| [Corretto]       | ✅      | ✅           | [OpenSSL]       | Amazon's high-performance provider. [Tracking bug.][bug5592] |

All providers support HTTP/1.1 and TLSv1.2.


[BoringSSL]: https://boringssl.googlesource.com/boringssl/
[Bouncy Castle]: https://www.bouncycastle.org/java.html
[Conscrypt]: https://www.conscrypt.org/
[Corretto]: https://github.com/corretto/amazon-corretto-crypto-provider
[GraalVM]: https://www.graalvm.org/

HTTPS
=====

OkHttp attempts to balance two competing concerns:

 * **Connectivity** to as many hosts as possible. That includes advanced hosts that run the latest versions of [boringssl](https://boringssl.googlesource.com/boringssl/) and less out of date hosts running older versions of [OpenSSL](https://www.openssl.org/).

security.

OkHttp uses your platform's built-in TLS implementation. On Java platforms OkHttp also supports
[Conscrypt][conscrypt], which integrates [BoringSSL](https://github.com/google/boringssl) with Java. OkHttp will use Conscrypt if it is
the first security provider:

```java
Security.insertProviderAt(Conscrypt.newProvider(), 1);
```

bazel_dep(name = "snappy", version = "1.2.2.bcr.1")
bazel_dep(name = "zlib", version = "1.3.1.bcr.7")
bazel_dep(name = "libpng", version = "1.6.50.bcr.1", repo_name = "png")
bazel_dep(name = "boringssl", version = "0.20250818.0")
bazel_dep(name = "highway", version = "1.3.0", repo_name = "com_google_highway")
single_version_override(
    module_name = "highway",
    patch_strip = 1,
    patches = [

def set_system_libs_flag(environ_cp):
  """Set system libs flags."""
  syslibs = environ_cp.get('TF_SYSTEM_LIBS', '')

  if is_s390x() and 'boringssl' not in syslibs:
    syslibs = 'boringssl' + (', ' + syslibs if syslibs else '')

  if syslibs:
    if ',' in syslibs:
      syslibs = ','.join(sorted(syslibs.split(',')))
    else:

    "@png//:__subpackages__",
    "@sobol_data//:__subpackages__",
    "@stablehlo//:__subpackages__",
    "@tf_runtime//:__subpackages__",
    "@bazel_tools//:__subpackages__",
    "@boringssl//:__subpackages__",
    "@com_github_cares_cares//:__subpackages__",
    "@com_github_googlecloudplatform_tensorflow_gcp_tools//:__subpackages__",
    "@com_github_grpc_grpc//:__subpackages__",

    interval of 30 seconds is reasonable for most use cases.

 *  **OkHttp now supports [Conscrypt][conscrypt].** Conscrypt is a Java Security
    Provider that integrates BoringSSL into the Java platform. Conscrypt
    supports more cipher suites than the JVM’s default provider and may also
    execute more efficiently.

    To use it, first register a [Conscrypt dependency][conscrypt_dependency] in

only used for randomly-selected w in the // context of RSA key generation, we can use a smaller number of iterations. // The exact number depends on the size of the prime (and the implied // security level). See BoringSSL for the full formula. // https://cs.opensource.google/boringssl/boringssl/+/master:crypto/fipsmodule/bn/prime.c.inc;l=208-283;drc=3a138e43 bits := mr.w.BitLen() var iterations int switch { case bits >= 3747: iterations = 3 case bits >= 1345: iterations = 4 case bits >= 476: iterations...

only used for randomly-selected w in the // context of RSA key generation, we can use a smaller number of iterations. // The exact number depends on the size of the prime (and the implied // security level). See BoringSSL for the full formula. // https://cs.opensource.google/boringssl/boringssl/+/master:crypto/fipsmodule/bn/prime.c.inc;l=208-283;drc=3a138e43 bits := mr.w.BitLen() var iterations int switch { case bits >= 3747: iterations = 3 case bits >= 1345: iterations = 4 case bits >= 476: iterations...