Bug description
We have a GKE cluster with a custom Istio installation, version 1.2.6.
The gateway configuration looks like this:
spec:
  servers:
  - hosts:
    - cfg.mysiteaddress.ru
    port:
      name: https-mysite
      number: 443
      protocol: HTTPS
    tls:
      credentialName: cert.mysiteaddress
      maxProtocolVersion: TLSV1_3
      minProtocolVersion: TLSV1_1
      mode: SIMPLE
  - hosts:
    - "*"
    port:
      name: https-all
      number: 443
      protocol: HTTPS
    tls:
      credentialName: wildcard.cert
      mode: SIMPLE
We also have external services that connect to our service cfg.mysiteaddress.ru. These were working fine.
But when we updated Istio to 1.3.4, the external services began to fail their connections: Error: self signed certificate
While debugging we saw the wrong certificate, wildcard.cert from the "*" host, being served, but the gateway config hadn't been changed.
Another strange thing: browsers connect to cfg.mysiteaddress.ru without any problem.
So we found this problem:
curl https://cfg.mysiteaddress.ru -Iv --tlsv1.2
- works fine
curl https://cfg.mysiteaddress.ru -Iv --tlsv1.3
- fails with SSL: no alternative certificate subject name matches target host name, because it gets the default cert
I took a tcpdump and compared the packets: both have the correct SNI, cfg.mysiteaddress.ru.
Expected behavior
A successful response is expected.
Steps to reproduce the bug
Set the gateway config from this message, then run
curl https://cfg.mysiteaddress.ru -Iv --tlsv1.3
You get the cert from the default host.
Version (include the output of istioctl version --remote and kubectl version)
1.2.6
1.3.4
How was Istio installed?
manually with our custom specs
Environment where bug was observed (cloud vendor, OS, etc)
GKE
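An added diagnostic script, not from the issue or the Istio project, that does the reporter's curl comparison in one step: it handshakes with the gateway twice for the same SNI name (TLS 1.2, then TLS 1.3) and reports the fingerprint and SAN entries of the leaf certificate served each time. The host:port and SNI arguments are assumptions; it needs openssl 1.1.1 or newer for -tls1_3 and -ext.

```shell
#!/bin/sh
# Added check (not from the issue): compare the leaf certificate an Istio gateway
# serves for one SNI name under TLS 1.2 vs TLS 1.3. Requires openssl >= 1.1.1.

# Pure helper: does the SAN text printed by `openssl x509 -ext subjectAltName`
# cover hostname $2? Exact names and single-label wildcards only
# (*.example.test covers a.example.test but not b.a.example.test).
san_covers() {
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    parent=${host#*.}
    names=$(printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/.*DNS:[[:space:]]*//p' | tr 'A-Z' 'a-z')
    while read -r name; do
        case $name in
            "$host") return 0 ;;
            \*.*) if [ "${name#"*."}" = "$parent" ] && [ "$parent" != "$host" ]; then return 0; fi ;;
        esac
    done <<EOF
$names
EOF
    return 1
}

# Fetch the leaf certificate served for SNI $2 at $1 (host:port) with the
# openssl protocol flag $3 (-tls1_2 or -tls1_3); print fingerprint and SAN.
served_cert() {
    openssl s_client -connect "$1" -servername "$2" "$3" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 -ext subjectAltName
}

# Probe both protocol versions. The symptom in this issue shows up as a
# different fingerprint for -tls1_3 whose SAN does not cover the SNI name.
probe() {
    for v in -tls1_2 -tls1_3; do
        if ! out=$(served_cert "$1" "$2" "$v"); then
            echo "$v: handshake failed or no certificate returned"
            continue
        fi
        fp=$(printf '%s\n' "$out" | sed -n 's/^[Ss][Hh][Aa]256 Fingerprint=//p')
        san=$(printf '%s\n' "$out" | grep 'DNS:')
        if san_covers "$san" "$2"; then
            echo "$v: $fp covers $2"
        else
            echo "$v: $fp does NOT cover $2 (SAN: $san)"
        fi
    done
}

# Usage (assumed target): sh probe.sh cfg.mysiteaddress.ru:443 cfg.mysiteaddress.ru
if [ "$#" -eq 2 ]; then probe "$1" "$2"; fi
```

A fingerprint that differs between the two runs, with the second one not covering the SNI name, reproduces the behaviour reported above without involving the CA validation that produced the "self signed certificate" error.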