TlsVersion.TLS_1_3,
      ) // v1.2 on OpenJDK 8.
    val request1 = server.takeRequest()
    assertThat(tlsVersions).contains(request1.handshake?.tlsVersion)
    val request2 = server.takeRequest()
    assertThat(tlsVersions).contains(request2.handshake?.tlsVersion)
  }

  /**
   * Verify that we don't retry connections on certificate verification errors.
   *

    assertThat(secureStart.call).isSameAs(call)
    val secureEnd = listener.removeUpToEvent<SecureConnectEnd>()
    assertThat(secureEnd.call).isSameAs(call)
    assertThat(secureEnd.handshake).isNotNull()
  }

  @Test
  fun failedSecureConnect() {
    enableTlsWithTunnel()
    server.enqueue(
      MockResponse.Builder()
        .socketPolicy(FailHandshake)
        .build(),
    )

まず、ブラウザは**DNSサーバー**に**ドメインに対するIP**が何であるかを確認します。今回は、`someapp.example.com`とします。

DNSサーバーは、ブラウザに特定の**IPアドレス**を使用するように指示します。このIPアドレスは、DNSサーバーで設定した、あなたのサーバーが使用するパブリックIPアドレスになります。

<img src="/img/deployment/https/https01.svg">

### TLS Handshake の開始

ブラウザはIPアドレスと**ポート443**（HTTPSポート）で通信します。

通信の最初の部分は、クライアントとサーバー間の接続を確立し、使用する暗号鍵などを決めるだけです。

<img src="/img/deployment/https/https02.svg">

TLS接続を確立するためのクライアントとサーバー間のこのやりとりは、**TLSハンドシェイク**と呼ばれます。

### Go 1.22

Go 1.22 adds a configurable limit to control the maximum acceptable RSA key size
that can be used in TLS handshakes, controlled by the [`tlsmaxrsasize` setting](/pkg/crypto/tls#Conn.Handshake).
The default is tlsmaxrsasize=8192, limiting RSA to 8192-bit keys. To avoid
denial of service attacks, this setting and default was backported to Go
1.19.13, Go 1.20.8, and Go 1.21.1.

    introduced in the 5.0.0-alpha.4 release.
 *  Fix: Don't ask `Dns` implementations to resolve strings that are already IP addresses.
 *  Fix: Change fast fallback to race TCP handshakes only. To avoid wasted work, OkHttp will not
    attempt multiple TLS handshakes for the same call concurrently.
 *  Fix: Don't crash loading the public suffix database in GraalVM native images. The function

                        </Array>
                    </mxGeometry>
                </mxCell>
                <mxCell id="104" value="&lt;span style=&quot;font-family: &amp;#34;roboto&amp;#34; ; font-size: 24px&quot;&gt;TLS Handshake&lt;/span&gt;" style="shape=hexagon;perimeter=hexagonPerimeter2;whiteSpace=wrap;html=1;fixedSize=1;strokeWidth=3;" parent="1" vertex="1">
                    <mxGeometry x="-110" y="300" width="230" height="80" as="geometry"/>

                        </Array>
                    </mxGeometry>
                </mxCell>
                <mxCell id="104" value="&lt;span style=&quot;font-family: &amp;#34;roboto&amp;#34; ; font-size: 24px&quot;&gt;TLS Handshake&lt;/span&gt;" style="shape=hexagon;perimeter=hexagonPerimeter2;whiteSpace=wrap;html=1;fixedSize=1;strokeWidth=3;" vertex="1" parent="1">
                    <mxGeometry x="-110" y="300" width="230" height="80" as="geometry"/>

    val server = MockWebServer()
    server.useHttps(handshakeCertificates.sslSocketFactory(), false)
    ```

    Get these strings with `HeldCertificate.certificatePem()` and `privateKeyPkcs8Pem()`.

 *  Fix: Handshake now returns peer certificates in canonical order: each certificate is signed by
    the certificate that follows and the last certificate is signed by a trusted root.

        .build()
    val request2 = Request.Builder().url(server.url("/")).build()
    val response2 = client.newCall(request2).execute()
    assertThat(response1.handshake).isNotSameAs(
      response2.handshake,
    )
    response2.body.close()
  }

  @Test
  fun unmatchingPinnedCertificate() {
    enableTls()
    server.enqueue(MockResponse())

                                    type: string
                                  sni:
                                    description: SNI string to present to the server
                                      during TLS handshake.
                                    type: string
                                  subjectAltNames:
                                    description: A list of alternate names to verify