
Let's say I pin a cert for a specific domain:

import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;

CertificatePinner certPinner = new CertificatePinner.Builder()
    .add("*.domain1.com", CertificatePinner.pin(...))
    .build();

OkHttpClient client = new OkHttpClient.Builder()
    .certificatePinner(certPinner)
    .build();

How does OkHttp handle requests to other domains (e.g. api.domain2.com)?

  • "No matching cert, no bueno --> SecurityException"

  • "No matching cert, no problemo ++ --> completes request"

++ provided domain2's cert is still signed by C.A. listed in OS-level list of trusted authorities.

tir38

1 Answer

  • "No matching cert, no problemo ++ --> completes request"

Certificate pinning adds a constraint for matching hosts only.

Jesse Wilson
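To make the answer's point concrete, here is an added example (it is not code from the question, the answer, or the OkHttp project). It drives the pinner's host matching directly through CertificatePinner.check() and CertificatePinner.findMatchingPins(), so it needs no network round trip and no real certificate. PLACEHOLDER_PIN and the host names are assumptions: a SHA-256 public-key hash is 32 bytes, so 32 zero bytes in base64 is a syntactically valid pin that matches no real key, which is exactly what we want when showing which hosts the pinner looks at and which it ignores.

```java
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.SSLPeerUnverifiedException;
import okhttp3.CertificatePinner;

/**
 * Added example, not code from the question or the answer. Shows that a
 * CertificatePinner only constrains hosts that match one of its patterns;
 * every other host passes through it untouched.
 */
public class PinScopeDemo {
    // Assumption: a placeholder pin. 32 zero bytes, base64-encoded, is a
    // well-formed "sha256/" pin that no real public key will hash to.
    static final String PLACEHOLDER_PIN =
            "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";

    // Same shape as the pinner in the question: one wildcard pattern, one pin.
    static final CertificatePinner PINNER = new CertificatePinner.Builder()
            .add("*.domain1.com", PLACEHOLDER_PIN)
            .build();

    /**
     * True if the pinner accepts this host/chain pair, false if check()
     * raises a pinning failure. check() is the same entry point OkHttp
     * calls after the TLS handshake has succeeded.
     */
    static boolean acceptedByPinner(String host, List<Certificate> chain) {
        try {
            PINNER.check(host, chain);
            return true;
        } catch (SSLPeerUnverifiedException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // An empty chain can never satisfy a pin. So any host the pinner actually
        // constrains must be rejected here, while a host with no matching pin is
        // accepted, because check() returns before it looks at the chain at all.
        List<Certificate> emptyChain = Collections.emptyList();

        String[] hosts = {
                "api.domain1.com",   // covered by *.domain1.com: pinned
                "api.domain2.com",   // no pattern matches: pinner is a no-op
                "domain1.com",       // *. does not cover the bare domain
                "a.b.domain1.com",   // *. covers exactly one DNS label
        };
        for (String host : hosts) {
            System.out.printf("%-18s pins=%-50s acceptedByPinner=%b%n",
                    host,
                    PINNER.findMatchingPins(host),
                    acceptedByPinner(host, emptyChain));
        }
    }
}
```

Two things worth keeping in mind when reading the output. First, for api.domain2.com the pinner is simply not in the path: the connection is still subject to the platform trust store and hostname verification the OkHttpClient was built with (the "++" caveat in the question), pinning adds nothing on top. Second, the wildcard is narrower than people expect: `*.domain1.com` covers one label, so neither the bare `domain1.com` nor `a.b.domain1.com` is pinned, and a request to either of those is accepted by the pinner for the same reason api.domain2.com is. If those hosts must be pinned, add them as their own patterns.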