* does not participate in any [interceptors][Interceptor] or [event listeners][EventListener]. It
 * doesn't include the motivating request's HTTP headers or even its full URL; only the target
 * server's hostname is sent to the proxy.
 *
 * Prior to sending any CONNECT request OkHttp always calls the proxy authenticator so that it may
 * prepare preemptive authentication. OkHttp will call [authenticate] with a fake `HTTP/1.1 407

    assertContent("This is the 2nd server, again!", getResponse(Request(server2.url("/"))))
    val server1Host = server.hostName + ":" + server.port
    val server2Host = server2.hostName + ":" + server2.port
    assertThat(server.takeRequest().headers["Host"]).isEqualTo(server1Host)
    assertThat(server2.takeRequest().headers["Host"]).isEqualTo(server2Host)

    }
  }

  /** Returns true if [certificate] matches [hostname]. */
  private fun verifyHostname(
    hostname: String,
    certificate: X509Certificate,
  ): Boolean {
    val hostname = hostname.asciiToLowercase()
    return getSubjectAltNames(certificate, ALT_DNS_NAME).any {
      verifyHostname(hostname, it)
    }
  }

  /**

  fun check(
    hostname: String,
    vararg peerCertificates: Certificate,
  ) {
    check(hostname, peerCertificates.toList())
  }

  /**
   * Returns list of matching certificates' pins for the hostname. Returns an empty list if the
   * hostname does not have pinned certificates.
   */
  fun findMatchingPins(hostname: String): List<Pin> = pins.filterList { matchesHostname(hostname) }

    assertThat(encoded).isEqualTo("AAABAAABAAAAAAAABmdvb2dsZQNjb20AABwAAQ")
  }

  @Test
  fun testGoogleDotComDecodingFromCloudflare() {
    val encoded =
      decodeAnswers(
        hostname = "test.com",
        byteString =
          (
            "00008180000100010000000006676f6f676c6503636f6d0000010001c00c0001000100000043" +
              "0004d83ad54e"
          ).decodeHex(),
      )

    server.enqueue(MockResponse())

    val clientCertificates =
      HandshakeCertificates.Builder()
        .addPlatformTrustedCertificates()
        .addInsecureHost(server.hostName)
        .build()

    val client =
      clientTestRule.newClientBuilder()
        .sslSocketFactory(clientCertificates.sslSocketFactory(), clientCertificates.trustManager)
        .build()

      }
    }

    client =
      client.newBuilder()
        .sslSocketFactory(CustomSSLSocketFactory(client.sslSocketFactory), client.x509TrustManager!!)
        .hostnameVerifier { hostname, session ->
          val s = "hostname: $hostname peerHost:${session.peerHost}"
          Log.d("SniOverrideTest", s)
          try {
            val cert = session.peerCertificates[0] as X509Certificate

  override fun configureTlsExtensions(
    sslSocket: SSLSocket,
    hostname: String?,
    protocols: List<Protocol>,
  ) {
    getDelegate(sslSocket)?.configureTlsExtensions(sslSocket, hostname, protocols)
  }

  override fun getSelectedProtocol(sslSocket: SSLSocket): String? {
    return getDelegate(sslSocket)?.getSelectedProtocol(sslSocket)
  }

    val clientCertificates =
      HandshakeCertificates.Builder()
        .addPlatformTrustedCertificates()
        .apply {
          if (Build.VERSION.SDK_INT >= 24) {
            addInsecureHost(server.hostName)
          }
        }
        .build()

    client =
      client.newBuilder()
        .sslSocketFactory(clientCertificates.sslSocketFactory(), clientCertificates.trustManager)
        .build()

  @SuppressSignatureCheck
  override fun clean(
    chain: List<Certificate>,
    hostname: String,
  ): List<Certificate> {
    val certificates = (chain as List<X509Certificate>).toTypedArray()
    try {
      return x509TrustManagerExtensions.checkServerTrusted(certificates, "RSA", hostname)
    } catch (ce: CertificateException) {
      throw SSLPeerUnverifiedException(ce.message).apply { initCause(ce) }
    }