From 146f35483d2a00a9067fcf01259be6b0bb2b265a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E4=B8=96=E7=95=8C?= <i@sekai.icu>
Date: Thu, 16 Apr 2026 18:00:13 +0800
Subject: [PATCH] Reject IP literal server name with TLS spoof

---
 common/tls/client.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/common/tls/client.go b/common/tls/client.go
index 00020ee2c..35c628c11 100644
--- a/common/tls/client.go
+++ b/common/tls/client.go
@@ -30,7 +30,7 @@ func parseTLSSpoofOptions(serverName string, options option.OutboundTLSOptions)
 	if !tlsspoof.PlatformSupported {
 		return "", 0, E.New("`spoof` is not supported on this platform")
 	}
-	if options.DisableSNI || serverName == "" {
+	if options.DisableSNI || serverName == "" || M.ParseAddr(serverName).IsValid() {
 		return "", 0, E.New("`spoof` requires TLS ClientHello with SNI")
 	}
 	method, err := tlsspoof.ParseMethod(options.SpoofMethod)