To my complete amazement, we did support domain-specific server authentication in v2.7 and broke it in 2.8.
Conscrypt, the subsystem to which OkHttp delegates for TLS authentication, attempts to call a method with the signature checkServerTrusted(X509Certificate, String, String) by reflection. In 2.7 we used Android's default trust manager, which did have such a method. In 2.8, to support our new Listener modes, we install our own custom trust manager and proxy most calls to the default. Our custom trust manager, however, does not have the method. Conscrypt falls back to using the default method checkServerTrusted(X509Certificate, String), which fails if the app has a network-security-config.
I believe that this fix is, simply, to add the missing signature and to proxy it to the default manager.
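
A sketch of the proxying described above, added here as an illustration and not the project's own code. The class name `DelegatingTrustManager` is hypothetical, and the code assumes the default manager exposes the hostname-aware overload publicly, taking the chain as `X509Certificate[]` and returning the validated chain as a list.

```java
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.X509TrustManager;

// Hypothetical wrapper: forwards every check to the default trust manager.
public final class DelegatingTrustManager implements X509TrustManager {
    private final X509TrustManager delegate;   // the platform default trust manager
    private final Method hostAwareCheck;       // null if the delegate lacks the overload

    public DelegatingTrustManager(X509TrustManager delegate) {
        this.delegate = delegate;
        Method m = null;
        try {
            m = delegate.getClass().getMethod("checkServerTrusted",
                    X509Certificate[].class, String.class, String.class);
        } catch (NoSuchMethodException e) {
            // Delegate only offers the two-argument check; handled in the overload below.
        }
        hostAwareCheck = m;
    }

    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkClientTrusted(chain, authType);
    }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkServerTrusted(chain, authType);
    }
    @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }

    // Not part of X509TrustManager: the TLS stack finds this overload by reflection.
    // Without it, the caller falls back to the two-argument check above.
    @SuppressWarnings("unchecked")
    public List<X509Certificate> checkServerTrusted(X509Certificate[] chain, String authType, String host) throws CertificateException {
        if (hostAwareCheck == null) {
            delegate.checkServerTrusted(chain, authType);   // throws on an untrusted chain
            return Arrays.asList(chain);
        }
        try {
            return (List<X509Certificate>) hostAwareCheck.invoke(delegate, chain, authType, host);
        } catch (InvocationTargetException e) {
            // Surface the delegate's own rejection instead of the reflection wrapper.
            Throwable c = e.getCause();
            throw c instanceof CertificateException ? (CertificateException) c : new CertificateException(c);
        } catch (IllegalAccessException e) {
            throw new CertificateException(e);               // fail closed
        }
    }
}
```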