}

  private fun certificateSupportHost(
    url: HttpUrl,
    handshake: Handshake,
  ): Boolean {
    val peerCertificates = handshake.peerCertificates

    return peerCertificates.isNotEmpty() &&
      OkHostnameVerifier.verify(url.host, peerCertificates[0] as X509Certificate)
  }

  @Throws(SocketException::class)
  internal fun newCodec(
    client: OkHttpClient,

    val peerCertificates = cleanedPeerCertificatesFn()

    for (peerCertificate in peerCertificates) {
      // Lazily compute the hashes for each certificate.
      var sha1: ByteString? = null
      var sha256: ByteString? = null

      for (pin in pins) {
        when (pin.hashAlgorithm) {
          "sha256" -> {
            if (sha256 == null) sha256 = peerCertificate.sha256Hash()

      if (!address.hostnameVerifier!!.verify(address.url.host, sslSocketSession)) {
        val peerCertificates = unverifiedHandshake.peerCertificates
        if (peerCertificates.isNotEmpty()) {
          val cert = peerCertificates[0] as X509Certificate
          throw SSLPeerUnverifiedException(
            """
            |Hostname ${address.url.host} not verified:

	// whether they client has sent exactly one (non-CA) leaf certificate.
	peerCertificates := make([]*x509.Certificate, 0, len(r.TLS.PeerCertificates))
	for _, cert := range r.TLS.PeerCertificates {
		if cert.IsCA {
			continue
		}
		peerCertificates = append(peerCertificates, cert)
	}
	r.TLS.PeerCertificates = peerCertificates

	// Now, we have to check that the client has provided exactly one leaf

            .build()

        client.newCall(request).execute().use { response ->
          if (!response.isSuccessful) throw IOException("Unexpected code $response")

          for (certificate in response.handshake!!.peerCertificates) {
            println(CertificatePinner.pin(certificate))
          }
        }
      }
    ```
=== ":material-language-java: Java"
    ```java

    assertThat(handshake.localPrincipal).isNotNull()
    assertThat(handshake.localCertificates.size).isEqualTo(1)
    assertThat(handshake.peerPrincipal).isNull()
    assertThat(handshake.peerCertificates.size).isEqualTo(0)
  }

  @Test
  fun httpsWithClientAuth() {
    platform.assumeNotBouncyCastle()
    platform.assumeNotConscrypt()

    val clientCa =
      HeldCertificate.Builder()

     * 3
     * Content-Type: image/png
     * Content-Length: 100
     * Cache-Control: max-age=600
     *
     * AES_256_WITH_MD5
     * 2
     * base64-encoded peerCertificate[0]
     * base64-encoded peerCertificate[1]
     * -1
     * TLSv1.2
     * ```
     *
     * The file is newline separated. The first two lines are the URL and the request method. Next

    val tlsVersion: TlsVersion = handshake.tlsVersion()
    val cipherSuite: CipherSuite = handshake.cipherSuite()
    val peerCertificates: List<Certificate> = handshake.peerCertificates()
    val peerPrincipal: Principal? = handshake.peerPrincipal()
    val localCertificates: List<Certificate> = handshake.localCertificates()

        -----END CERTIFICATE-----
        """.trimIndent(),
      )
    val peerCertificate = session.peerCertificates[0] as X509Certificate

    if (isAndroid || platform.isConscrypt()) {
      assertThat(certificateSANs(peerCertificate)).containsExactly("bar.com")
    } else {
      assertThat(certificateSANs(peerCertificate)).containsExactly("bar.com", "������.co.jp")
    }

    assertThat(handshake.localPrincipal).isNotNull()
    assertThat(handshake.localCertificates.size).isEqualTo(1)
    assertThat(handshake.peerPrincipal).isNull()
    assertThat(handshake.peerCertificates.size).isEqualTo(0)
  }

  @Test
  fun httpsWithClientAuth() {
    platform.assumeNotBouncyCastle()
    platform.assumeNotConscrypt()
    val clientCa =
      HeldCertificate.Builder()