
Fix: incorrect fix in 0d79dfc

Rod Hynes %!s(int64=10) %!d(string=hai) anos
pai
achega
cb9d0b35b0
Modificáronse 2 ficheiros con 9 adicións e 6 borrados
  1. 8 3
      psiphon/opensslConn.go
  2. 1 3
      psiphon/tlsDialer.go

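--- a/psiphon/opensslConn.go
+++ b/psiphon/opensslConn.go
@@ -97,9 +97,14 @@ func newOpenSSLConn(rawConn net.Conn, hostname string, config *CustomTLSConfig)
 	}
 
 	if config.SendServerName {
-		err = conn.SetTlsExtHostName(hostname)
-		if err != nil {
-			return nil, ContextError(err)
+		// Explicitly exclude IPs:
+		// - "Literal IPv4 and IPv6 addresses are not permitted": https://tools.ietf.org/html/rfc6066#page-6.
+		// - OpenSSL does not appear to enforce this rule itself.
+		if net.ParseIP(hostname) == nil {
+			err = conn.SetTlsExtHostName(hostname)
+			if err != nil {
+				return nil, ContextError(err)
+			}
 		}
 	}
 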
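Review bot: The new `net.ParseIP(hostname) == nil` guard recognises only a bare textual address, so a bracketed IPv6 literal or one with a zone suffix parses as nil and would still be handed to `SetTlsExtHostName`, going out in the clear in the ClientHello. How `hostname` is derived is outside this hunk, so the caller may already normalise it. If it does not, strip brackets and any zone before the test. An empty `hostname` also passes the guard and is worth rejecting explicitly. The same test is duplicated in psiphon/tlsDialer.go, so a small shared helper with a doc comment like `// isIPLiteral reports whether host is an IP address and must not be sent as SNI (RFC 6066).` would keep the two dialers from drifting apart again. newOpenSSLConn's body continues outside the hunk.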

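--- a/psiphon/tlsDialer.go
+++ b/psiphon/tlsDialer.go
@@ -175,9 +175,7 @@ func CustomTLSDial(network, addr string, config *CustomTLSConfig) (net.Conn, err
 	if config.SendServerName && config.VerifyLegacyCertificate == nil {
 		// Set the ServerName and rely on the usual logic in
 		// tls.Conn.Handshake() to do its verification.
-		// Explicitly exclude IPs:
-		// - "Literal IPv4 and IPv6 addresses are not permitted": https://tools.ietf.org/html/rfc6066#page-6.
-		// - OpenSSL does not appear to enforce this rule itself.
+		// Note: Go TLS will automatically omit this ServerName when it's an IP address
 		if net.ParseIP(hostname) == nil {
 			tlsConfig.ServerName = hostname
 		}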
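Review bot: The added comment says Go's TLS stack already omits an IP address from SNI, yet the `if net.ParseIP(hostname) == nil` guard just below it is kept, so the comment and the code disagree about whether the guard is needed. In crypto/tls, `ServerName` is also the name the certificate is verified against. With the guard in place an IP-addressed server leaves it empty, so the "usual logic in tls.Conn.Handshake()" mentioned two lines up has no name to check. Whether that path then fails the handshake or falls back to a verification-skipping setting is not visible here, because CustomTLSDial continues outside the hunk. Either drop the guard and set `tlsConfig.ServerName = hostname` unconditionally, or keep it and reword the comment to something like `// ServerName is deliberately left empty for IP addresses; certificate verification for that case is handled by <mechanism>`.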