
Fix: ensure SendServerName works correctly with OpenSSL

Rod Hynes 10 years ago
parent
commit
0d79dfcaca
2 changed files with 8 additions and 3 deletions
  1. 1 1
      psiphon/serverApi.go
  2. 7 2
      psiphon/tlsDialer.go

+ 1 - 1
psiphon/serverApi.go

@@ -633,12 +633,12 @@ func makeBaseRequestUrl(tunnel *Tunnel, port, sessionId string) string {
 	requestUrl.WriteString(tunnel.serverEntry.Region)
 	requestUrl.WriteString("&server_entry_source=")
 	requestUrl.WriteString(tunnel.serverEntry.LocalSource)
-	requestUrl.WriteString("&server_entry_timestamp=")
 
 	// As with last_connected, this timestamp stat, which may be
 	// a precise handshake request server timestamp, is truncated
 	// to hour granularity to avoid introducing a reconstructable
 	// cross-session user trace into server logs.
+	requestUrl.WriteString("&server_entry_timestamp=")
 	requestUrl.WriteString(
 		TruncateTimestampToHour(tunnel.serverEntry.LocalTimestamp))
 

+ 7 - 2
psiphon/tlsDialer.go

@@ -174,8 +174,13 @@ func CustomTLSDial(network, addr string, config *CustomTLSConfig) (net.Conn, err
 
 	if config.SendServerName && config.VerifyLegacyCertificate == nil {
 		// Set the ServerName and rely on the usual logic in
-		// tls.Conn.Handshake() to do its verification
-		tlsConfig.ServerName = hostname
+		// tls.Conn.Handshake() to do its verification.
+		// Explicitly exclude IPs:
+		// - "Literal IPv4 and IPv6 addresses are not permitted": https://tools.ietf.org/html/rfc6066#page-6.
+		// - OpenSSL does not appear to enforce this rule itself.
+		if net.ParseIP(hostname) == nil {
+			tlsConfig.ServerName = hostname
+		}
 	} else {
 		// No SNI.
 		// Disable verification in tls.Conn.Handshake().  We'll verify manually
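Review bot: With an IP-literal hostname the new guard leaves tlsConfig.ServerName empty while this branch, unlike the else branch below it, appears to keep automatic verification enabled, and Go's crypto/tls refuses a client handshake that has neither ServerName nor InsecureSkipVerify set, so IP-address servers configured with SendServerName would now fail to connect rather than merely omit SNI. Go's own crypto/tls already drops IP literals from the SNI extension while still using ServerName to match the certificate's IP SANs, so the RFC 6066 concern raised in the comment applies to the OpenSSL path only. Consider keeping `tlsConfig.ServerName = hostname` for verification and suppressing only the SNI value on the OpenSSL side, or else extending the comment with `// NOTE: an IP-literal hostname leaves ServerName empty; confirm the handshake still verifies the peer in that case.` and routing such hosts through the manual-verification branch. CustomTLSDial continues on both sides of this hunk, so how tlsConfig is initialized (in particular InsecureSkipVerify) is not visible here.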