.addSubjectAlternativeName("*.wildcard.com")
        .addSubjectAlternativeName("differentdns.com")
        .build()
    serverIps = Dns.SYSTEM.lookup(server.hostName)
    dns[server.hostName] = serverIps
    dns["san.com"] = serverIps
    dns["nonsan.com"] = serverIps
    dns["www.wildcard.com"] = serverIps
    dns["differentdns.com"] = listOf()
    val handshakeCertificates =
      HandshakeCertificates
        .Builder()

 * `RESTRICTED_TLS` is a secure configuration, intended to meet stricter compliance requirements.
 * `MODERN_TLS` is a secure configuration that connects to modern HTTPS servers.
 * `COMPATIBLE_TLS` is a secure configuration that connects to secure–but not current–HTTPS servers.
 * `CLEARTEXT` is an insecure configuration that is used for `http://` URLs.

        }

        List<Server> servers = settings.getServers();

        if (servers != null) {
            Set<String> serverIds = new HashSet<>();

            for (int i = 0; i < servers.size(); i++) {
                Server server = servers.get(i);

                validateStringNotEmpty(problems, "servers.server[" + i + "].id", server.getId(), null);

                if (!serverIds.add(server.getId())) {

 * that they own the hostnames that they represent. Server authentication is required.
 *
 * To perform server authentication:
 *
 *  * The server's handshake certificates must have a [held certificate][HeldCertificate] (a
 *    certificate and its private key). The certificate's subject alternative names must match the

Recommendations
---------------

Typically servers need a held certificate plus a chain of intermediates. Servers only need the
private key for their own certificate. The chain served by a server doesn't need the root
certificate.

The trusted roots don't need to be the same for client and server when using client authentication.
Clients might rely on the platform certificates and servers might use a private

 *     .build();
 * ```
 *
 * The proxy authenticator may implement preemptive authentication, reactive authentication, or
 * both.
 *
 * Applications may configure OkHttp with an authenticator for origin servers, or proxy servers,
 * or both.
 *
 * ## Authentication Retries
 *
 * If your authentication may be flaky and requires retries you should apply some policy

 2. It attempts to retrieve a connection with that address from the **connection pool**.
 3. If it doesn't find a connection in the pool, it selects a **route** to attempt. This usually means making a DNS request to get the server's IP addresses. It then selects a TLS version and proxy server if necessary.

If you are paying for 3 servers but you are using only a little bit of their RAM and CPU, you are probably **wasting money** 💸, and probably **wasting server electric power** 🌎, etc.

In that case, it could be better to have only 2 servers and use a higher percentage of their resources (CPU, memory, disk, network bandwidth, etc).

class DefaultSettingsDecryptionResult implements SettingsDecryptionResult {

    private List<Server> servers;

    private List<Proxy> proxies;

    private List<SettingsProblem> problems;

    DefaultSettingsDecryptionResult(List<Server> servers, List<Proxy> proxies, List<SettingsProblem> problems) {
        this.servers = (servers != null) ? servers : new ArrayList<>();
        this.proxies = (proxies != null) ? proxies : new ArrayList<>();

# Erasure code sizing guide

## Toy Setups

Capacity constrained environments, MinIO will work but not recommended for production.

| servers | drives (per node) | stripe_size | parity chosen (default) | tolerance for reads (servers) | tolerance for writes (servers) |
|--------:|------------------:|------------:|------------------------:|------------------------------:|-------------------------------:|