---

<a name="tlsv13_only"></a>
#### ¹ TLSv1.3 Only

Cipher suites that are only available with TLSv1.3.

<a name="http2_naughty"></a>
#### ² HTTP/2 Cipher Suite Denylist

Cipher suites that are [discouraged for use][http2_denylist] with HTTP/2. OkHttp includes them because better suites are not commonly available. For example, none of the better cipher suites listed above shipped with Android 4.4 or Java 7.

  return SuiteId(id, matcher.groupValues[3])
}

class IanaSuites(
  val name: String,
  val suites: List<SuiteId>,
) {
  fun fromJavaName(javaName: String): SuiteId =
    suites.firstOrNull {
      it.name == javaName || it.name == "TLS_${javaName.drop(4)}"
    } ?: throw IllegalArgumentException("No such suite: $javaName")
}

 * limitations under the License.
 */
package okhttp3

/**
 * [TLS cipher suites][iana_tls_parameters].
 *
 * **Not all cipher suites are supported on all platforms.** As newer cipher suites are created (for
 * stronger privacy, better performance, etc.) they will be adopted by the platform and then exposed
 * here. Cipher suites that are not available on either Android (through API level 24) or Java

versions](https://square.github.io/okhttp/4.x/okhttp/okhttp3/-tls-version/) and [cipher suites](https://square.github.io/okhttp/4.x/okhttp/okhttp3/-cipher-suite/) to offer. A client that wants to maximize connectivity would include obsolete TLS versions and weak-by-design cipher suites. A strict client that wants to maximize security would be limited to only the latest TLS version and strongest cipher suites.

Specific security vs. connectivity decisions are implemented by [ConnectionSpe...

   * order for a socket to be compatible the enabled cipher suites and protocols must intersect.
   *
   * For cipher suites, at least one of the [required cipher suites][cipherSuites] must match the
   * socket's enabled cipher suites. If there are no required cipher suites the socket must have at
   * least one cipher suite enabled.
   *

  /**
   * To avoid infinite recursion, test suites with these marker features won't have derived suites
   * created for them.
   */
  enum NoRecurse implements Feature<@Nullable Void> {
    SUBMAP,
    DESCENDING;

    @Override
    public Set<Feature<? super @Nullable Void>> getImpliedFeatures() {
      return emptySet();
    }
  }

  /**
   * Creates a suite whose map has some elements filtered out of view.

    socket: SSLSocket,
  ) : DelegatingSSLSocket(socket) {
    override fun setEnabledCipherSuites(suites: Array<String>) {
      val enabledCipherSuites = mutableListOf<String>()
      for (suite in suites) {
        if (suite != TLS_FALLBACK_SCSV) {
          enabledCipherSuites.add(suite)
        }
      }
      delegate!!.enabledCipherSuites = enabledCipherSuites.toTypedArray<String>()
    }
  }

      .isEqualTo(CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA256.javaName)
  }

  /**
   * On the Oracle JVM some older cipher suites have the "SSL_" prefix and others have the "TLS_"
   * prefix. On the IBM JVM all cipher suites have the "SSL_" prefix.
   *
   * Prior to OkHttp 3.3.1 we accepted either form and consider them equivalent. And since OkHttp

    // Configure cipher suites to demonstrate how to customize which cipher suites will be used for
    // an OkHttp request. In order to be selected a cipher suite must be included in both OkHttp's
    // connection spec and in the SSLSocket's enabled cipher suites array. Most applications should
    // not customize the cipher suites list.
    List<CipherSuite> customCipherSuites = asList(

  /**
   * To avoid infinite recursion, test suites with these marker features won't have derived suites
   * created for them.
   */
  enum NoRecurse implements Feature<@Nullable Void> {
    SUBMAP,
    DESCENDING;

    @Override
    public Set<Feature<? super @Nullable Void>> getImpliedFeatures() {
      return emptySet();
    }
  }

  /**
   * Creates a suite whose map has some elements filtered out of view.