- Kubeadm: warn but do not error out on missing "ca.key" files for root CA, front-proxy CA and etcd CA, during "kubeadm join --control-plane" if the user has provided all certificates, keys and kubeconfig files which require signing with the given CA keys. ([#94988](https://github.com/kubernetes/kubernetes/pull/94988), [@neolit123](https://github.com/neolit123)) [SIG Cluster Lifecycle]

### Other (Cleanup or Flake)

    // If the problem was a CertificateException from the X509TrustManager, do not retry.
    e is SSLHandshakeException && e.cause is CertificateException -> false

    // e.g. a certificate pinning error.
    e is SSLPeerUnverifiedException -> false

    // Retry for all other SSL failures.
    e is SSLException -> true

    else -> false

 * certificate.
 *
 * Use of the chain cleaner is necessary to omit unexpected certificates that aren't relevant to
 * the TLS handshake and to extract the trusted CA certificate for the benefit of certificate
 * pinning.
 */
abstract class CertificateChainCleaner {
  @Throws(SSLPeerUnverifiedException::class)
  abstract fun clean(
    chain: List<Certificate>,
    hostname: String,
  ): List<Certificate>

  companion object {

import org.codelibs.fess.opensearch.client.SearchEngineClient;
import org.codelibs.fess.util.ComponentUtil;
import org.dbflute.mail.send.hook.SMailCallbackContext;
import org.lastaflute.core.mail.Postbox;

/**
 * Job for pinging search engine.
 */
public class PingSearchEngineJob {

    /**
     * Default constructor.
     */
    public PingSearchEngineJob() {
        // Default constructor
    }

    * ServicenameDelimiter string Delimiter to use to separate servicename from its configuration parameters Defaults "|"
    * OverrideSeparator string Delimiter to use to separate region of occurrence, url and signing region for each override Defaults to ","
    * ServiceOverrides string example: s3|region1, https://s3.foo.bar, some signing_region & ec2|region2, https://ec2.foo.bar, signing_region

      <groupId>com.squareup.okio</groupId>
      <artifactId>okio</artifactId>
      <version>1.0.1</version>
    </dependency>
    ```

 *  **New APIs to permit easy certificate pinning.** Be warned, certificate
    pinning is dangerous and could prevent your application from trusting your
    server!

 *  **Cache improvements.** This release fixes some severe cache problems

    )
    server.enqueue(MockResponse())
    assertFailsWith<SSLPeerUnverifiedException> {
      val response = execute(url)
      response.close()
    }
  }

  /** Can still coalesce when pinning is used if pins match.  */
  @Test
  fun coalescesWhenCertificatePinsMatch() {
    val pinner =
      CertificatePinner
        .Builder()
        .add("san.com", pin(certificate.certificate))
        .build()

     * If the host platform is compromised or misconfigured this may contain untrustworthy root
     * certificates. Applications that connect to a known set of servers may be able to mitigate
     * this problem with [certificate pinning][CertificatePinner].
     */
    fun addPlatformTrustedCertificates() =
      apply {
        val platformTrustManager = Platform.get().platformTrustManager()

 * Don't start a new attempt until 250 ms after the most recent attempt was started.
 * Keep whichever TCP connection succeeds first and cancel all the others.
 * Race TCP only. Only attempt a TLS handshake on the winning TCP connection.

* Removed alpha functionality that allowed the controller manager to approve kubelet server certificates. This functionality should be replaced by automating validation and approval of node server certificate signing requests. ([#62471](https://github.com/kubernetes/kubernetes/pull/62471), [@mikedanese](https://github.com/mikedanese))

#### Graduated to Stable/GA