*         -> phonyVictim
   * ```
   *
   * Some implementations fail the TLS handshake when they see the long chain, and don't give
   * CertificatePinner the opportunity to produce a different chain from their own. This includes
   * the OpenJDK 11 TLS implementation, which itself fails the handshake when it encounters a non-CA
   * certificate.
   */
  @Test
  fun signersMustHaveCaBitSet() {
    val attackerCa =