
Verify and document TLS SNI support #1600

@linkvt

We seem to support TLS Server Name Indication (SNI) in the interceptor which allows serving different TLS certificates from the single TLS endpoint.
IIRC, admins can configure multiple certificates that the interceptor then uses for incoming TLS requests; SNI works automatically by default.

We should at least do the following:

  • Review and test how the interceptor handles TLS requests with and without SNI
  • Understand and document what happens when there is no certificate matching the SNI hostname - is there a default certificate? Do we fail?
  • Check existing e2e tests and add missing test cases
  • Verify and update the documentation

Out of scope:

  • rewriting the whole TLS config handling, it is IMO a bit wonky and maybe a separate topic
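For reference when answering the "default certificate or fail?" question above, here is an added example (not the interceptor's code, and not from the issue author) that assumes a Go server built on `crypto/tls`. When `tls.Config.Certificates` holds several entries and none matches the SNI name, Go serves the first entry; the hypothetical `selectBySNI` callback below makes the policy explicit instead, using constructed self-signed certificates and `.test` hostnames.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// selfSigned builds a throwaway certificate for the given DNS names (constructed test data).
func selfSigned(names ...string) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: names,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// selectBySNI (hypothetical helper) returns a GetCertificate callback with an explicit
// policy: no SNI gets fallback if set, a matching name gets its cert, anything else fails.
func selectBySNI(certs []tls.Certificate, fallback *tls.Certificate) func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	return func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
		if hello.ServerName == "" && fallback != nil {
			return fallback, nil // client sent no SNI: serve the configured default
		}
		for i := range certs {
			// VerifyHostname applies the usual SAN rules, including wildcards.
			if certs[i].Leaf.VerifyHostname(hello.ServerName) == nil {
				return &certs[i], nil
			}
		}
		// Returning an error aborts the handshake instead of serving a wrong cert.
		return nil, fmt.Errorf("no certificate for SNI %q", hello.ServerName)
	}
}

func main() {
	certs := []tls.Certificate{selfSigned("a.example.test"), selfSigned("*.b.example.test")}
	pick := selectBySNI(certs, &certs[0])
	for _, sni := range []string{"a.example.test", "x.b.example.test", "unknown.example.test", ""} {
		cert, err := pick(&tls.ClientHelloInfo{ServerName: sni})
		fmt.Printf("SNI=%q served=%v err=%v\n", sni, cert != nil, err)
	}
}
```

To use it, assign the callback to `tls.Config.GetCertificate` and leave `Certificates` empty, because Go only calls `GetCertificate` when the client sends SNI or `Certificates` is empty.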

Labels: documentation, testing
