After upgrading from MariaDB 10.1.34 to 10.1.35, my Galera cluster members could no longer establish an SST with each other.
Downgrading all cluster members back to 10.1.34 got things working.
It seems that the behavior of the `mariabackup` SST method changed, and instead of passing the hostname of the peer to `socat`, it passes the IP address. That then seems to lead to socat exiting with an error on the donor:
2018/08/07 12:16:14 socat E certificate is valid but its commonName does not match hostname