}

  private fun certificateSupportHost(
    url: HttpUrl,
    handshake: Handshake,
  ): Boolean {
    val peerCertificates = handshake.peerCertificates

    return peerCertificates.isNotEmpty() &&
      OkHostnameVerifier.verify(url.host, peerCertificates[0] as X509Certificate)
  }

  @Throws(SocketException::class)
  internal fun newCodec(
    client: OkHttpClient,

  )
  fun cipherSuite(): CipherSuite = cipherSuite

  @JvmName("-deprecated_peerCertificates")
  @Deprecated(
    message = "moved to val",
    replaceWith = ReplaceWith(expression = "peerCertificates"),
    level = DeprecationLevel.ERROR,
  )
  fun peerCertificates(): List<Certificate> = peerCertificates

  /** Returns the remote peer's principle, or null if that peer is anonymous. */

    val peerCertificates = cleanedPeerCertificatesFn()

    for (peerCertificate in peerCertificates) {
      // Lazily compute the hashes for each certificate.
      var sha1: ByteString? = null
      var sha256: ByteString? = null

      for (pin in pins) {
        when (pin.hashAlgorithm) {
          "sha256" -> {
            if (sha256 == null) sha256 = peerCertificate.sha256Hash()

        cipherSuite = CipherSuite.TLS_AES_128_GCM_SHA256,
        peerCertificates = listOf(serverCertificate.certificate, serverIntermediate.certificate),
        localCertificates = listOf(),
      )

    assertThat(handshake.tlsVersion).isEqualTo(TlsVersion.TLS_1_3)
    assertThat(handshake.cipherSuite).isEqualTo(CipherSuite.TLS_AES_128_GCM_SHA256)
    assertThat(handshake.peerCertificates).containsExactly(
      serverCertificate.certificate,

      assertTrue(response.code() == 200 || response.code() == 404);
      assertEquals(Protocol.HTTP_2, response.protocol());

      for (Certificate c: response.handshake().peerCertificates()) {
        X509Certificate x = (X509Certificate) c;
        System.out.println(x.getSubjectDN());
      }
    }
  }

        "sha256/afwiKY3RxoMmLkuRW1l7QsPZTJPwDS2pdDROQjXw8ig=");

    @Override public Response intercept(Chain chain) throws IOException {
      for (Certificate certificate : chain.connection().handshake().peerCertificates()) {
        String pin = CertificatePinner.pin(certificate);
        if (denylist.contains(pin)) {
          throw new IOException("Denylisted peer certificate: " + pin);
        }
      }

      if (!address.hostnameVerifier!!.verify(address.url.host, sslSocketSession)) {
        val peerCertificates = unverifiedHandshake.peerCertificates
        if (peerCertificates.isNotEmpty()) {
          val cert = peerCertificates[0] as X509Certificate
          throw SSLPeerUnverifiedException(
            """
            |Hostname ${address.url.host} not verified:

  override fun getValueNames(): Array<String> {
    return delegate!!.valueNames
  }

  @Throws(SSLPeerUnverifiedException::class)
  override fun getPeerCertificates(): Array<Certificate>? {
    return delegate!!.peerCertificates
  }

  override fun getLocalCertificates(): Array<Certificate>? {
    return delegate!!.localCertificates
  }

  @Throws(SSLPeerUnverifiedException::class)

	// whether they client has sent exactly one (non-CA) leaf certificate.
	peerCertificates := make([]*x509.Certificate, 0, len(r.TLS.PeerCertificates))
	for _, cert := range r.TLS.PeerCertificates {
		if cert.IsCA {
			continue
		}
		peerCertificates = append(peerCertificates, cert)
	}
	r.TLS.PeerCertificates = peerCertificates

	// Now, we have to check that the client has provided exactly one leaf

            .build()

        client.newCall(request).execute().use { response ->
          if (!response.isSuccessful) throw IOException("Unexpected code $response")

          for (certificate in response.handshake!!.peerCertificates) {
            println(CertificatePinner.pin(certificate))
          }
        }
      }
    ```
=== ":material-language-java: Java"
    ```java