assertEquals("192.168.1.100", rateLimitHelper.getClientIp(request));
    }

    @Test
    public void test_getClientIp_xForwardedFor_trustedProxy() {
        // 127.0.0.1 is configured as a trusted proxy by default
        final MockletHttpServletRequest request = getMockRequest();
        request.setRemoteAddr("127.0.0.1");
        request.addHeader("X-Forwarded-For", "203.0.113.50, 70.41.3.18, 150.172.238.178");

-----------------------

The above example uses a self-signed certificate. This is convenient for testing but not
representative of real-world HTTPS deployment. To get closer to that we can use `HeldCertificate`
to generate a trusted root certificate, an intermediate certificate, and a server certificate.
We use `certificateAuthority(int)` to create certificates that can sign other certificates. The

 * called certificate authorities (CAs).
 *
 * Browsers and other HTTP clients need a set of trusted root certificates to authenticate their
 * peers. Sets of root certificates are managed by either the HTTP client (like Firefox), or the
 * host platform (like Android). In July 2018 Android had 134 trusted root certificates for its HTTP
 * clients to trust.
 *

* Caddy (that can also handle certificate renewals)
* Nginx
* HAProxy

## Let's Encrypt { #lets-encrypt }

Before Let's Encrypt, these **HTTPS certificates** were sold by trusted third parties.

The process to acquire one of these certificates used to be cumbersome, require quite some paperwork and the certificates were quite expensive.

But then **[Let's Encrypt](https://letsencrypt.org/)** was created.

```bash
gpg --verify plugin-publish-plugin-2.0.0.jar.asc plugin-publish-plugin-2.0.0.jar
```

If you see a warning message like `gpg: WARNING: This key is not certified with a trusted signature!`, you can locally sign the Gradle key after importing it.
This tells your GPG installation that you trust this key and will prevent the warning from appearing again.

To do this, run the following command:

```bash

  ) {
    enum class Type {
      Handshake,
      Plaintext,
      Encrypted,
      Setup,
      Unknown,
    }

    val type: Type
      get() =
        when {
          message == "adding as trusted certificates" -> Type.Setup
          message == "Raw read" || message == "Raw write" -> Type.Encrypted
          message == "Plaintext before ENCRYPTION" || message == "Plaintext after DECRYPTION" -> Type.Plaintext

 * [okhttp-stats](https://github.com/flipkart-incubator/okhttp-stats): Get stats like average network speed.
 * [okhttp-system-keystore](https://github.com/charleskorn/okhttp-system-keystore): Use trusted certificates from the operating system keystore (Keychain on macOS, Certificate Store on Windows).
 * ⬜️ [Okio](https://github.com/square/okio/): A modern I/O API for Java.

 *       class instead.
 *   <li>If checking an <i>impossible</i> condition (which <i>cannot</i> happen unless your own
 *       class or its <i>trusted</i> dependencies is badly broken), this is what ordinary Java
 *       assertions are for. Note that assertions are not enabled by default; they are essentially
 *       considered "compiled comments."

    `EventSourceListener.onOpen()`.
 *  Fix: Enforce the max intermediates constraint when using pinned certificates with Conscrypt.
    This impacts Conscrypt when the server's presented certificates form both a trusted-but-unpinned
    chain and an untrusted-but-pinned chain.
 *  Upgrade: [Kotlin 1.6.10][kotlin_1_6_10].


## Version 5.0.0-alpha.3

_2021-11-22_

          this.routeDatabase = null
        }

        this.hostnameVerifier = hostnameVerifier
      }

    /**
     * Sets the certificate pinner that constrains which certificates are trusted. By default HTTPS
     * connections rely on only the [SSL socket factory][sslSocketFactory] to establish trust.
     * Pinning certificates avoids the need to trust certificate authorities.
     */