}
            throw new SmbException(resp.getErrorCode(), null);
        }
        if (resp.isVerifyFailed()) {
            throw new SmbException("Signature verification failed.");
        }
        return cont;
    }

    /**
     * @param request
     * @param response
     * @throws SmbException
     */

                    return; // Success, exit retry loop
                } catch (Exception verifyException) {
                    lastException = verifyException;
                    log.warn("Attempt {} failed during verification: {}", attempt, verifyException.getMessage());
                }
            } catch (Exception e) {
                lastException = e;

    `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`. This tracks a [Chromium
    change][remove_cbc_ecdsa] to remove these cipher suites because they are
    fragile and rarely-used.
 *  New: Don't fall back to common name (CN) verification for hostnames. This
    behavior was deprecated with RFC 2818 in May 2000 and was recently dropped
    from major web browsers.
 *  New: Honor the `Retry-After` response header. HTTP 503 (Unavailable)

	return (isOwnerDerived || combinedPolicy.IsAllowed(parentArgs))
}

// IsAllowedSTS is meant for STS based temporary credentials,
// which implements claims validation and verification other than
// applying policies.
func (sys *IAMSys) IsAllowedSTS(args policy.Args, parentUser string) bool {
	// 1. Determine mapped policies

	isOwnerDerived := parentUser == globalActiveCred.AccessKey

    assertInvalid("http://../", "Invalid URL host: \"..\"")
  }

  @Test
  fun hostnameTelephone() {
    // https://www.gosecure.net/blog/2020/10/27/weakness-in-java-tls-host-verification/

    // Map the single character telephone symbol (℡) to the string "tel".
    assertThat(parse("http://\u2121").host).isEqualTo("tel")

    // Map the Kelvin symbol (K) to the string "k".