tlsVersion = TlsVersion.TLS_1_3,
        cipherSuite = CipherSuite.TLS_AES_128_GCM_SHA256,
        peerCertificates = listOf(serverCertificate.certificate, serverIntermediate.certificate),
        localCertificates = listOf(),
      )

    assertThat(handshake.tlsVersion).isEqualTo(TlsVersion.TLS_1_3)
    assertThat(handshake.cipherSuite).isEqualTo(CipherSuite.TLS_AES_128_GCM_SHA256)

  return Client(
    userAgent = "OkHttp",
    version = OkHttp.VERSION,
    enabled =
      ConnectionSpec.MODERN_TLS.cipherSuites!!.map {
        ianaSuites.fromJavaName(it.javaName)
      },
    supported =
      ConnectionSpec.COMPATIBLE_TLS.cipherSuites!!.map {
        ianaSuites.fromJavaName(it.javaName)
      },
  )
}

fun historicOkHttp(version: String): Client {
  val enabled =

    @JvmName("get")
    fun SSLSession.handshake(): Handshake {
      val cipherSuite =
        when (val cipherSuiteString = checkNotNull(cipherSuite) { "cipherSuite == null" }) {
          "TLS_NULL_WITH_NULL_NULL", "SSL_NULL_WITH_NULL_NULL" -> {
            throw IOException("cipherSuite == $cipherSuiteString")
          }
          else -> CipherSuite.forJavaName(cipherSuiteString)
        }

		unsealConfig = sio.Config{MinVersion: sio.Version20, Key: mac.Sum(nil), CipherSuites: fips.DARECiphers()}
	case InsecureSealAlgorithm:
		sha := sha256.New()
		sha.Write(extKey)
		sha.Write(sealedKey.IV[:])
		unsealConfig = sio.Config{MinVersion: sio.Version10, Key: sha.Sum(nil), CipherSuites: fips.DARECiphers()}
	}

			return nil, errMalformedECHConfig
		}
		var cipherSuites cryptobyte.String
		if !s.ReadUint16LengthPrefixed(&cipherSuites) {
			return nil, errMalformedECHConfig
		}
		for !cipherSuites.Empty() {
			var c echCipher
			if !cipherSuites.ReadUint16(&c.KDFID) {
				return nil, errMalformedECHConfig
			}
			if !cipherSuites.ReadUint16(&c.AEADID) {
				return nil, errMalformedECHConfig
			}

3DES cipher suites were removed from the default list used when
[Config.CipherSuites] is nil. The default can be reverted adding `tls3des=1` to

	keyMaterial = keyMaterial[ivLen:]
	serverIV = keyMaterial[:ivLen]
	return
}

func newFinishedHash(version uint16, cipherSuite *cipherSuite) finishedHash {
	var buffer []byte
	if version >= VersionTLS12 {
		buffer = []byte{}
	}

	prf, hash := prfAndHashForVersion(version, cipherSuite)
	if hash != 0 {
		return finishedHash{hash.New(), hash.New(), nil, nil, buffer, version, prf}
	}

	if dialContext == nil {
		dialContext = DialContextWithLookupHost(s.LookupHost, NewInternodeDialContext(s.DialTimeout, s.TCPOptions))
	}

	tlsClientConfig := tls.Config{
		RootCAs:            s.RootCAs,
		CipherSuites:       s.CipherSuites,
		CurvePreferences:   s.CurvePreferences,
		ClientSessionCache: tls.NewLRUClientSessionCache(tlsClientSessionCacheSize),
	}

	// For more details about various values used here refer

			expectedMTLSCipherSuites: SupportedCiphers,
		},
		{
			name: "Configure 1 MTLS cipher suite",
			mesh: meshconfig.MeshConfig{
				MeshMTLS: &meshconfig.MeshConfig_TLSConfig{
					CipherSuites: []string{"ECDHE-RSA-AES256-GCM-SHA384"},
				},
			},
			expectedMTLSCipherSuites: []string{"ECDHE-RSA-AES256-GCM-SHA384"},
		},
	}
	for i := range tests {
		tt := &tests[i]

"targetPort"
"httpsRedirect"
"serverCertificate"
"privateKey"
"caCertificates"
"credentialName"
"subjectAltNames"
"verifyCertificateSpki"
"verifyCertificateHash"
"minProtocolVersion"
"maxProtocolVersion"
"cipherSuites"
"trafficPolicy"
"subsets"
"exportTo"
"loadBalancer"
"connectionPool"
"outlierDetection"
"portLevelSettings"
"labels"
"http"
"consecutiveGatewayErrors"
"consecutive5xxErrors"
"interval"