The culprit is that our client would not support the TLS ‘SERVER NAME’ extension, unlike wget and gnutls-cli (this is enabled simply by calling ‘gnutls_server_name_set’). Here’s a proof-of-concept workaround:
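The workaround itself is not reproduced above. As an added example, separate from the author's code and from GnuTLS, the following Python builds the `server_name` extension (RFC 6066) that `gnutls_server_name_set` causes a client to put into its ClientHello, wraps it in a minimal ClientHello record, and parses the host name back out of a raw record, which is also what a monitoring sensor does when it logs SNI. The host names, cipher suites and all-zero client random are constructed values for the example.

```python
"""Build and parse the TLS server_name (SNI) extension, RFC 6066 section 3.

Constructed example: shows what gnutls_server_name_set() contributes to the
ClientHello and how a capture tool recovers the name from a raw record.
Not the original post's workaround and not GnuTLS code.
"""
import struct
from typing import Optional

EXT_SERVER_NAME = 0   # ExtensionType.server_name
HOST_NAME = 0         # NameType.host_name
TLS_HANDSHAKE = 0x16  # record ContentType.handshake
CLIENT_HELLO = 0x01   # HandshakeType.client_hello


def build_sni_extension(hostname: str) -> bytes:
    """Encode one host_name entry as a full extension (type, length, data)."""
    name = hostname.encode("ascii")  # IDNs must already be A-labels, no trailing dot
    if not name:
        raise ValueError("empty hostname")
    entry = struct.pack("!BH", HOST_NAME, len(name)) + name
    name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Minimal ClientHello record; hostname=None omits SNI, i.e. the behaviour
    of the broken client described in the post."""
    client_random = bytes(32)  # constructed; a real client uses os.urandom(32)
    body = struct.pack("!H", 0x0303) + client_random   # client_version, random
    body += bytes([0])                                  # empty session_id
    suites = struct.pack("!HH", 0x1301, 0x1302)         # two constructed suites
    body += struct.pack("!H", len(suites)) + suites
    body += bytes([1, 0])                               # compression: null only
    exts = build_sni_extension(hostname) if hostname else b""
    body += struct.pack("!H", len(exts)) + exts
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def _take(buf: bytes, pos: int, n: int) -> bytes:
    """Bounds-checked slice: truncated input raises instead of misparsing."""
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[pos:pos + n]


def parse_sni_data(data: bytes) -> Optional[str]:
    """Return the host_name carried in a server_name extension_data blob."""
    (list_len,) = struct.unpack("!H", _take(data, 0, 2))
    pos, end = 2, 2 + list_len
    while pos + 3 <= end:
        name_type, name_len = struct.unpack("!BH", _take(data, pos, 3))
        pos += 3
        name = _take(data, pos, name_len)
        pos += name_len
        if name_type == HOST_NAME:
            return name.decode("ascii")
    return None


def extract_sni(record: bytes) -> Optional[str]:
    """Walk a ClientHello record and return its SNI host name, or None if absent."""
    header = _take(record, 0, 5)
    if header[0] != TLS_HANDSHAKE:
        raise ValueError("not a handshake record")
    (rec_len,) = struct.unpack("!H", header[3:5])
    hs = _take(record, 5, rec_len)
    if _take(hs, 0, 4)[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = _take(hs, 4, int.from_bytes(hs[1:4], "big"))
    pos = 2 + 32                                   # skip client_version and random
    pos += 1 + _take(body, pos, 1)[0]              # session_id
    (cs_len,) = struct.unpack("!H", _take(body, pos, 2))
    pos += 2 + cs_len                              # cipher_suites
    pos += 1 + _take(body, pos, 1)[0]              # compression_methods
    if pos == len(body):
        return None                                # legacy hello without extensions
    (ext_total,) = struct.unpack("!H", _take(body, pos, 2))
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, elen = struct.unpack("!HH", _take(body, pos, 4))
        pos += 4
        ext_data = _take(body, pos, elen)
        pos += elen
        if ext_type == EXT_SERVER_NAME:
            return parse_sni_data(ext_data)
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("example.com")))  # example.com
    print(extract_sni(build_client_hello(None)))           # None
```

Because the name travels in cleartext in the ClientHello, a virtual-hosting server can pick the right certificate before any key exchange, and a passive sensor can log it with the same parser; a client that omits the extension (the `None` case) typically receives the server's default certificate and then fails hostname verification, which matches the symptom the post describes.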