TLS hostname verification fails when KEYLIME_IGNORE_HOSTNAME=false — certificate is valid for "server", not "localhost" #15

@msafarik

Description:
When KEYLIME_IGNORE_HOSTNAME is set to false, the MCP client fails to connect to the Keylime registrar/verifier with the following error:

    Get "https://localhost:8891/v2.4/agents": tls: failed to verify certificate: x509: certificate is valid for server, not localhost

Steps to Reproduce:
1. Set KEYLIME_IGNORE_HOSTNAME=false in .env
2. Start the MCP server and client
3. Ask the agent to call any tool (e.g., Get_all_agents)

Expected Behavior:
The client should validate that the certificate is authentic (signed by a trusted CA) but allow hostname mismatches, since Keylime certificates are generated with a CN/SAN server name instead of the actual hostname.

Actual Behavior:
Connection fails because Go's InsecureSkipVerify: false enables full hostname verification, and the certificate's SAN (server) doesn't match the connection target (localhost).

Root Cause:
The current TLS implementation uses InsecureSkipVerify as a binary switch:
- true → skips all certificate verification (chain + hostname) — works but insecure
- false → verifies everything, including hostname — fails because Keylime certs use generic CN

There is no middle ground to verify the certificate chain (authenticity) while allowing hostname mismatch.

Proposed Solution:
Replace InsecureSkipVerify with a custom VerifyConnection callback that:
- Validates the certificate chain against the Keylime CA
- Skips hostname verification when IgnoreHostname is true
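
Added example, not part of the issue or of the project's code: one way to write the proposed callback with Go's crypto/tls, exercised against a throwaway CA and a leaf whose SAN is `server`, as in the report. `chainOnlyConfig` and `newCert` are hypothetical names, and the certificates are constructed at run time.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// chainOnlyConfig (hypothetical helper): built-in check off; the callback verifies the chain always, the name only if !ignoreHostname.
func chainOnlyConfig(roots *x509.CertPool, ignoreHostname bool) *tls.Config {
	return &tls.Config{InsecureSkipVerify: true, VerifyConnection: func(cs tls.ConnectionState) error {
		if len(cs.PeerCertificates) == 0 {
			return fmt.Errorf("no peer certificate presented")
		}
		opts := x509.VerifyOptions{Roots: roots, Intermediates: x509.NewCertPool()}
		for _, c := range cs.PeerCertificates[1:] {
			opts.Intermediates.AddCert(c)
		}
		if !ignoreHostname {
			opts.DNSName = cs.ServerName // full check: chain and hostname
		}
		_, err := cs.PeerCertificates[0].Verify(opts)
		return err
	}}
}

// newCert returns a constructed test cert (self-signed CA if parent is nil, else a leaf with SAN cn); errors ignored for brevity.
func newCert(cn string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage, parent, pkey = true, true, x509.KeyUsageCertSign, t, priv
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

func main() {
	ca, caKey := newCert("constructed-ca", nil, nil)
	leaf, _ := newCert("server", ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	cs := tls.ConnectionState{PeerCertificates: []*x509.Certificate{leaf}, ServerName: "localhost"}
	fmt.Println("strict:", chainOnlyConfig(roots, false).VerifyConnection(cs), "| chain-only:", chainOnlyConfig(roots, true).VerifyConnection(cs))
}
```

With the name check off, any certificate issued by a CA in `roots` is accepted for any endpoint, so the pool should hold only the Keylime CA rather than the system trust store.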
