tls/dial.go | 1 +
tls/tolower.go | 28 ++++++++++++++++++++++++++++
version.go | 2 +-
diff --git a/tls/dial.go b/tls/dial.go
index f451b21a00f096000297556865b3da317673cca3d30b8cbded3e1749f49843e4..ffba9effc34c761b0b798b15766c430c0452e81b720cb7056786437443cc495e 100644
--- a/tls/dial.go
+++ b/tls/dial.go
@@ -33,6 +33,7 @@ var sessionCache = tls.NewLRUClientSessionCache(1024)
 func DialTLS(ctx context.Context, network, addr string) (net.Conn, error) {
 host, _, _ := SplitHostPort(addr)
+ host = toLowerCaseASCII(host)
 ccg := ClientCertificateGetter{host: host}
 cfg := tls.Config{
 VerifyPeerCertificate: func(
diff --git a/tls/tolower.go b/tls/tolower.go
new file mode 100644
index 0000000000000000000000000000000000000000..ecd3c2d6769b28e748ae6804884ad56859b43894a9ec206beeb313fb0acb82d9
--- /dev/null
+++ b/tls/tolower.go
@@ -0,0 +1,28 @@
+package tofuproxy
+
+import "unicode/utf8"
+
+// Copy-pasted from crypto/x509, as it is not public.
+func toLowerCaseASCII(in string) string {
+ isAlreadyLowerCase := true
+ for _, c := range in {
+ if c == utf8.RuneError {
+ isAlreadyLowerCase = false
+ break
+ }
+ if 'A' <= c && c <= 'Z' {
+ isAlreadyLowerCase = false
+ break
+ }
+ }
+ if isAlreadyLowerCase {
+ return in
+ }
+ out := []byte(in)
+ for i, c := range out {
+ if 'A' <= c && c <= 'Z' {
+ out[i] += 'a' - 'A'
+ }
+ }
+ return string(out)
+}
diff --git a/version.go b/version.go
index b612231b30c6ed6b225af70bd9eb4404fca5c11e602967eee242607b397f894c..8d5542859b0bead7e77166bd3eafa6b8bce25092de19e9b59008339360a75e4a 100644
--- a/version.go
+++ b/version.go
@@ -1,3 +1,3 @@
 package tofuproxy
-const Version = "0.3.0"
+const Version = "0.4.0"
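Review bot: The added `host = toLowerCaseASCII(host)` in DialTLS folds case only, so a fully-qualified spelling with a trailing dot (`example.com.`) would still be a different value from `example.com` wherever `host` keys per-host state such as `ClientCertificateGetter{host: host}`; how `host` is used beyond that line is outside this hunk, so this is a point to confirm rather than a proven defect. If the intent is one canonical name per server, consider stripping the dot in the same place, `host = strings.TrimSuffix(toLowerCaseASCII(host), ".")` (needs `strings` if dial.go does not already import it), and state the intent with `// Hostnames are case-insensitive: canonicalise before host is used as a key.` The context line above discards the error from `SplitHostPort`, so `host` may be empty when it reaches the new line. The body of DialTLS continues past the end of the hunk.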
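Review bot: The comment on `toLowerCaseASCII` in tls/tolower.go says only where the code came from, not what it guarantees, and DialTLS now relies on it to normalise the host name. I would replace it with a doc comment along the lines of `// toLowerCaseASCII returns in with the ASCII letters A-Z lower-cased; every other byte, including non-ASCII and invalid UTF-8, is left as is.` followed by `// Copied from crypto/x509, where it is unexported.` The `c == utf8.RuneError` branch only forces the byte-wise path, so a why-comment there, `// invalid UTF-8: fall through to the byte-wise loop, which is safe on any input`, would stop a later reader from treating it as an error case. Recording the Go release the copy was taken from would make it possible to pick up upstream changes to the original later.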