*/
  open fun configureTlsExtensions(
    sslSocket: SSLSocket,
    hostname: String?,
    protocols: List<@JvmSuppressWildcards Protocol>,
  ) {
  }

  /** Called after the TLS handshake to release resources allocated by [configureTlsExtensions]. */
  open fun afterHandshake(sslSocket: SSLSocket) {
  }

  /** Returns the negotiated protocol, or null if no protocol was negotiated. */

```
export MINIO_KMS_KES_KEY_PASSWORD=<your-password>
```

Note that MinIO only supports encrypted private keys - not encrypted certificates.
Certificates are no secrets and sent in plaintext as part of the TLS handshake.

## Explore Further

- [Use `mc` with MinIO Server](https://docs.min.io/community/minio-object-store/reference/minio-mc.html)

### Go 1.22

Go 1.22 adds a configurable limit to control the maximum acceptable RSA key size
that can be used in TLS handshakes, controlled by the [`tlsmaxrsasize` setting](/pkg/crypto/tls#Conn.Handshake).
The default is tlsmaxrsasize=8192, limiting RSA to 8192-bit keys. To avoid
denial of service attacks, this setting and default was backported to Go
1.19.13, Go 1.20.8, and Go 1.21.1.

     *
     * @return the dialectIndex
     */
    public int getDialectIndex() {
        return this.dialectIndex;
    }

    /**
     * Returns the server capabilities negotiated during the SMB handshake.
     *
     * @return the negotiated capabilities
     */
    public int getNegotiatedCapabilities() {
        return this.capabilities;
    }

    /**
     * Gets the negotiated send buffer size.

    @Test
    void testService_NtlmAuth_Failure() throws Exception {
        ntlmServlet.init(servletConfig);
        setupMocksForAuth();

        // Return null from NtlmSsp.authenticate to simulate initial NTLM handshake
        try (MockedStatic<NtlmSsp> ntlmSspMock = Mockito.mockStatic(NtlmSsp.class)) {
            ntlmSspMock.when(() -> NtlmSsp.authenticate(any(), any(), any(), any())).thenReturn(null);

	public final fun getBody ()Lokio/Buffer;
	public final fun getBodySize ()J
	public final fun getChunkSizes ()Ljava/util/List;
	public final fun getFailure ()Ljava/io/IOException;
	public final fun getHandshake ()Lokhttp3/Handshake;
	public final fun getHeader (Ljava/lang/String;)Ljava/lang/String;
	public final fun getHeaders ()Lokhttp3/Headers;
	public final fun getMethod ()Ljava/lang/String;
	public final fun getPath ()Ljava/lang/String;

) {
  /**
   * Confirms that at least one of the certificates pinned for `hostname` is in `peerCertificates`.
   * Does nothing if there are no certificates pinned for `hostname`. OkHttp calls this after a
   * successful TLS handshake, but before the connection is used.
   *
   * @throws SSLPeerUnverifiedException if `peerCertificates` don't match the certificates pinned
   *     for `hostname`.
   */
  @Throws(SSLPeerUnverifiedException::class)

    public fun trailers(trailers: Headers): Builder =
      apply {
        this.trailers_ = trailers.newBuilder()
      }

    /** Don't trust the client during the SSL handshake. */
    public fun failHandshake(): Builder =
      apply {
        failHandshake = true
      }

    /** Trigger [socketEffect] before the request headers are read. */

    /**
     * Attempts to obtain login credentials using SPNEGO authentication.
     *
     * This method processes the HTTP request to extract and validate SPNEGO
     * authentication tokens. It handles the SPNEGO handshake process and
     * extracts the user principal from successful authentication.
     *
     * @return The login credential containing the authenticated username,

<img src="/img/deployment/https/https01.drawio.svg">

### Начало TLS-рукопожатия { #tls-handshake-start }

Далее браузер будет общаться с этим IP‑адресом на **порту 443** (порт HTTPS).

Первая часть взаимодействия — установить соединение между клиентом и сервером и договориться о криптографических ключах и т.п.