Security Providers
==================

## Provider Status

| Provider         | HTTP/2  | TLSv1.3      | Powered By      | Notes                                                        |
| :--------------- | :------ | :----------- | :-------------- | :----------------------------------------------------------- |
| JVM default      | Java 9+ | Java 11+     | [OpenJDK]       |                                                              |

        SSLContext.getInstance("TLS")
      else ->
        try {
          // Based on SSLSocket.getApplicationProtocol check we should
          // have TLSv1.3 if we request it.
          // See https://www.oracle.com/java/technologies/javase/8u261-relnotes.html
          SSLContext.getInstance("TLSv1.3")
        } catch (nsae: NoSuchAlgorithmException) {
          SSLContext.getInstance("TLS")
        }
    }
  }

  companion object {

    client.newCall(request).execute().use {
      assertThat(it.protocol).isEqualTo(Protocol.HTTP_2)
      if (it.handshake!!.tlsVersion != TlsVersion.TLS_1_3) {
        System.err.println("Flaky TLSv1.3 with google")
//    assertThat(it.handshake()!!.tlsVersion).isEqualTo(TlsVersion.TLS_1_3)
      }
    }
  }

  @Test
  fun testIfSupported() {
    assertThat(PlatformRule.isCorrettoSupported).isTrue()

    client.newCall(request).execute().use {
      assertThat(it.protocol).isEqualTo(Protocol.HTTP_2)
      if (it.handshake!!.tlsVersion != TlsVersion.TLS_1_3) {
        System.err.println("Flaky TLSv1.3 with google")
//    assertThat(it.handshake()!!.tlsVersion).isEqualTo(TlsVersion.TLS_1_3)
      }
    }
  }

  @Test
  fun testBuildIfSupported() {
    val actual = ConscryptPlatform.buildIfSupported()

    commitment was originally through December 31, 2020; we have since extended it.)

 *  **TLSv1 and TLSv1.1 are no longer enabled by default.** Major web browsers are working towards
    removing these versions altogether in early 2020. If your servers aren't ready yet you can
    configure OkHttp 3.13 to allow TLSv1 and TLSv1.1 connections:

    ```
    OkHttpClient client = new OkHttpClient.Builder()

    header. This means OkHttp's cache shouldn't be used on middleboxes that sit
    between user agents and the origin server.

 *  **TLS configuration updated.** OkHttp now explicitly enables TLSv1.2,
    TLSv1.1 and TLSv1.0 where they are supported. It will continue to perform
    only one fallback, to SSLv3. Applications can now configure this with the
    `ConnectionSpec` class.

    To disable TLS fallback:

  private val provider: Provider = Conscrypt.newProvider()

  // See release notes https://groups.google.com/forum/#!forum/conscrypt
  // for version differences
  override fun newSSLContext(): SSLContext =
    // supports TLSv1.3 by default (version api is >= 1.4.0)
    SSLContext.getInstance("TLS", provider)

  override fun platformTrustManager(): X509TrustManager {
    val trustManagers =

	return target.initOnce.Do(target.initNSQ)
}

func (target *NSQTarget) initNSQ() error {
	args := target.args

	config := nsq.NewConfig()
	if args.TLS.Enable {
		config.TlsV1 = true
		config.TlsConfig = &tls.Config{
			InsecureSkipVerify: args.TLS.SkipVerify,
		}
	}
	target.config = config

	producer, err := nsq.NewProducer(args.NSQDAddress.String(), config)
	if err != nil {

    val handshake = makeRequest(client)

    assertThat(handshake.cipherSuite).isIn(*expectedModernTls13CipherSuites.toTypedArray())

    // TODO: filter down to TLSv1.3 when only activated.
    // Probably something like
    // TLS_AES_128_GCM_SHA256
    // TLS_AES_256_GCM_SHA384
    // TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    // TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

### 1. Fetch the root identity

As the initial step, fetch the private key and certificate of the root identity:

```sh
curl -sSL --tlsv1.2 \
     -O 'https://raw.githubusercontent.com/minio/kes/master/root.key' \
     -O 'https://raw.githubusercontent.com/minio/kes/master/root.cert'
```

### 2. Set the MinIO-KES configuration

```sh