.serialNumber(4L)
        .signedBy(certA)
        .build()
    val cleaner =
      get(
        selfSigned.certificate,
        trusted.certificate,
      )
    assertThat(cleaner.clean(list(certB, certA), "hostname")).isEqualTo(
      list(certB, certA, trusted, selfSigned),
    )
    assertThat(cleaner.clean(list(certB, certA, trusted), "hostname")).isEqualTo(
      list(certB, certA, trusted, selfSigned),

 *     serverSocket.close();
 *   }
 * }
 * }
 *
 * <p id="cleaner">Here is how you might achieve the same thing using {@link java.lang.ref.Cleaner
 * Cleaner}, if you are using a Java version where that is available:
 *
 * {@snippet :
 * public class MyServer implements Closeable {
 *   private static final Cleaner cleaner = Cleaner.create();
 *   // You might also share this between several objects.
 *

    assertThat(serverSocket.isClosed()).isTrue();
  }

  @SuppressWarnings("Java8ApiChecker")
  static class MyServerExampleWithCleaner implements AutoCloseable {
    private static final Cleaner cleaner = Cleaner.create();

    private static Runnable closeServerSocketRunnable(
        ServerSocket serverSocket, AtomicBoolean cleanerRan) {
      return () -> {
        try {
          serverSocket.close();

 * certificate.
 *
 * Use of the chain cleaner is necessary to omit unexpected certificates that aren't relevant to
 * the TLS handshake and to extract the trusted CA certificate for the benefit of certificate
 * pinning.
 */
abstract class CertificateChainCleaner {
  @Throws(SSLPeerUnverifiedException::class)
  abstract fun clean(
    chain: List<Certificate>,
    hostname: String,
  ): List<Certificate>

import java.security.cert.X509Certificate
import java.util.ArrayDeque
import java.util.Deque
import javax.net.ssl.SSLPeerUnverifiedException

/**
 * A certificate chain cleaner that uses a set of trusted root certificates to build the trusted
 * chain. This class duplicates the clean chain building performed during the TLS handshake. We
 * prefer other mechanisms where they exist, such as with

   * has consumed the entire input and they are ready to output a {@code HashCode}. The order of the
   * hashers are the same order as the functions given to the constructor.
   */
  // this could be cleaner if it passed HashCode[], but that would create yet another array...
  /* protected */ abstract HashCode makeHash(Hasher[] hashers);

  @Override
  public Hasher newHasher() {

      }
    }
  }

  /**
   * Not checking the CA bit created a vulnerability in old OkHttp releases. It is exploited by
   * triggering different chains to be discovered by the TLS engine and our chain cleaner. In this
   * attack there's several different chains.
   *
   *
   * The victim's gets a non-CA certificate signed by a CA, and pins the CA root and/or
   * intermediate. This is business as usual.
   *

                  // is undefined in shutdown hooks.
                  // This is because the logging code installs a shutdown hook of its
                  // own. See Cleaner class inside {@link LogManager}.
                  service.awaitTermination(terminationTimeout, timeUnit);
                } catch (InterruptedException ignored) {
                  // We're shutting down anyway, so just ignore.

                    pathToLease.remove(entry.getValue().getPath());
                    cleaned++;
                    log.debug("Cleaned up expired lease: {}", entry.getKey());
                }
            }

            if (cleaned > 0) {
                log.info("Cleaned up {} expired leases", cleaned);
            }

            return cleaned;
        } finally {
            lock.writeLock().unlock();
        }
    }

                        cleaned++;
                    } catch (Exception e) {
                        log.error("Failed to auto-close resource: {}", holder.resourceId, e);
                    }
                }
            }
        }

        if (cleaned > 0) {
            log.info("Cleaned up {} abandoned resources", cleaned);
        }
    }

    /**