diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go
index a9516fc375d074..a058f349c54804 100644
--- a/src/crypto/x509/verify.go
+++ b/src/crypto/x509/verify.go
@@ -940,8 +940,8 @@ func validHostname(host string, isPattern bool) bool {
 if c == '-' && j != 0 {
 continue
 }
- if c == '_' || c == ':' {
- // Not valid characters in hostnames, but commonly
+ if c == '_' {
+ // Not a valid character in hostnames, but commonly
 // found in deployments outside the WebPKI.
 continue
 }
diff --git a/src/crypto/x509/verify_test.go b/src/crypto/x509/verify_test.go
index 18271540c75131..650b2d2fc6e9ec 100644
--- a/src/crypto/x509/verify_test.go
+++ b/src/crypto/x509/verify_test.go
@@ -2004,7 +2004,7 @@ func TestValidHostname(t *testing.T) {
 {host: "foo.*.example.com"},
 {host: "exa_mple.com", validInput: true, validPattern: true},
 {host: "foo,bar"},
- {host: "project-dev:us-central1:main", validInput: true, validPattern: true},
+ {host: "project-dev:us-central1:main"},
 }
 for _, tt := range tests {
 if got := validHostnamePattern(tt.host); got != tt.validPattern {
diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go
index d69c8ba72ee474..7e001471dd4b67 100644
--- a/src/crypto/x509/x509_test.go
+++ b/src/crypto/x509/x509_test.go
@@ -376,7 +376,15 @@ var matchHostnamesTests = []matchHostnamesTest{
 {"*.com", "example.com", true},
 {"*.com", "example.com.", true},
 {"foo:bar", "foo:bar", true},
- {"*.foo:bar", "xxx.foo:bar", true},
+ {"*.foo:bar", "xxx.foo:bar", false},
+ {"*.2.3.4", "1.2.3.4", false},
+ {"*.2.3.4", "[1.2.3.4]", false},
+ {"*:4860:4860::8888", "2001:4860:4860::8888", false},
+ {"*:4860:4860::8888", "[2001:4860:4860::8888]", false},
+ {"2001:4860:4860::8888", "2001:4860:4860::8888", false},
+ {"2001:4860:4860::8888", "[2001:4860:4860::8888]", false},
+ {"[2001:4860:4860::8888]", "2001:4860:4860::8888", false},
+ {"[2001:4860:4860::8888]", "[2001:4860:4860::8888]", false},
 }
 
 func TestMatchHostnames(t *testing.T) {
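Review bot: The rewritten comment in validHostname explains why '_' is tolerated but not why ':' no longer is, even though the updated test shows the colon was previously accepted for deployment-style names such as `project-dev:us-central1:main`. Without a stated reason, a later compatibility fix could quietly restore it. I would add a line next to the check, for example `// ':' is deliberately not accepted: a name containing it is not a valid hostname and must not take part in wildcard matching.` The test tables in this commit suggest such names still match by exact comparison (`foo:bar` still matches itself), but that path is not visible here. The body of validHostname starts and ends outside the hunk.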
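Review bot: The nine cases added to matchHostnamesTests carry no comment saying what each group guards. Several of them, for example `{"*.2.3.4", "1.2.3.4", false}`, contain no colon, so the table does not show which cases fail because of the validHostname change and which were presumably already rejected because the host parses as an IP address. A short comment above the new entries would keep the intent visible, e.g. `// Wildcard patterns must not match names containing ':' and DNS SANs must never match IP-literal hosts, bracketed or not.` It would also help to mark the retained `{"foo:bar", "foo:bar", true}` as intentional, since it sits directly above a colon case that now expects false.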