"https://www.googleapis.com/robots.txt",
      "https://graph.facebook.com/robots.txt",
      "https://api.twitter.com/robots.txt",
      "https://connect.squareup.com/robots.txt",
    )

  println("TLS1.3+TLS1.2")
  testClient(urls, buildClient(ConnectionSpec.RESTRICTED_TLS))

  println("\nTLS1.3 only")
  testClient(urls, buildClient(TLS_13))

  println("\nTLS1.3 then fallback")

    return suites.firstOrNull {
      it.name == javaName || it.name == "TLS_${javaName.drop(4)}"
    } ?: throw IllegalArgumentException("No such suite: $javaName")
  }
}

suspend fun fetchIanaSuites(okHttpClient: OkHttpClient): IanaSuites {
  val url = "https://www.iana.org/assignments/tls-parameters/tls-parameters-4.csv"

  val call = okHttpClient.newCall(Request(url.toHttpUrl()))

  val suites =

      return when {
        javaName.startsWith("TLS_") -> "SSL_" + javaName.substring(4)
        javaName.startsWith("SSL_") -> "TLS_" + javaName.substring(4)
        else -> javaName
      }
    }

    /**
     * @param javaName the name used by Java APIs for this cipher suite. Different than the IANA
     *     name for older cipher suites because the prefix is `SSL_` instead of `TLS_`.

			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
		}
	}
	return []uint16{
		tls.TLS_CHACHA20_POLY1305_SHA256, // TLS 1.3
		tls.TLS_AES_128_GCM_SHA256,
		tls.TLS_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, // TLS 1.2
		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,

package config

import (
	"bytes"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"os"

	"github.com/minio/pkg/v3/env"
)

// EnvCertPassword is the environment variable which contains the password used
// to decrypt the TLS private key. It must be set if the TLS private key is
// password protected.
const EnvCertPassword = "MINIO_CERT_PASSWD"

      "plan 0 cancel",
      "plan 1 TLS connecting...",
      "plan 1 TLS connected",
      "plan 2 TCP connecting...",
    )

    taskFaker.advanceUntil(270.ms)
    assertEvents(
      "plan 0 TCP connect canceled",
    )

    taskFaker.advanceUntil(280.ms)
    assertEvents(
      "plan 2 TCP connected",
      "plan 2 TLS connecting...",
      "plan 2 TLS connected",
    )

As only one process can be listening on this port, the process that would do it would be the **TLS Termination Proxy**.

The TLS Termination Proxy would have access to one or more **TLS certificates** (HTTPS certificates).

Using the **SNI extension** discussed above, the TLS Termination Proxy would check which of the TLS (HTTPS) certificates available it should use for this connection, using the one that matches the domain expected by the client.

--------

```kotlin
implementation("com.squareup.okhttp3:okhttp-tls:4.12.0")
```

 [held_certificate]: https://square.github.io/okhttp/4.x/okhttp-tls/okhttp3.tls/-held-certificate/
 [held_certificate_builder]: https://square.github.io/okhttp/4.x/okhttp-tls/okhttp3.tls/-held-certificate/-builder/
 [handshake_certificates]: https://square.github.io/okhttp/4.x/okhttp-tls/okhttp3.tls/-handshake-certificates/

	cfg.PathPrefix = env.Get(EnvEtcdPathPrefix, kvs.Get(PathPrefix))
	if etcdSecure {
		cfg.TLS = &tls.Config{
			RootCAs:                  rootCAs,
			PreferServerCipherSuites: true,
			MinVersion:               tls.VersionTLS12,
			NextProtos:               []string{"http/1.1", "h2"},
			ClientSessionCache:       tls.NewLRUClientSessionCache(64),
			CipherSuites:             fips.TLSCiphersBackwardCompatible(),

	tlsConfig, err := saramatls.NewConfig(args.TLS.ClientTLSCert, args.TLS.ClientTLSKey)
	if err != nil {
		target.loggerOnce(context.Background(), err, target.ID().String())
		return err
	}

	config.Net.TLS.Enable = args.TLS.Enable
	config.Net.TLS.Config = tlsConfig
	config.Net.TLS.Config.InsecureSkipVerify = args.TLS.SkipVerify
	config.Net.TLS.Config.ClientAuth = args.TLS.ClientAuth