socketAdapters
      .find { it.matchesSocketFactory(sslSocketFactory) }
      ?.trustManager(sslSocketFactory)

  override fun newSSLContext(): SSLContext {
    StrictMode.noteSlowCall("newSSLContext")

    return super.newSSLContext()
  }

  override fun buildTrustRootIndex(trustManager: X509TrustManager): TrustRootIndex {
    StrictMode.noteSlowCall("buildTrustRootIndex")

      if (Build.VERSION.SDK_INT == 26) {
        throw IOException("Exception in connect", e)
      } else {
        throw e
      }
    }
  }

  override fun newSSLContext(): SSLContext {
    StrictMode.noteSlowCall("newSSLContext")

    return super.newSSLContext()
  }

  override fun trustManager(sslSocketFactory: SSLSocketFactory): X509TrustManager? =
    socketAdapters
      .find { it.matchesSocketFactory(sslSocketFactory) }

  private val provider: Provider = Conscrypt.newProvider()

  // See release notes https://groups.google.com/forum/#!forum/conscrypt
  // for version differences
  override fun newSSLContext(): SSLContext =
    // supports TLSv1.3 by default (version api is >= 1.4.0)
    SSLContext.getInstance("TLS", provider)

  override fun platformTrustManager(): X509TrustManager {
    val trustManagers =

    applyStrictMode()

    // Not currently safe
    // See https://github.com/square/okhttp/pull/8248
    OkHttpClient()

    assertThat(violations).hasSize(1)
    assertThat(violations[0].message).isEqualTo("newSSLContext")
  }

  @Test
  fun testNewCall() {
    Platform.resetForTests()

    val client = OkHttpClient()

    applyStrictMode()

    // Safe on main

 * ### Android Cleartext Permit Detection
 *
 * Supported on Android 6.0+ via `NetworkSecurityPolicy`.
 */
open class Platform {
  /** Prefix used on custom headers. */
  fun getPrefix() = "OkHttp"

  open fun newSSLContext(): SSLContext = SSLContext.getInstance("TLS")

  open fun platformTrustManager(): X509TrustManager {
    val factory =
      TrustManagerFactory.getInstance(
        TrustManagerFactory.getDefaultAlgorithm(),
      )

 *
 * Requires org.bouncycastle:bctls-jdk15on on the classpath.
 */
class BouncyCastlePlatform private constructor() : Platform() {
  private val provider: Provider = BouncyCastleJsseProvider()

  override fun newSSLContext(): SSLContext = SSLContext.getInstance("TLS", provider)

  override fun platformTrustManager(): X509TrustManager {
    val factory =
      TrustManagerFactory.getInstance(
        "PKIX",

  // and because it's a common pattern for VMs to have differences between supported and
  // defaulted versions for TLS based on what is requested.
  override fun newSSLContext(): SSLContext = SSLContext.getInstance("TLSv1.3", provider)

  override fun platformTrustManager(): X509TrustManager {
    val factory =
      TrustManagerFactory.getInstance(

    // sun.security.ssl to unnamed module @xxx
    throw UnsupportedOperationException(
      "clientBuilder.sslSocketFactory(SSLSocketFactory) not supported on JDK 8 (>= 252) or JDK 9+",
    )
  }

  override fun newSSLContext(): SSLContext =
    when {
      majorVersion != null && majorVersion >= 9 ->
        SSLContext.getInstance("TLS")
      else ->
        try {
          // Based on SSLSocket.getApplicationProtocol check we should

          authType: String?,
        ) {}

        override fun getAcceptedIssuers(): Array<X509Certificate> = arrayOf()
      }

    val sslContext =
      Platform.get().newSSLContext().apply {
        init(null, arrayOf(trustManager), null)
      }
    val sslSocketFactory = sslContext.socketFactory

    val hostnameVerifier = HostnameVerifier { _, _ -> true }

    client =

          uri: URI,
          socketAddress: SocketAddress,
          e: IOException,
        ) {}
      }

    val trustManager = get().platformTrustManager()
    val sslContext = get().newSSLContext()
    sslContext.init(null, null, null)

    // new client, may share all same fields but likely different connection pool
    assertNotSame(
      client.routeDatabase,
      OkHttpClient
        .Builder()