[CLSA-2026:1774460133] Fix CVE(s): CVE-2025-66614
Type:
security
Severity:
Critical
Release date:
2026-03-25 17:35:37 UTC
Description:
* SECURITY UPDATE: client certificate authentication bypass through mismatched SNI and HTTP Host header
  - debian/patches/CVE-2025-66614.patch: Add strictSNI connector attribute and implement SNI/protocol host name matching for NIO, NIO2, and APR connectors; prevent requests being served by a mismatched SSLHostConfig when the SNI host and the HTTP Host header differ.
  - CVE-2025-66614
* Fix ObjectStreamClass cache clearing for JDK 11.0.16+
  - debian/patches/fix-ObjectStreamClass-cache-clearing.patch: Use an instanceof guard in WebappClassLoaderBase.clearCache() instead of a direct cast to Map, fixing a ClassCastException with newer JDKs where the ObjectStreamClass$Caches fields were changed from Map to ClassValue (JDK-8277072).
* Regenerate expired test SSL certificates
  - debian/test_certs/: Regenerated ca.jks, localhost.jks, localhost-copy1.jks, user1.jks and PEM files. The user1 certificate expired on 2025-08-15, causing TestClientCert SSLHandshakeException failures.
* Fix flaky test infrastructure on build farm
  - debian/patches/fix-test-hostname-resolution.patch: Skip TestStandardSessionIntegration, TestGroupChannelSenderConnections, TestGroupChannelStartStop, and TestGroupChannelOptionFlag when the build node hostname cannot be resolved via DNS (UnknownHostException).
  - debian/patches/CVE-2025-66614.patch: Skip testSni on the APR connector since it uses a JSSE-style SSLHostConfig incompatible with the OpenSSL backend.
Updated packages:
  • libtomcat9-embed-java_9.0.16-3ubuntu0.18.04.2+tuxcare.els14_all.deb
    sha:462bf56d0917234a7479b8eb6c39dc2f0cf78174
  • libtomcat9-java_9.0.16-3ubuntu0.18.04.2+tuxcare.els14_all.deb
    sha:b8cd5898c586ec6925cb301536a432866802759a
  • tomcat9_9.0.16-3ubuntu0.18.04.2+tuxcare.els14_all.deb
    sha:93c9aa30358330ceebf4416ef75c7f0dc19d8c5c
  • tomcat9-admin_9.0.16-3ubuntu0.18.04.2+tuxcare.els14_all.deb
    sha:d8637e9260591d377b372634df3ece0e0ba865a5
  • tomcat9-common_9.0.16-3ubuntu0.18.04.2+tuxcare.els14_all.deb
    sha:629bd307b9b9a502863f24114ca164e37c5a1b26
  • tomcat9-docs_9.0.16-3ubuntu0.18.04.2+tuxcare.els14_all.deb
    sha:2441851216f327f1bd8aedb776b54f2d1688386b
  • tomcat9-examples_9.0.16-3ubuntu0.18.04.2+tuxcare.els14_all.deb
    sha:544445708ba5b8abbd17e36e10eee50f73ecb08b
  • tomcat9-user_9.0.16-3ubuntu0.18.04.2+tuxcare.els14_all.deb
    sha:ba4ba36d314c566b797a7bbb5c81d13737c85e3c
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.