*
 * The best way to improve the cache hit rate is by configuring the web server to return cacheable
 * responses. Although this client honors all [HTTP/1.1 (RFC 7234)][rfc_7234] cache headers, it
 * doesn't cache partial responses.
 *
 * ## Force a Network Response
 *
 * In some situations, such as after a user clicks a 'refresh' button, it may be necessary to skip

```

If you set an empty lookup bind password, the lookup bind will use the unauthenticated authentication mechanism, as described in [RFC 4513 Section 5.1.2](https://tools.ietf.org/html/rfc4513#section-5.1.2).

### User lookup

        + ", format="
        + key.getFormat()
        + "])";
  }

  /**
   * Returns a hash function implementing the CRC32C checksum algorithm (32 hash bits) as described
   * by RFC 3720, Section 12.1.
   *
   * <p>This function is best understood as a <a
   * href="https://en.wikipedia.org/wiki/Checksum">checksum</a> rather than a true <a

 * is similar policy for all of the 1.1 million Unicode code points. Note that some code points such
 * as "\ud83c\udf69" are not mapped and cannot be used in a hostname.
 *
 * [Punycode](http://ietf.org/rfc/rfc3492.txt) converts a Unicode string to an ASCII string to make
 * international domain names work everywhere. For example, "σ" encodes as "xn--4xa". The encoded

    change][remove_cbc_ecdsa] to remove these cipher suites because they are
    fragile and rarely-used.
 *  New: Don't fall back to common name (CN) verification for hostnames. This
    behavior was deprecated with RFC 2818 in May 2000 and was recently dropped
    from major web browsers.
 *  New: Honor the `Retry-After` response header. HTTP 503 (Unavailable)
    responses are retried automatically if this header is present and its delay

limits. The default value `updatemaxprocs=1` will enable periodic updates.
`updatemaxprocs=0` will disable periodic updates.

Go 1.25 disabled SHA-1 signature algorithms in TLS 1.2 according to RFC 9155.
The default can be reverted using the `tlssha1=1` setting.

Go 1.25 switched to SHA-256 to fill in missing SubjectKeyId in
crypto/x509.CreateCertificate. The setting `x509sha256skid=0` reverts to SHA-1.

     * @return the escaped filter string safe for use in LDAP queries (empty string if filter is null)
     * @see <a href="https://tools.ietf.org/html/rfc4515">RFC 4515 - LDAP String Representation of Search Filters</a>
     * @deprecated Use {@link LdapUtil#escapeValue(String)} instead
     */
    @Deprecated
    protected String escapeLDAPSearchFilter(final String filter) {

    /**
     * Configure this client to perform fast fallbacks by attempting multiple connections
     * concurrently, returning once any connection connects successfully.
     *
     * This implements Happy Eyeballs ([RFC 6555][rfc_6555]), balancing connect latency vs.
     * wasted resources.
     *
     * Defaults to enabled, call with [fastFallback] = false to revert to 4.x behaviour.
     *

newGCM(&GCM{}, cipher, gcmStandardNonceSize, gcmTagSize) if err != nil { return nil, err } return &GCMWithCounterNonce{g: *g}, nil } // NewGCMForTLS12 returns a new AEAD that works like GCM, but enforces the // construction of nonces as specified in RFC 5288, Section 3 and RFC 9325, // Section 7.2.1. // // This complies with FIPS 140-3 IG C.H Scenario 1.a. func NewGCMForTLS12(cipher *aes.Block) (*GCMWithCounterNonce, error) { g, err := newGCM(&GCM{}, cipher, gcmStandardNonceSize, gcmTagSize) if err != nil { return...

nonce, ciphertext, data []byte) ([]byte, error) { fips140.RecordApproved() return g.g.Open(dst, nonce, ciphertext, data) } // NewGCMForTLS12 returns a new AEAD that works like GCM, but enforces the // construction of nonces as specified in RFC 5288, Section 3 and RFC 9325, // Section 7.2.1. // // This complies with FIPS 140-3 IG C.H Scenario 1.a. func NewGCMForTLS12(cipher *aes.Block) (*GCMForTLS12, error) { g, err := newGCM(&GCM{}, cipher, gcmStandardNonceSize, gcmTagSize) if err != nil { return nil,...