diff --git a/config.go b/config.go
index a9b6b8d..d3327c1 100644
--- a/config.go
+++ b/config.go
@@ -14,7 +14,9 @@ type Config struct {
 StreamLogger *os.File // Used for debugging
 Lang string // TODO: should default to 'en'
 ConnectTimeout int // Client timeout in seconds. Default to 15
- TLSConfig tls.Config
+ // tls.Config must not be modified after having been passed to NewClient. The
+ // Client connect method may override the tls.Config.ServerName if it was not set.
+ TLSConfig *tls.Config
 // Insecure can be set to true to allow to open a session without TLS. If TLS
 // is supported on the server, we will still try to use it.
 Insecure bool
diff --git a/session.go b/session.go
index 57d96a6..0a9ac75 100644
--- a/session.go
+++ b/session.go
@@ -117,8 +117,10 @@ func (s *Session) startTlsIfSupported(conn net.Conn, domain string, o Config) ne
 return conn
 }
 
- o.TLSConfig.ServerName = domain
- tlsConn := tls.Client(conn, &o.TLSConfig)
+ if o.TLSConfig.ServerName == "" {
+ o.TLSConfig.ServerName = domain
+ }
+ tlsConn := tls.Client(conn, o.TLSConfig)
 // We convert existing connection to TLS
 if s.err = tlsConn.Handshake(); s.err != nil {
 return tlsConn
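Review bot: The new comment on `TLSConfig` does not say what a nil pointer means, yet a zero-value `Config` now carries a nil `TLSConfig` where it used to carry a usable empty `tls.Config`. The comment should open with the field name and state both the nil behaviour and what the `ServerName` default implies, for example `// TLSConfig is the TLS configuration used for the TLS upgrade; if nil, a default configuration is used.` and `// If ServerName is empty it is set to the connection domain, which is the name the server certificate is verified against.` The first of these lines is only accurate once the connect path actually supplies a default for nil. The struct definition starts and ends outside the hunk.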
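Review bot: `o.TLSConfig.ServerName` is dereferenced without a nil check, so a caller that leaves `Config.TLSConfig` unset (nil now that the field is a pointer, per the config.go hunk) would panic here before the handshake. The assignment also writes into the caller's `tls.Config`: if one config is reused for clients of different domains, the first domain stays in `ServerName` and later handshakes are verified against the wrong name, and concurrent connects race on the field. Working on a per-connection copy with a nil fallback removes both problems and lets the "must not be modified" caveat in config.go be dropped. The function starts and ends outside the hunk, so a nil guard may exist earlier that is not visible here.

```go
// … unchanged: early return when the TLS upgrade is not offered …
cfg := &tls.Config{}
if o.TLSConfig != nil {
	// Clone so the caller's configuration is never mutated or shared between sessions.
	cfg = o.TLSConfig.Clone()
}
if cfg.ServerName == "" {
	cfg.ServerName = domain
}
tlsConn := tls.Client(conn, cfg)
// … unchanged: handshake and error handling …
```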