return result
  }

  class Builder {
    internal val namesAndValues: MutableList<String> = ArrayList(20)

    /**
     * Add a header line without any validation. Only appropriate for headers from the remote peer
     * or cache.
     */
    internal fun addLenient(line: String) =
      apply {
        val index = line.indexOf(':', 1)
        when {
          index != -1 -> {

 * client.newCall(request).execute();
 * ```
 *
 * As expected, this fails with a certificate pinning exception:
 *
 * ```java
 * javax.net.ssl.SSLPeerUnverifiedException: Certificate pinning failure!
 * Peer certificate chain:
 *     sha256/afwiKY3RxoMmLkuRW1l7QsPZTJPwDS2pdDROQjXw8ig=: CN=publicobject.com, OU=PositiveSSL
 *     sha256/klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY=: CN=COMODO RSA Secure Server CA

object Http2 {
  @JvmField
  val CONNECTION_PREFACE = "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n".encodeUtf8()

  /** The initial max frame size, applied independently writing to, or reading from the peer. */
  const val INITIAL_MAX_FRAME_SIZE = 0x4000 // 16384

  const val TYPE_DATA = 0x0
  const val TYPE_HEADERS = 0x1
  const val TYPE_PRIORITY = 0x2
  const val TYPE_RST_STREAM = 0x3
  const val TYPE_SETTINGS = 0x4

    shouldntImpactConnection[Settings.INITIAL_WINDOW_SIZE] = 3368
    peer.sendFrame().settings(initial)
    peer.acceptFrame() // ACK
    peer.sendFrame().settings(shouldntImpactConnection)
    peer.acceptFrame() // ACK 2
    peer.acceptFrame() // HEADERS
    peer.play()
    val connection = connect(peer)

    // Verify the peer received the second ACK.
    val ackFrame = peer.takeFrame()

      if (context.executionException.isPresent) return@AfterEachCallback
      assertThat(data.readByteString().hex(), "Data not empty")
        .isEqualTo("")
    }

  // Mutually exclusive. Use the one corresponding to the peer whose behavior you wish to test.
  private val serverWriter =
    WebSocketWriter(
      isClient = false,
      sink = data,
      random = random,
      perMessageDeflate = false,
      noContextTakeover = false,

 *    from the peer.
 *
 * Web sockets may fail due to HTTP upgrade problems, connectivity problems, or if either peer
 * chooses to short-circuit the graceful shutdown process:
 *
 *  * **Canceled:** the web socket connection failed. Messages that were successfully enqueued by
 *    either peer may not have been transmitted to the other.
 *

As part of this, we need to pick the correct certificate to serve on behalf of the destination workload.
As discussed in [HBONE](#hbone), this is based on the destination IP.
Additionally, we enforce the peer has a valid mesh identity (but do not assert _which_ identity, yet).

Next, we terminate the CONNECT.
From the [headers](#headers), we know the target destination.

     * followed by those lines.
     *
     * HTTPS responses also contain SSL session information. This begins with a blank line, and then
     * a line containing the cipher suite. Next is the length of the peer certificate chain. These
     * certificates are base64-encoded and appear each on their own line. The next line contains the
     * length of the local certificate chain. These certificates are also base64-encoded and appear

  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;

  // items is a list of schema objects.
  repeated NetworkPolicy items = 2;
}

// NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
// fields are allowed
message NetworkPolicyPeer {
  // podSelector is a label selector which selects pods. This field follows standard label

    server.useHttps(handshakeCertificates.sslSocketFactory(), false)
    ```

    Get these strings with `HeldCertificate.certificatePem()` and `privateKeyPkcs8Pem()`.

 *  Fix: Handshake now returns peer certificates in canonical order: each certificate is signed by
    the certificate that follows and the last certificate is signed by a trusted root.