private val sslExcludeFilter =
    Regex(
      buildString {
        append("^(?:")
        append(
          listOf(
            "Inaccessible trust store",
            "trustStore is",
            "Reload the trust store",
            "Reload trust certs",
            "Reloaded",
            "adding as trusted certificates",
            "Ignore disabled cipher suite",
            "Ignore unsupported cipher suite",

    level: Int,
    t: Throwable?,
  ) {
    if (level == WARN) {
      Log.w(Tag, message, t)
    } else {
      Log.i(Tag, message, t)
    }
  }

  /**
   * A trust manager for Android applications that customize the trust manager.
   *
   * This class exploits knowledge of Android implementation details. This class is potentially

 *
 * Supported on OpenJDK 8 via the JettyALPN-boot library or Conscrypt.
 *
 * Supported on OpenJDK 9+ via SSLParameters and SSLSocket features.
 *
 * ### Trust Manager Extraction
 *
 * Supported on Android 2.3+ and OpenJDK 7+. There are no public APIs to recover the trust
 * manager that was used to create an [SSLSocketFactory].
 *
 * Not supported by choice on JDK9+ due to access checks.
 *
 * ### Android Cleartext Permit Detection

Nevertheless, as the **application server** doesn't know it is behind a trusted **proxy**, by default, it wouldn't trust those headers.

But you can configure the **application server** to trust the *forwarded* headers sent by the **proxy**. If you are using FastAPI CLI, you can use the *CLI Option* `--forwarded-allow-ips` to tell it from which IPs it should trust those *forwarded* headers.

      )
    factory.init(null as KeyStore?)
    val trustManagers = factory.trustManagers!!
    check(trustManagers.size == 1 && trustManagers[0] is X509TrustManager) {
      "Unexpected default trust managers: ${trustManagers.contentToString()}"
    }
    return trustManagers[0] as X509TrustManager
  }

  override fun trustManager(sslSocketFactory: SSLSocketFactory): X509TrustManager =

    had a crash `IllegalArgumentException: Not a Conscrypt trust manager` because we depended on
    initialization order of companion objects.


## Version 4.7.1

_2020-05-18_

 *  Fix: Pass the right arguments in the trust manager created for `addInsecureHost()`. Without the
    fix insecure hosts crash with an `IllegalArgumentException` on Android.

    SSLContext sslContext = SSLContext.getInstance("TLS");
    sslContext.init(null, new TrustManager[] { trustManager }, null);

    return sslContext.getSocketFactory();
  }

  /** Returns a trust manager that trusts the VM's default certificate authorities. */
  private X509TrustManager defaultTrustManager() throws GeneralSecurityException {
    TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(

  /**
   * Returns a cleaned chain for [chain].
   *
   * This method throws if the complete chain to a trusted CA certificate cannot be constructed.
   * This is unexpected unless the trust root index in this class has a different trust manager than
   * what was used to establish [chain].
   */
  @Throws(SSLPeerUnverifiedException::class)
  override fun clean(
    chain: List<Certificate>,
    hostname: String,

sasl             (on|off)    set to 'on' to enable SASL authentication
tls              (on|off)    set to 'on' to enable TLS
tls_skip_verify  (on|off)    trust server TLS without verification, defaults to "on" (verify)
client_tls_cert  (path)      path to client certificate for mTLS auth
client_tls_key   (path)      path to client key for mTLS auth

    public static final int ACB_MNS = 32;
    /** Account control bit flag: Interdomain trust account */
    public static final int ACB_DOMTRUST = 64;
    /** Account control bit flag: Workstation trust account */
    public static final int ACB_WSTRUST = 128;
    /** Account control bit flag: Server trust account */
    public static final int ACB_SVRTRUST = 256;
    /** Account control bit flag: Password does not expire */