val strings = cipherSuites.map { it.javaName }.toTypedArray()
        return cipherSuites(*strings)
      }

    fun cipherSuites(vararg cipherSuites: String) =
      apply {
        require(tls) { "no cipher suites for cleartext connections" }
        require(cipherSuites.isNotEmpty()) { "At least one cipher suite is required" }

      platform.newSslSocketFactory(platform.platformTrustManager()).defaultCipherSuites
    val cipherSuites =
      ConnectionSpec.RESTRICTED_TLS.effectiveCipherSuites(platformDefaultCipherSuites)

    if (cipherSuites.contains(TLS_CHACHA20_POLY1305_SHA256.javaName)) {
      assertThat(cipherSuites).containsExactly(
        TLS_AES_128_GCM_SHA256.javaName,
        TLS_AES_256_GCM_SHA384.javaName,

  }

  @Test
  fun tlsBuilder_explicitCiphers() {
    val tlsSpec =
      ConnectionSpec
        .Builder(true)
        .cipherSuites(CipherSuite.TLS_RSA_WITH_RC4_128_MD5)
        .tlsVersions(TlsVersion.TLS_1_2)
        .supportsTlsExtensions(true)
        .build()
    assertThat(tlsSpec.cipherSuites!!.toList())
      .containsExactly(CipherSuite.TLS_RSA_WITH_RC4_128_MD5)
    assertThat(tlsSpec.tlsVersions!!.toList())

		tlsConfig.ClientAuth = tls.RequestClientCert
	}

	if secureCiphers := env.Get(api.EnvAPISecureCiphers, config.EnableOn) == config.EnableOn; secureCiphers {
		tlsConfig.CipherSuites = crypto.TLSCiphers()
	} else {
		tlsConfig.CipherSuites = crypto.TLSCiphersBackwardCompatible()
	}
	tlsConfig.CurvePreferences = crypto.TLSCurveIDs()
	return tlsConfig
}

/////////// Types and functions for OpenID IAM testing

  @Test @Disabled
  fun connectionSpec() {
    val connectionSpec: ConnectionSpec = ConnectionSpec.RESTRICTED_TLS
    val tlsVersions: List<TlsVersion>? = connectionSpec.tlsVersions()
    val cipherSuites: List<CipherSuite>? = connectionSpec.cipherSuites()
    val supportsTlsExtensions: Boolean = connectionSpec.supportsTlsExtensions()
  }

  @Test @Disabled
  fun cookie() {
    val cookie: Cookie = Cookie.Builder().build()

    connectionSpec = ConnectionSpec.COMPATIBLE_TLS
    connectionSpec = ConnectionSpec.CLEARTEXT
    val tlsVersions: List<TlsVersion>? = connectionSpec.tlsVersions
    val cipherSuites: List<CipherSuite>? = connectionSpec.cipherSuites
    val supportsTlsExtensions: Boolean = connectionSpec.supportsTlsExtensions
    val compatible: Boolean =
      connectionSpec.isCompatible(

            return
          }

          // https://timothybasanov.com/2016/05/26/java-pre-master-secret.html
          // https://security.stackexchange.com/questions/35639/decrypting-tls-in-wireshark-when-using-dhe-rsa-ciphersuites
          // https://stackoverflow.com/questions/36240279/how-do-i-extract-the-pre-master-secret-using-an-openssl-based-client

          // TLSv1.2 Events
          // Produced ClientHello handshake message

   noCache, noStore, noTransform, onlyIfCached, sMaxAgeSeconds
 * **Challenge**: authParams, charset, realm, scheme
 * **CipherSuite**: javaName
 * **ConnectionSpec**: cipherSuites, supportsTlsExtensions, tlsVersions
 * **Cookie**: domain, expiresAt, hostOnly, httpOnly, name, path, persistent, value
 * **Dispatcher**: executorService
 * **FormBody**: size

```java
ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
    .tlsVersions(TlsVersion.TLS_1_2)
    .cipherSuites(
          CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
          CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
          CipherSuite.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256)
    .build();

Go 1.23 changed the default TLS cipher suites used by clients and servers when
not explicitly configured, removing 3DES cipher suites. The default can be reverted
using the [`tls3des` setting](/pkg/crypto/tls/#Config.CipherSuites).

Go 1.23 changed the behavior of [`tls.X509KeyPair`](/pkg/crypto/tls#X509KeyPair)
and [`tls.LoadX509KeyPair`](/pkg/crypto/tls#LoadX509KeyPair) to populate the