Remembering that *.domain cannot span dots in certificates, and the consequence for SNI if you try to use FQDN as a dot-separated space beyond the "flat" model.
The convergence of certificate issuance, domain names, domain matching logic, configs, port-binding, information leakage. It's a nightmare. 5 tuple be damned: the higher protocol layers are now deciding how to de-mux your service.
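The single-label wildcard rule and its effect on SNI-based certificate selection, as an added example that is not part of the original comment. The function names, the certificate store and the hostnames are constructed for illustration, and only whole-label wildcards (`*.`) are handled.

```python
def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Certificate name match in the RFC 6125 style: '*' is honoured only as
    the entire leftmost label and stands for exactly one label, so it can
    never span a dot."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    # Equal label counts are what stop '*.example.com' covering 'a.b.example.com'.
    if len(p) != len(h) or "" in h or any("*" in label for label in h):
        return False
    if p[0] == "*":
        # Assumption: refuse '*.tld' style patterns, as common clients do.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h  # partial wildcards such as 'f*.x' are treated as literals


def select_cert(sni: str, certs: dict[str, list[str]], default: str) -> str:
    """Choose the certificate whose SAN list covers the SNI name.
    Exact names win over wildcards; with no match the default certificate
    is served, which is where clients see a name mismatch."""
    for want_wildcard in (False, True):
        for cert_id, sans in certs.items():
            for san in sans:
                if san.startswith("*.") == want_wildcard and wildcard_matches(san, sni):
                    return cert_id
    return default


# Constructed certificate store: one wildcard per level of the name space.
CERTS = {
    "wild-example": ["*.example.com", "example.com"],
    "wild-tenant": ["*.tenant.example.com"],
}

if __name__ == "__main__":
    for name in ("api.example.com", "a.tenant.example.com",
                 "a.b.tenant.example.com", "example.com"):
        print(f"{name:28} -> {select_cert(name, CERTS, 'default')}")
```

Each extra dot in the name space needs its own wildcard or an explicit SAN entry; anything deeper falls through to the default certificate.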