"plan 0 cancel",
      "plan 1 TLS connecting...",
      "plan 1 TLS connected",
      "plan 2 TCP connecting...",
    )

    taskFaker.advanceUntil(270.ms)
    assertEvents(
      "plan 0 TCP connect canceled",
    )

    taskFaker.advanceUntil(280.ms)
    assertEvents(
      "plan 2 TCP connected",
      "plan 2 TLS connecting...",
      "plan 2 TLS connected",
    )

pkg context, var DeadlineExceeded error
pkg crypto/tls, const RenegotiateFreelyAsClient = 2
pkg crypto/tls, const RenegotiateFreelyAsClient RenegotiationSupport
pkg crypto/tls, const RenegotiateNever = 0
pkg crypto/tls, const RenegotiateNever RenegotiationSupport
pkg crypto/tls, const RenegotiateOnceAsClient = 1
pkg crypto/tls, const RenegotiateOnceAsClient RenegotiationSupport
pkg crypto/tls, type Config struct, DynamicRecordSizingDisabled bool

mountPath: {{ $casPath }} {{- end }} {{- end -}} {{/* Formats volume for MinIO TLS keys and trusted certs */}} {{- define "minio.tlsKeysVolume" -}} {{- if .Values.tls.enabled }} - name: cert-secret-volume secret: secretName: {{ .Values.tls.certSecret }} items: - key: {{ .Values.tls.publicCrt }} path: public.crt - key: {{ .Values.tls.privateKey }} path: private.key {{- end }} {{- if or .Values.tls.enabled (ne .Values.trustedCertsSecret "") }} {{- $certSecret := eq .Values.trustedCertsSecret "" | ternary ...

any effect.

Go 1.23 changed the default TLS cipher suites used by clients and servers when
not explicitly configured, removing 3DES cipher suites. The default can be reverted
using the [`tls3des` setting](/pkg/crypto/tls/#Config.CipherSuites).
This setting will be removed in Go 1.27.

Go 1.23 changed the behavior of [`tls.X509KeyPair`](/pkg/crypto/tls#X509KeyPair)
and [`tls.LoadX509KeyPair`](/pkg/crypto/tls#LoadX509KeyPair) to populate the

	tlsConfig, err := saramatls.NewConfig(h.kconfig.TLS.ClientTLSCert, h.kconfig.TLS.ClientTLSKey)
	if err != nil {
		return err
	}

	sconfig.Net.TLS.Enable = h.kconfig.TLS.Enable
	sconfig.Net.TLS.Config = tlsConfig
	sconfig.Net.TLS.Config.InsecureSkipVerify = h.kconfig.TLS.SkipVerify
	sconfig.Net.TLS.Config.ClientAuth = h.kconfig.TLS.ClientAuth
	sconfig.Net.TLS.Config.RootCAs = h.kconfig.TLS.RootCAs

  {{- end }}
spec:
  endpoints:
    {{- if .Values.tls.enabled }}
    - port: https
      scheme: https
      tlsConfig:
        ca:
          secret:
            name: {{ .Values.tls.certSecret }}
            key: {{ .Values.tls.publicCrt }}
        serverName: {{ template "minio.fullname" . }}
    {{- else }}
    - port: http
      scheme: http

		}

		kafkaArgs.TLS.Enable = getCfgVal(EnvKafkaTLS, k, kv.Get(KafkaTLS)) == config.EnableOn
		kafkaArgs.TLS.SkipVerify = getCfgVal(EnvKafkaTLSSkipVerify, k, kv.Get(KafkaTLSSkipVerify)) == config.EnableOn
		kafkaArgs.TLS.ClientAuth = tls.ClientAuthType(clientAuth)

		kafkaArgs.TLS.ClientTLSCert = getCfgVal(EnvKafkaClientTLSCert, k, kv.Get(KafkaClientTLSCert))

a connection to an HTTPS server, OkHttp needs to know which [TLS versions](https://square.github.io/okhttp/4.x/okhttp/okhttp3/-tls-version/) and [cipher suites](https://square.github.io/okhttp/4.x/okhttp/okhttp3/-cipher-suite/) to offer. A client that wants to maximize connectivity would include obsolete TLS versions and weak-by-design cipher suites. A strict client that wants to maximize security would be limited to only the latest TLS version and strongest cipher suites.

Specific security...

			if err != nil {
				return nil, err
			}
		}

		client, err := kms.NewClient(&kms.Config{
			Endpoints: endpoints,
			APIKey:    key,
			TLS: &tls.Config{
				MinVersion:         tls.VersionTLS12,
				ClientSessionCache: tls.NewLRUClientSessionCache(tlsClientSessionCacheSize),
				RootCAs:            rootCAs,
			},
		})
		if err != nil {
			return nil, err
		}

		return &KMS{

	"fmt"
	"io"
	"log"
	"net/http"
	"strings"
)

var (
	keyFile  string
	certFile string
)

func init() {
	flag.StringVar(&keyFile, "key-file", "", "Path to TLS cert key file")
	flag.StringVar(&certFile, "cert-file", "", "Path to TLS cert file")
}

func writeErrorResponse(w http.ResponseWriter, err error) {
	w.WriteHeader(http.StatusBadRequest)
	json.NewEncoder(w).Encode(map[string]string{