}

  @Test
  fun tlsBuilder_explicitCiphers() {
    val tlsSpec =
      ConnectionSpec.Builder(true)
        .cipherSuites(CipherSuite.TLS_RSA_WITH_RC4_128_MD5)
        .tlsVersions(TlsVersion.TLS_1_2)
        .supportsTlsExtensions(true)
        .build()
    assertThat(tlsSpec.cipherSuites!!.toList())
      .containsExactly(CipherSuite.TLS_RSA_WITH_RC4_128_MD5)
    assertThat(tlsSpec.tlsVersions!!.toList())

      platform.newSslSocketFactory(platform.platformTrustManager()).defaultCipherSuites
    val cipherSuites =
      ConnectionSpec.RESTRICTED_TLS.effectiveCipherSuites(platformDefaultCipherSuites)

    if (cipherSuites.contains(TLS_CHACHA20_POLY1305_SHA256.javaName)) {
      assertThat(cipherSuites).containsExactly(
        TLS_AES_128_GCM_SHA256.javaName,
        TLS_AES_256_GCM_SHA384.javaName,

        val strings = cipherSuites.map { it.javaName }.toTypedArray()
        return cipherSuites(*strings)
      }

    fun cipherSuites(vararg cipherSuites: String) =
      apply {
        require(tls) { "no cipher suites for cleartext connections" }
        require(cipherSuites.isNotEmpty()) { "At least one cipher suite is required" }

		tlsConfig.ClientAuth = tls.RequestClientCert
	}

	if secureCiphers := env.Get(api.EnvAPISecureCiphers, config.EnableOn) == config.EnableOn; secureCiphers {
		tlsConfig.CipherSuites = fips.TLSCiphers()
	} else {
		tlsConfig.CipherSuites = fips.TLSCiphersBackwardCompatible()
	}
	tlsConfig.CurvePreferences = fips.TLSCurveIDs()
	return tlsConfig
}

/////////// Types and functions for OpenID IAM testing

   noCache, noStore, noTransform, onlyIfCached, sMaxAgeSeconds
 * **Challenge**: authParams, charset, realm, scheme
 * **CipherSuite**: javaName
 * **ConnectionSpec**: cipherSuites, supportsTlsExtensions, tlsVersions
 * **Cookie**: domain, expiresAt, hostOnly, httpOnly, name, path, persistent, value
 * **Dispatcher**: executorService
 * **FormBody**: size

  @Test @Disabled
  fun connectionSpec() {
    val connectionSpec: ConnectionSpec = ConnectionSpec.RESTRICTED_TLS
    val tlsVersions: List<TlsVersion>? = connectionSpec.tlsVersions()
    val cipherSuites: List<CipherSuite>? = connectionSpec.cipherSuites()
    val supportsTlsExtensions: Boolean = connectionSpec.supportsTlsExtensions()
  }

  @Test @Disabled
  fun cookie() {
    val cookie: Cookie = Cookie.Builder().build()

            return
          }

          // https://timothybasanov.com/2016/05/26/java-pre-master-secret.html
          // https://security.stackexchange.com/questions/35639/decrypting-tls-in-wireshark-when-using-dhe-rsa-ciphersuites
          // https://stackoverflow.com/questions/36240279/how-do-i-extract-the-pre-master-secret-using-an-openssl-based-client

          // TLSv1.2 Events
          // Produced ClientHello handshake message

    connectionSpec = ConnectionSpec.COMPATIBLE_TLS
    connectionSpec = ConnectionSpec.CLEARTEXT
    val tlsVersions: List<TlsVersion>? = connectionSpec.tlsVersions
    val cipherSuites: List<CipherSuite>? = connectionSpec.cipherSuites
    val supportsTlsExtensions: Boolean = connectionSpec.supportsTlsExtensions
    val compatible: Boolean =
      connectionSpec.isCompatible(

	crypto.S3.CreateMetadata(metadata, key.KeyID, key.Ciphertext, sealedKey)
	_, err = sio.Encrypt(outbuf, bytes.NewBuffer(input), sio.Config{Key: objectKey[:], MinVersion: sio.Version20, CipherSuites: fips.DARECiphers()})
	if err != nil {
		return output, metabytes, err
	}
	metabytes, err = json.Marshal(metadata)
	if err != nil {
		return
	}
	return outbuf.Bytes(), metabytes, nil
}

	mac.Write([]byte(HMACContext))
	decryptionKey := mac.Sum(nil)

	plaintext := make([]byte, 0, 16)
	etag, err := sio.DecryptBuffer(plaintext, etag, sio.Config{
		Key:          decryptionKey,
		CipherSuites: fips.DARECiphers(),
	})
	if err != nil {
		return nil, err
	}
	return etag, nil
}

// Parse parses s as an S3 ETag, returning the result.
// The string can be an encrypted, singlepart