*  Fix: Use literal IP addresses directly rather than passing them to `DnsOverHttps`.
 *  Fix: Embed Proguard rules to prevent warnings from tools like DexGuard and R8. These warnings
    were triggered by OkHttp’s feature detection for TLS packages like `org.conscrypt`,
    `org.bouncycastle`, and `org.openjsse`.
 *  Upgrade: Explicitly depend on `kotlin-stdlib-jdk8`. This fixes a problem with dependency

      }

      fileToClose?.closeQuietly()
    }
  }

  companion object {
    // TODO(jwilson): what to do about timeouts? They could be different and unfortunately when any
    //     timeout is hit we like to tear down the whole stream.

    private const val SOURCE_UPSTREAM = 1
    private const val SOURCE_FILE = 2

    @JvmField val PREFIX_CLEAN = "OkHttp cache v1\n".encodeUtf8()

 * including dots after the first colon. It matches IPv4 addresses as strings containing only
 * decimal digits and dots. This pattern matches strings like "a:.23" and "54" that are neither IP
 * addresses nor hostnames; they will be verified as IP addresses (which is a more strict
 * verification).
 */

        if (openJSSE != null) {
          return openJSSE
        }
      }

      // An Oracle JDK 9 like OpenJDK, or JDK 8 251+.
      val jdk9 = Jdk9Platform.buildIfSupported()

      if (jdk9 != null) {
        return jdk9
      }

      // An Oracle JDK 8 like OpenJDK, pre 251.
      val jdkWithJettyBoot = Jdk8WithJettyBootPlatform.buildIfSupported()

      if (jdkWithJettyBoot != null) {

     *
     * Next is the response status line, followed by the number of HTTP response header lines,
     * followed by those lines.
     *
     * HTTPS responses also contain SSL session information. This begins with a blank line, and then
     * a line containing the cipher suite. Next is the length of the peer certificate chain. These
     * certificates are base64-encoded and appear each on their own line. The next line contains the

    /**
     * Add a header line without any validation. Only appropriate for headers from the remote peer
     * or cache.
     */
    internal fun addLenient(line: String) =
      apply {
        val index = line.indexOf(':', 1)
        when {
          index != -1 -> {
            addLenient(line.substring(0, index), line.substring(index + 1))
          }
          line[0] == ':' -> {

 * sets of related domain names. The following forms are permitted:
 *
 *  * **Full domain name**: you may pin an exact domain name like `www.publicobject.com`. It won't
 *    match additional prefixes (`us-west.www.publicobject.com`) or suffixes (`publicobject.com`).
 *
 *  * **Any number of subdomains**: Use two asterisks to like `**.publicobject.com` to match any
 *    number of prefixes (`us-west.www.publicobject.com`, `www.publicobject.com`) including no

    val handshake = makeRequest(client)

    assertThat(handshake.cipherSuite).isIn(*expectedModernTls12CipherSuites.toTypedArray())

    // Probably something like
    // TLS_AES_128_GCM_SHA256
    // TLS_AES_256_GCM_SHA384
    // TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    // TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    // TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

 *
 * Browsers and other HTTP clients need a set of trusted root certificates to authenticate their
 * peers. Sets of root certificates are managed by either the HTTP client (like Firefox), or the
 * host platform (like Android). In July 2018 Android had 134 trusted root certificates for its HTTP
 * clients to trust.
 *
 * For example, in order to establish a secure connection to `https://www.squareup.com/`,

   * by the application:
   *
   * * It may be transformed by the user's interceptors. For example, an application interceptor
   *   may add headers like `User-Agent`.
   * * It may be the request generated in response to an HTTP redirect or authentication
   *   challenge. In this case the request URL may be different than the initial request URL.
   *