}

  /**
   * Attack the CA intermediates check by presenting unrelated chains to the handshake vs.
   * certificate pinner.
   *
   * This chain is valid but not pinned:
   *
   * ```
   *   attackerCa
   *    -> phonyVictim
   * ```
   *
   *
   * This chain is pinned but not valid:
   *
   * ```
   *   attackerCa
   *     -> pinnedRoot (trusted by CertificatePinner)

  /** Can still coalesce when pinning is used if pins match.  */
  @Test
  fun coalescesWhenCertificatePinsMatch() {
    val pinner =
      CertificatePinner
        .Builder()
        .add("san.com", pin(certificate.certificate))
        .build()
    client = client.newBuilder().certificatePinner(pinner).build()
    server.enqueue(MockResponse())
    server.enqueue(MockResponse())

 * explicitly requested), this also includes that proxy information. For secure connections the
 * address also includes the SSL socket factory, hostname verifier, and certificate pinner.
 *
 * HTTP requests that share the same [Address] may also share the same [Connection].
 */
class Address(
  uriHost: String,
  uriPort: Int,

        enableTls()

        val pinner =
          CertificatePinner
            .Builder()
            .add(server.hostName, pin(handshakeCertificates.trustManager.acceptedIssuers.first()))
            .build()

        overrideBadImplementation(
          override = Override.CertificatePinnerOverride,
          testItFails = testItFails,
          goodValue = pinner,
        )
      }

      else -> {

            unverifiedHandshake.peerCertificates,
            address.url.host,
          )
        }
      this.handshake = handshake

      // Check that the certificate pinner is satisfied by the certificates presented.
      certificatePinner.check(address.url.host) {
        handshake.peerCertificates.map { it as X509Certificate }
      }

OkHttp 2.x Change Log
=====================

## Version 2.7.5

_2016-02-25_

 *  Fix: Change the certificate pinner to always build full chains. This
    prevents a potential crash when using certificate pinning with the Google
    Play Services security provider.


## Version 2.7.4

_2016-02-07_

 *  Fix: Don't crash when finding the trust manager if the Play Services (GMS)
    security provider is installed.

channel, and so forth, because they cannot be pinned with
[runtime.Pinner].

The _GoString_ type also may not be pinned with [runtime.Pinner].
Because it includes a Go pointer, the memory it points to is only pinned
for the duration of the call; _GoString_ values may not be retained by C
code.

A Go function called by C code may return a Go pointer to pinned memory

 *  New: Support SHA-256 pins in certificate pinner.


## Version 3.1.2

_2016-02-10_

 *  Fix: Don’t crash when finding the trust manager on Robolectric. We attempted
    to detect the host platform and got confused because Robolectric looks like
    Android but isn’t!
 *  Fix: Change `CertificatePinner` to skip sanitizing the certificate chain
    when no certificates were pinned. This avoids an SSL failure in insecure

        if (hostnameVerifier != this.hostnameVerifier) {
          this.routeDatabase = null
        }

        this.hostnameVerifier = hostnameVerifier
      }

    /**
     * Sets the certificate pinner that constrains which certificates are trusted. By default HTTPS
     * connections rely on only the [SSL socket factory][sslSocketFactory] to establish trust.

cryptapi-banner.svg...