To my complete amazement, we did support domain specific server authentication, in v2.7 and broke it in 2.8.
Conscrypt, the subsystem to which OkHttp delegates for TLS authentication, attempts to call a method with the signature checkServerTrusted (X509Certificate, String, String), by reflection. In 2.7 we used Android's default trust manager, which did have such a method. In 2.8, to support our new Listener modes, we install our own custom trust manager and proxy most calls to the default. Our custom trust manager, however, does not have the method. Conscrypt falls back to using the default method checkServerTrusted (X509Certificate, String), which fails if the app has a network-security-config.
I believe that this fix is, simply, to add the missing signature and to proxy it to the default manager.
Pasin suggests just installing the DefaultTrustManager whe useDefaultTrustManager(). While an elegant solution, that means that Conscrypt will try two method calls by introspection, before it falls back to the normal method, when using our CBLTrustManager. That's a fair amount of overhead.
Here's relevant documentation: