}
      delegate!!.enabledCipherSuites = enabledCipherSuites.toTypedArray<String>()
    }
  }

  companion object {
    /**
     * The cipher suite used during TLS connection fallback to indicate a fallback. See
     * https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00
     */
    const val TLS_FALLBACK_SCSV = "TLS_FALLBACK_SCSV"
  }

import okhttp3.Call;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.mockwebserver.MockResponse;
import okhttp3.mockwebserver.MockWebServer;
import okhttp3.tls.HandshakeCertificates;
import okhttp3.tls.HeldCertificate;

/**
 * Create an HTTPS server with a self-signed certificate that OkHttp trusts.
 */
public class HttpsServer {
  public void run() throws Exception {

// See the License for the specific language governing permissions and
// limitations under the License.

package xds

// xds uses ADSC to call XDS

import (
	"context"
	"crypto/tls"
	"fmt"
	"strings"

	discovery "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v3"
	"google.golang.org/grpc"
	"google.golang.org/grpc/credentials"

	"istio.io/istio/istioctl/pkg/clioptions"

	peerCertificates := make([]*x509.Certificate, 0, len(r.TLS.PeerCertificates))
	for _, cert := range r.TLS.PeerCertificates {
		if cert.IsCA {
			continue
		}
		peerCertificates = append(peerCertificates, cert)
	}
	r.TLS.PeerCertificates = peerCertificates

	// Now, we have to check that the client has provided exactly one leaf
	// certificate that we can map to a policy.
	if len(r.TLS.PeerCertificates) == 0 {

 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package okhttp3

/**
 * Versions of TLS that can be offered when negotiating a secure socket. See
 * [javax.net.ssl.SSLSocket.setEnabledProtocols].
 */
enum class TlsVersion(
  @get:JvmName("javaName") val javaName: String,
) {
  TLS_1_3("TLSv1.3"), // 2016.

	if err != nil {
		return nil, fmt.Errorf("failed to get application default credentials: %w", err)
	}

	return []grpc.DialOption{
		grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{
			RootCAs:    systemRoots,
			MinVersion: tls.VersionTLS12,
		})),
		grpc.WithPerRPCCredentials(&meshAuthCredentials{
			k8sCreds: k8sCreds,
			gcpCreds: gcpCreds,
			project:  gcpProject,
		}),
	}, nil

    when {
      matchesSocket(sslSocket) -> Conscrypt.getApplicationProtocol(sslSocket)
      else -> null // No TLS extensions if the socket class is custom.
    }

  override fun configureTlsExtensions(
    sslSocket: SSLSocket,
    hostname: String?,
    protocols: List<Protocol>,
  ) {
    // No TLS extensions if the socket class is custom.
    if (matchesSocket(sslSocket)) {
      // Enable session tickets.

) {
  val method: String?
  val path: String?

  /**
   * The TLS handshake of the connection that carried this request, or null if the request was
   * received without TLS.
   */
  val handshake: Handshake?
  val requestUrl: HttpUrl?

  /**
   * Returns the name of the server the client requested via the SNI (Server Name Indication)
   * attribute in the TLS handshake. Unlike the rest of the HTTP exchange, this name is sent in

port: 14226
net: localhost

tls {
    cert_file:  "./testdata/contrib/certs/nats_server_cert.pem"
    key_file:   "./testdata/contrib/certs/nats_server_key.pem"
    ca_file:   "./testdata/contrib/certs/root_ca_cert.pem"
    verify_and_map: true
}
authorization {
    ADMIN = {
        publish = ">"
        subscribe = ">"
    }
    users = [
        {user: "CN=localhost,OU=Client,O=MinIO,C=CA", permissions: $ADMIN}
    ]

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package okhttp3.internal.tls

import java.security.GeneralSecurityException
import java.security.cert.Certificate
import java.security.cert.X509Certificate
import java.util.ArrayDeque
import java.util.Deque