.containsExactly(TlsVersion.TLS_1_2)
    assertThat(tlsSpec.supportsTlsExtensions).isTrue()
  }

  @Test
  fun tls_defaultCiphers_noFallbackIndicator() {
    platform.assumeNotConscrypt()
    platform.assumeNotBouncyCastle()
    val tlsSpec =
      ConnectionSpec.Builder(true)
        .tlsVersions(TlsVersion.TLS_1_2)
        .supportsTlsExtensions(false)
        .build()

  }

  @Test
  fun testDefaultHandshakeCipherSuiteOrderingTls12Restricted() {
    // We are avoiding making guarantees on ordering of secondary Platforms.
    platform.assumeNotConscrypt()
    platform.assumeNotBouncyCastle()

    val client = makeClient(ConnectionSpec.RESTRICTED_TLS, TlsVersion.TLS_1_2)

    val handshake = makeRequest(client)

   */
  @Test fun verifyNonAsciiSubjectAlt() {
    // Expecting actual:
    //  ["bar.com", "花子.co.jp"]
    // to contain exactly (and in same order):
    //  ["bar.com", "������.co.jp"]
    platform.assumeNotBouncyCastle()

    // CN=foo.com, subjectAlt=bar.com, subjectAlt=花子.co.jp
    // (hanako.co.jp in kanji)
    val session =
      session(
        """
        -----BEGIN CERTIFICATE-----

  private lateinit var clientCert: HeldCertificate

  @BeforeEach
  fun setUp(server: MockWebServer) {
    this.server = server
    platform.assumeNotOpenJSSE()
    platform.assumeNotBouncyCastle()
    serverRootCa =
      HeldCertificate.Builder()
        .serialNumber(1L)
        .certificateAuthority(1)
        .commonName("root")
        .addSubjectAlternativeName("root_ca.com")
        .build()

      assumeTrue(getPlatformSystemProperty() != LOOM_PROPERTY)
    }

    fun assumeNotCorretto() {
      assumeTrue(getPlatformSystemProperty() != CORRETTO_PROPERTY)
    }

    fun assumeNotBouncyCastle() {
      // Most failures are with MockWebServer
      // org.bouncycastle.tls.TlsFatalAlertReceived: handshake_failure(40)
      //        at org.bouncycastle.tls.TlsProtocol.handleAlertMessage(TlsProtocol.java:241)

  private lateinit var serverIps: List<InetAddress>

  @BeforeEach
  fun setUp(server: MockWebServer) {
    this.server = server
    platform.assumeHttp2Support()
    platform.assumeNotBouncyCastle()
    rootCa =
      HeldCertificate.Builder()
        .serialNumber(1L)
        .certificateAuthority(0)
        .commonName("root")
        .build()
    certificate =
      HeldCertificate.Builder()

  @RegisterExtension
  var clientTestRule = OkHttpClientTestRule()

  private lateinit var server: MockWebServer

  @BeforeEach
  fun setup(server: MockWebServer) {
    this.server = server
    platform.assumeNotBouncyCastle()
  }

  /**
   * The pinner should pull the root certificate from the trust manager.
   */
  @Test
  fun pinRootNotPresentInChain() {
    // Fails on 11.0.1 https://github.com/square/okhttp/issues/4703

    assertThat(handshake.peerPrincipal).isNull()
    assertThat(handshake.peerCertificates.size).isEqualTo(0)
  }

  @Test
  fun httpsWithClientAuth() {
    platform.assumeNotBouncyCastle()
    platform.assumeNotConscrypt()
    val clientCa =
      HeldCertificate.Builder()
        .certificateAuthority(0)
        .build()
    val serverCa =
      HeldCertificate.Builder()

    assertThat(handshake.peerPrincipal).isNull()
    assertThat(handshake.peerCertificates.size).isEqualTo(0)
  }

  @Test
  fun httpsWithClientAuth() {
    platform.assumeNotBouncyCastle()
    platform.assumeNotConscrypt()

    val clientCa =
      HeldCertificate.Builder()
        .certificateAuthority(0)
        .build()
    val serverCa =
      HeldCertificate.Builder()