*
 * Supported on OpenJDK 8 via the JettyALPN-boot library or Conscrypt.
 *
 * Supported on OpenJDK 9+ via SSLParameters and SSLSocket features.
 *
 * ### Trust Manager Extraction
 *
 * Supported on Android 2.3+ and OpenJDK 7+. There are no public APIs to recover the trust
 * manager that was used to create an [SSLSocketFactory].
 *
 * Not supported by choice on JDK9+ due to access checks.
 *
 * ### Android Cleartext Permit Detection
 *

    assertThat(actual).isNotNull()
  }

  private fun enableTls() {
    // Generate a self-signed cert for the server to serve and the client to trust.
    // can't use TlsUtil.localhost with a non OpenJSSE trust manager
    val heldCertificate =
      HeldCertificate.Builder()
        .commonName("localhost")
        .addSubjectAlternativeName("localhost")
        .build()
    val handshakeCertificates =

    had a crash `IllegalArgumentException: Not a Conscrypt trust manager` because we depended on
    initialization order of companion objects.


## Version 4.7.1

_2020-05-18_

 *  Fix: Pass the right arguments in the trust manager created for `addInsecureHost()`. Without the
    fix insecure hosts crash with an `IllegalArgumentException` on Android.

    SSLContext sslContext = SSLContext.getInstance("TLS");
    sslContext.init(null, new TrustManager[] { trustManager }, null);

    return sslContext.getSocketFactory();
  }

  /** Returns a trust manager that trusts the VM's default certificate authorities. */
  private X509TrustManager defaultTrustManager() throws GeneralSecurityException {
    TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(

   * Returns a cleaned chain for [chain].
   *
   * This method throws if the complete chain to a trusted CA certificate cannot be constructed.
   * This is unexpected unless the trust root index in this class has a different trust manager than
   * what was used to establish [chain].
   */
  @Throws(SSLPeerUnverifiedException::class)
  override fun clean(
    chain: List<Certificate>,
    hostname: String,
  ): List<Certificate> {

import okhttp3.internal.connection.ForceConnectRoutePlanner
import okhttp3.internal.connection.RealConnectionPool
import okhttp3.internal.connection.RealRoutePlanner
import okhttp3.internal.connection.RouteDatabase

/**
 * Manages reuse of HTTP and HTTP/2 connections for reduced network latency. HTTP requests that
 * share the same [Address] may share a [Connection]. This class implements the policy
 * of which connections to keep open for future use.
 *

      this.headerBlock = headerBlock
    }

    override fun alternateService(
      streamId: Int,
      origin: String,
      protocol: ByteString,
      host: String,
      port: Int,
      maxAge: Long,
    ) {
      throw UnsupportedOperationException()
    }
  }

  companion object {
    private val logger = Logger.getLogger(MockHttp2Peer::class.java.name)
  }

            "Unable to extract the trust manager on ${Platform.get()}, " +
              "sslSocketFactory is ${sslSocketFactory.javaClass}",
          )
        this.certificateChainCleaner =
          Platform.get().buildCertificateChainCleaner(x509TrustManagerOrNull!!)
      }

    /**
     * Sets the socket factory and trust manager used to secure HTTPS connections. If unset, the

    }
  }

  @Throws(Exception::class)
  private fun processHandshakeFailure(raw: Socket) {
    val context = SSLContext.getInstance("TLS")
    context.init(null, arrayOf<TrustManager>(UNTRUSTED_TRUST_MANAGER), SecureRandom())
    val sslSocketFactory = context.socketFactory
    val socket =
      sslSocketFactory.createSocket(
        raw,
        raw.inetAddress.hostAddress,
        raw.port,
        true,

 *  New: Support SHA-256 pins in certificate pinner.


## Version 3.1.2

_2016-02-10_

 *  Fix: Don’t crash when finding the trust manager on Robolectric. We attempted
    to detect the host platform and got confused because Robolectric looks like
    Android but isn’t!
 *  Fix: Change `CertificatePinner` to skip sanitizing the certificate chain