl_handshake() now fails with MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME if certificate-based authentication of the server is attempted.
     This is because authenticating a server without knowing what name
     to expect is usually insecure. To restore the old behavior, either
     call mbedtls_ssl_set_hostname() with NULL as the hostname, or
     enable the new compile-time option MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME.
```

1 files changed, 3 insertions, 5 deletions

diff --git a/src/supplemental/tls/mbedtls/mbedtls.c b/src/supplemental/tls/mbedtls/mbedtls.c
index 8250740f..57c0a7bf 100644
--- a/src/supplemental/tls/mbedtls/mbedtls.c
+++ b/src/supplemental/tls/mbedtls/mbedtls.c
@@ -290,9 +290,7 @@ conn_init(nng_tls_engine_conn *ec, void *tls, nng_tls_engine_config *cfg,
 		return (tls_mk_err(rv));
 	}
 
-	if (cfg->server_name != NULL) {
-		mbedtls_ssl_set_hostname(&ec->ctx, cfg->server_name);
-	}
+	mbedtls_ssl_set_hostname(&ec->ctx, cfg->server_name);
 
 	if (cfg->mode == NNG_TLS_MODE_SERVER) {
 		nng_str_sockaddr(sa, buf, sizeof(buf));
@@ -538,8 +536,8 @@ config_init(nng_tls_engine_config *cfg, enum nng_tls_mode mode)
 static int
 config_server_name(nng_tls_engine_config *cfg, const char *name)
 {
-	char *dup;
-	if ((dup = nni_strdup(name)) == NULL) {
+	char *dup = NULL;
+	if (name != NULL && ((dup = nni_strdup(name)) == NULL)) {
 		return (NNG_ENOMEM);
 	}
 	if (cfg->server_name != NULL) {