// Most secure but generally supported list.
    private val RESTRICTED_CIPHER_SUITES =
      listOf(
        // TLSv1.3.
        CipherSuite.TLS_AES_128_GCM_SHA256,
        CipherSuite.TLS_AES_256_GCM_SHA384,
        CipherSuite.TLS_CHACHA20_POLY1305_SHA256,
        // TLSv1.0, TLSv1.1, TLSv1.2.
        CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
        CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,

      }

      else -> {
        try {
          // Based on SSLSocket.getApplicationProtocol check we should
          // have TLSv1.3 if we request it.
          // See https://www.oracle.com/java/technologies/javase/8u261-relnotes.html
          SSLContext.getInstance("TLSv1.3")
        } catch (nsae: NoSuchAlgorithmException) {
          SSLContext.getInstance("TLS")
        }
      }
    }

  companion object {

    org.openjsse.net.ssl
      .OpenJSSE()

  // Selects TLSv1.3 so we are specific about our intended version ranges (not just 1.3)
  // and because it's a common pattern for VMs to have differences between supported and
  // defaulted versions for TLS based on what is requested.
  override fun newSSLContext(): SSLContext = SSLContext.getInstance("TLSv1.3", provider)

  override fun platformTrustManager(): X509TrustManager {

# Side Public License, v 1.
#

# forcing to use TLS1.2 to avoid failure in vault
# see https://github.com/hashicorp/vault/issues/8750#issuecomment-631236121
systemProp.jdk.tls.client.protocols=TLSv1.2

# java homes resolved by environment variables

    client.newCall(request).execute().use {
      assertThat(it.protocol).isEqualTo(Protocol.HTTP_2)
      if (it.handshake!!.tlsVersion != TlsVersion.TLS_1_3) {
        System.err.println("Flaky TLSv1.3 with google")
//    assertThat(it.handshake()!!.tlsVersion).isEqualTo(TlsVersion.TLS_1_3)
      }
    }
  }

  @Test
  fun testIfSupported() {
    assertThat(PlatformRule.isCorrettoSupported).isTrue()

  private val provider: Provider = Conscrypt.newProvider()

  // See release notes https://groups.google.com/forum/#!forum/conscrypt
  // for version differences
  override fun newSSLContext(): SSLContext =
    // supports TLSv1.3 by default (version api is >= 1.4.0)
    SSLContext.getInstance("TLS", provider)

  override fun platformTrustManager(): X509TrustManager {
    val trustManagers =
      TrustManagerFactory

    client.newCall(request).execute().use {
      assertThat(it.protocol).isEqualTo(Protocol.HTTP_2)
      if (it.handshake!!.tlsVersion != TlsVersion.TLS_1_3) {
        System.err.println("Flaky TLSv1.3 with google")
//    assertThat(it.handshake()!!.tlsVersion).isEqualTo(TlsVersion.TLS_1_3)
      }
    }
  }

  @Test
  fun testBuildIfSupported() {
    val actual = ConscryptPlatform.buildIfSupported()

    header. This means OkHttp's cache shouldn't be used on middleboxes that sit
    between user agents and the origin server.

 *  **TLS configuration updated.** OkHttp now explicitly enables TLSv1.2,
    TLSv1.1 and TLSv1.0 where they are supported. It will continue to perform
    only one fallback, to SSLv3. Applications can now configure this with the
    `ConnectionSpec` class.

    To disable TLS fallback:

### 1. Fetch the root identity

As the initial step, fetch the private key and certificate of the root identity:

```sh
curl -sSL --tlsv1.2 \
     -O 'https://raw.githubusercontent.com/minio/kes/master/root.key' \
     -O 'https://raw.githubusercontent.com/minio/kes/master/root.cert'
```

### 2. Set the MinIO-KES configuration

```sh

    val handshake = makeRequest(client)

    assertThat(handshake.cipherSuite).isIn(*expectedModernTls13CipherSuites.toTypedArray())

    // TODO: filter down to TLSv1.3 when only activated.
    // Probably something like
    // TLS_AES_128_GCM_SHA256
    // TLS_AES_256_GCM_SHA384
    // TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    // TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256