of the sort.

  Next came an angry voice--the Rabbit's--`Pat! Pat!  Where are
you?'  And then a voice she had never heard before, `Sure then
I'm here!  Digging for apples, yer honour!'

  `Digging for apples, indeed!' said the Rabbit angrily.  `Here!
Come and help me out of THIS!'  (Sounds of more broken glass.)

  `Now tell me, Pat, what's that in the window?'

first connect fails. This is necessary for IPv4+IPv6 and services hosted in redundant data
centers. OkHttp supports modern TLS features (TLS 1.3, ALPN, certificate pinning). It can be
configured to fall back for broad connectivity.

Using OkHttp is easy. Its request/response API is designed with fluent builders and immutability. It

      // do not retry.
      if (e.cause is CertificateException) {
        return false
      }
    }
    if (e is SSLPeerUnverifiedException) {
      // e.g. a certificate pinning error.
      return false
    }
    // An example of one we might want to retry with a different route is a problem connecting to a

    // 3. This connection's server certificates must cover the new host.
    if (address.hostnameVerifier !== OkHostnameVerifier) return false
    if (!supportsUrl(address.url)) return false

    // 4. Certificate pinning must match the host.
    try {
      address.certificatePinner!!.check(address.url.host, handshake()!!.peerCertificates)
    } catch (_: SSLPeerUnverifiedException) {
      return false
    }

  /**
   * The HTTP <a href="http://tools.ietf.org/html/draft-evans-palmer-key-pinning">{@code
   * Public-Key-Pins}</a> header field name.
   *
   * @since 15.0
   */
  public static final String PUBLIC_KEY_PINS = "Public-Key-Pins";

  /**
   * The HTTP <a href="http://tools.ietf.org/html/draft-evans-palmer-key-pinning">{@code
   * Public-Key-Pins-Report-Only}</a> header field name.
   *
   * @since 15.0

 *  Fix: `CertificatePinner` now matches canonicalized hostnames. Previously
    this was case sensitive. This change should also make it easier to configure
    certificate pinning for internationalized domain names.
 *  Fix: Don’t crash on non-ASCII `ETag` headers. Previously OkHttp would reject
    these headers when validating a cached response.

    // Fails on 11.0.1 https://github.com/square/okhttp/issues/4703
    enableTls()
    server.enqueue(MockResponse())
    server.enqueue(MockResponse())

    // Make a first request without certificate pinning. Use it to collect certificates to pin.
    val request1 = Request.Builder().url(server.url("/")).build()
    val response1 = client.newCall(request1).execute()
    val certificatePinnerBuilder = CertificatePinner.Builder()

(errn uint64) TEXT ·kdsa(SB), NOSPLIT|NOFRAME, $0-24 MOVD fc+0(FP), R0 // function code MOVD params+8(FP), R1 // address parameter block loop: KDSA R0, R4 // compute digital signature authentication BVS loop // branch back if interrupted BGT retry // signing unsuccessful, but retry with new CSPRN BLT error // condition code of 1 indicates a failure success: MOVD $0, errn+16(FP) // return 0 - sign/verify was successful RET error: MOVD $1, errn+16(FP) // return 1 - sign/verify failed RET retry: MOVD $2,...

    /**
     * Sets the certificate pinner that constrains which certificates are trusted. By default HTTPS
     * connections rely on only the [SSL socket factory][sslSocketFactory] to establish trust.
     * Pinning certificates avoids the need to trust certificate authorities.
     */
    fun certificatePinner(certificatePinner: CertificatePinner) =
      apply {
        if (certificatePinner != this.certificatePinner) {

(errn uint64) TEXT ·kdsa(SB), NOSPLIT|NOFRAME, $0-24 MOVD fc+0(FP), R0 // function code MOVD params+8(FP), R1 // address parameter block loop: KDSA R0, R4 // compute digital signature authentication BVS loop // branch back if interrupted BGT retry // signing unsuccessful, but retry with new CSPRN BLT error // condition code of 1 indicates a failure success: MOVD $0, errn+16(FP) // return 0 - sign/verify was successful RET error: MOVD $1, errn+16(FP) // return 1 - sign/verify failed RET retry: MOVD $2,...