if (maxIntermediateCas != -1) {
        result +=
          Extension(
            id = BASIC_CONSTRAINTS,
            critical = true,
            value =
              BasicConstraints(
                ca = true,
                maxIntermediateCas = maxIntermediateCas.toLong(),
              ),
          )
      }

      if (altNames.isNotEmpty()) {
        val extensionValue =
          altNames.map {

      Request.Builder()
        .url(url)
        .header("Accept-Language", "fr-CA")
        .build()
    val response1 = client.newCall(request).execute()
    assertThat(response1.body.string()).isEqualTo("A")
    val request1 =
      Request.Builder()
        .url(url)
        .header("Accept-Language", "fr-CA")
        .build()
    val response2 = client.newCall(request1).execute()

    assertThat(verifier.verify("\u82b1\u5b50.foo.com", session)).isFalse()
    assertThat(verifier.verify("a.b.foo.com", session)).isFalse()
  }

  @Test fun verifyWilcardCnOnTld() {
    // It's the CA's responsibility to not issue broad-matching certificates!
    // CN=*.co.jp
    val session =
      session(
        """
        -----BEGIN CERTIFICATE-----

        .cache(cache)
        .build()

    // Store a response in the cache.
    val url = server.url("/")
    val request1SentAt = System.currentTimeMillis()
    executeSynchronously("/", "Accept-Language", "fr-CA", "Accept-Charset", "UTF-8")
      .assertCode(200)
      .assertBody("A")
    val request1ReceivedAt = System.currentTimeMillis()
    assertThat(server.takeRequest().headers["If-None-Match"]).isNull()

    .build();
```

The TLS versions and cipher suites in each spec can change with each release. For example, in OkHttp 2.2 we dropped support for SSL 3.0 in response to the [POODLE](https://googleonlinesecurity.blogspot.ca/2014/10/this-poodle-bites-exploiting-ssl-30.html) attack. And in OkHttp 2.3 we dropped support for [RC4](https://en.wikipedia.org/wiki/RC4#Security). As with your desktop web browser, staying up-to-date with OkHttp is the best way to stay secure.

   *
   * If [routes] is non-null these are the resolved routes (ie. IP addresses) for the connection.
   * This is used to coalesce related domains to the same HTTP/2 connection, such as `square.com`
   * and `square.ca`.
   */
  fun callAcquirePooledConnection(
    doExtensiveHealthChecks: Boolean,
    address: Address,
    connectionUser: ConnectionUser,
    routes: List<Route>?,
    requireMultiplexed: Boolean,

      }
    }
  }

  /**
   * Not checking the CA bit created a vulnerability in old OkHttp releases. It is exploited by
   * triggering different chains to be discovered by the TLS engine and our chain cleaner. In this
   * attack there's several different chains.
   *
   *
   * The victim's gets a non-CA certificate signed by a CA, and pins the CA root and/or
   * intermediate. This is business as usual.
   *

bykle.no bytom.pl bz bz.it bzh báhcavuotna.no báhccavuotna.no báidár.no bájddar.no bálát.no bådåddjå.no båtsfjord.no bærum.no bø.nordland.no bø.telemark.no bømlo.no c.bg c.cdn77.org c.la c.se c66.me ca ca-central-1.elasticbeanstalk.com ca.eu.org ca.in ca.it ca.na ca.reclaim.cloud ca.us caa.aero caa.li cab cable-modem.org cadaques.museum cafe cafjs.com cagliari.it cahcesuolo.no cal cal.it calabria.it california.museum call caltanissetta.it calvinklein cam cam.it cambridge.museum camdvr.org...

bz
com.bz
net.bz
org.bz
edu.bz
gov.bz

// ca : https://en.wikipedia.org/wiki/.ca
ca
// ca geographical names
ab.ca
bc.ca
mb.ca
nb.ca
nf.ca
nl.ca
ns.ca
nt.ca
nu.ca
on.ca
pe.ca
qc.ca
sk.ca
yk.ca
// gc.ca: https://en.wikipedia.org/wiki/.gc.ca
// see also: http://registry.gc.ca/en/SubdomainFAQ
gc.ca

// cat : https://en.wikipedia.org/wiki/.cat
cat

          ),
        signatureValue =
          BitString(
            byteString = signatureBytes,
            unusedBitsCount = 0,
          ),
      ),
    )
  }

  @Test
  fun `decode CA certificate`() {
    val certificateBase64 =
      """
      |MIIE/zCCA+egAwIBAgIEUdNARDANBgkqhkiG9w0BAQsFADCBsDELMAkGA1UEBhMC
      |VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0