
Ok fine, instead of poring over someone’s comment history why not enjoy some free time?




Because leaving comments like that unaddressed/unclarified does not serve the public reading this thread.

It's served this public to realize that there's obviously some serious flaw somewhere in the software that means fixing this isn't easy, or it would have been done.

Which is sad, as now I have to reconsider.


We've not seen a good enough argument that it's worth our time investigating. This seems like something that only affects something like 0.00001% of users. It may be simple, but it also means extensive testing to make sure any kind of fix doesn't also break other things. With how extensive Caddy's use cases are, we have to be careful with any change, especially low-level ones involving TLS and host matching. We could accidentally introduce some kind of request smuggling security bug, for example, if proper care isn't taken.


