}
        } else if (platformSystemProperty == CONSCRYPT_PROPERTY) {
          if (Security.getProviders()[0].name != "Conscrypt") {
            if (!Conscrypt.isAvailable()) {
              System.err.println("Warning: Conscrypt not available")
            }

            val provider =
              Conscrypt
                .newProviderBuilder()
                .provideTrustManager(true)
                .build()

        compileOnly(libs.conscrypt.openjdk)
        implementation(libs.androidx.annotation)
        implementation(libs.androidx.startup.runtime)
      }
    }

    jvmMain {
      dependsOn(commonJvmAndroid)

      dependencies {
        // These compileOnly dependencies must also be listed in applyOsgiMultiplatform() below.
        compileOnly(libs.conscrypt.openjdk)

        is SSLHandshakeException -> {
          // JDK 11+
        }
        is SSLException -> {
          // javax.net.ssl.SSLException: readRecord
        }
        is SocketException -> {
          // Conscrypt, JDK 8 (>= 292), JDK 9
        }
        else -> {
          assertThat(expected.message).isEqualTo("exhausted all routes")
        }
      }
    }
  }

  @Test
  fun commonNameIsNotTrusted() {

 *  Fix: Embed Proguard rules to prevent warnings from tools like DexGuard and R8. These warnings
    were triggered by OkHttp’s feature detection for TLS packages like `org.conscrypt`,
    `org.bouncycastle`, and `org.openjsse`.
 *  Upgrade: Explicitly depend on `kotlin-stdlib-jdk8`. This fixes a problem with dependency
    locking. That's a potential security vulnerability, tracked as [CVE-2022-24329].

 * Conscrypt.
 *
 * [iana_tls_parameters]: https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
 * [sslengine]: https://developer.android.com/reference/javax/net/ssl/SSLEngine.html
 * [oracle_providers]: https://docs.oracle.com/javase/10/security/oracle-providers.htm
 * [conscrypt_providers]: https://github.com/google/conscrypt/blob/master/common/src/main/java/org/conscrypt/NativeCrypto.java

  testconscrypt:
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/master' || contains(github.event.pull_request.labels.*.name, 'conscrypt')

    steps:
      - name: Checkout
        uses: actions/checkout@v6

      - name: Configure JDK
        uses: actions/setup-java@v5
        with:
          distribution: 'zulu'

        error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
        failure (external/openssl/ssl/s23_clnt.c:770 0x7f2728a53ea0:0x00000000)
    at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
```

You can check a web server's configuration using [Qualys SSL Labs][qualys]. OkHttp's TLS
configuration history is [tracked here](../security/tls_configuration_history.md).

        |lu/GJQZoU9lDrCPeUcQ28tzOWw==
        |-----END PRIVATE KEY-----
        |
        """.trimMargin(),
      )
      fail<Any>()
    } catch (expected: IllegalArgumentException) {
      if (!platform.isConscrypt()) {
        assertThat(expected.message).isEqualTo("failed to decode certificate")
      }
    }
    try {
      decode(
        """
        |-----BEGIN CERTIFICATE-----