import okhttp3.mockwebserver.PushPromise
import okhttp3.mockwebserver.QueueDispatcher
import okhttp3.mockwebserver.RecordedRequest
import okhttp3.mockwebserver.SocketPolicy
import okhttp3.tls.HandshakeCertificates
import okhttp3.tls.HeldCertificate
import okhttp3.tls.internal.TlsUtil.localhost
import okio.Buffer
import okio.BufferedSink
import okio.BufferedSource
import okio.ByteString
import okio.Timeout
import org.junit.jupiter.api.AfterEach

```
--sftp="address=:3022"
```

### TLS (FTP)

Unlike SFTP server, FTP server is insecure by default. To operate under TLS mode, you need to provide certificates via

```
--ftp="tls-private-key=path/to/private.key" --ftp="tls-public-cert=path/to/public.crt"
```

> NOTE: if MinIO distributed setup is already configured to run under TLS, FTP will automatically use the relevant

    return suites.firstOrNull {
      it.name == javaName || it.name == "TLS_${javaName.drop(4)}"
    } ?: throw IllegalArgumentException("No such suite: $javaName")
  }
}

suspend fun fetchIanaSuites(okHttpClient: OkHttpClient): IanaSuites {
  val url = "https://www.iana.org/assignments/tls-parameters/tls-parameters-4.csv"

  val call = okHttpClient.newCall(Request(url.toHttpUrl()))

  val suites =

  return Client(
    userAgent = "OkHttp",
    version = OkHttp.VERSION,
    enabled =
      ConnectionSpec.MODERN_TLS.cipherSuites!!.map {
        ianaSuites.fromJavaName(it.javaName)
      },
    supported =
      ConnectionSpec.COMPATIBLE_TLS.cipherSuites!!.map {
        ianaSuites.fromJavaName(it.javaName)
      },
  )
}

fun historicOkHttp(version: String): Client {
  val enabled =

This setting will be removed in a future release, Go 1.24 at the earliest.

Go 1.22 changed the default minimum TLS version supported by both servers
and clients to TLS 1.2. The default can be reverted to TLS 1.0 using the
[`tls10server` setting](/pkg/crypto/tls/#Config).

Go 1.22 changed the default TLS cipher suites used by clients and servers when
not explicitly configured, removing the cipher suites which used RSA based key

   * requests on the same socket, and server-push. HTTP/1.1 semantics are layered on HTTP/2.
   *
   * HTTP/2 requires deployments of HTTP/2 that use TLS 1.2 support
   * [CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256], present in Java 8+ and Android 5+.
   * Servers that enforce this may send an exception message including the string
   * `INADEQUATE_SECURITY`.
   */
  HTTP_2("h2"),

  optional int32 expirationSeconds = 8;

  // usages specifies a set of key usages requested in the issued certificate.
  //
  // Requests for TLS client certificates typically request: "digital signature", "key encipherment", "client auth".
  //
  // Requests for TLS serving certificates typically request: "key encipherment", "digital signature", "server auth".
  //
  // Valid values are:

import okhttp3.internal.connection.RouteDatabase
import okhttp3.internal.connection.RoutePlanner
import okhttp3.internal.http.RealInterceptorChain
import okhttp3.internal.http.RecordingProxySelector
import okhttp3.tls.HandshakeCertificates
import okhttp3.tls.internal.TlsUtil.localhost

/**
 * OkHttp is usually tested with functional tests: these use public APIs to confirm behavior against

  // +optional
  optional IngressBackend backend = 1;

  // tls represents the TLS configuration. Currently the Ingress only supports a
  // single TLS port, 443. If multiple members of this list specify different hosts,
  // they will be multiplexed on the same port according to the hostname specified
  // through the SNI TLS extension, if the ingress controller fulfilling the
  // ingress supports SNI.
  // +optional

          return tunnelResult
        }
      }

      if (route.address.sslSocketFactory != null) {
        // Assume the server won't send a TLS ServerHello until we send a TLS ClientHello. If
        // that happens, then we will have buffered bytes that are needed by the SSLSocket!
        // This check is imperfect: it doesn't tell us whether a handshake will succeed, just