if (!platform.isConscrypt()) {
      assertThat(event.exception.message).isIn(
        "Unexpected handshake message: client_hello",
        "(unexpected_message) Unexpected handshake message: client_hello",
      )
    }
  }

  @Test
  @Throws(IOException::class)
  fun multipleConnectsForSingleCall() {
    enableTls()

        .build();

    try (Response response = client.newCall(request).execute()) {
      if (!response.isSuccessful()) throw new IOException("Unexpected code " + response);

      for (Certificate certificate : response.handshake().peerCertificates()) {
        System.out.println(CertificatePinner.pin(certificate));
      }
    }
  }

  public static void main(String... args) throws Exception {
    new CertificatePinning().run();
  }

        Response
          .Builder()
          .request(request)
          .protocol(Protocol.HTTP_1_1)
          .code(200)
          .message("OK")
          .build()
      val handshake =
        Handshake.get(
          tlsVersion = TlsVersion.TLS_1_3,
          cipherSuite = CipherSuite.TLS_AES_128_GCM_SHA256,
          peerCertificates = listOf(),
          localCertificates = listOf(),
        )

    application code that creates challenges.

 *  New: The `TlsVersion` of a `Handshake` is now non-null. If you are calling
    `Handshake.get()` with a null TLS version, you must instead now provide a
    non-null `TlsVersion`. Cache responses persisted prior to OkHttp 3.0 did not
    store a TLS version; for these unknown values the handshake is defaulted to
    `TlsVersion.SSL_3_0`.

 *  New: Upgrade to Okio 1.13.0.

    val cipherSuite = response1.handshake!!.cipherSuite
    val localCerts = response1.handshake!!.localCertificates
    val serverCerts = response1.handshake!!.peerCertificates
    val peerPrincipal = response1.handshake!!.peerPrincipal
    val localPrincipal = response1.handshake!!.localPrincipal
    val response2 = client.newCall(request).execute() // Cached!

    assertThat(cache.requestCount()).isEqualTo(2)
    assertThat(cache.networkCount()).isEqualTo(1)
    assertThat(cache.hitCount()).isEqualTo(1)

    assertThat(response.handshake!!.cipherSuite.javaName).startsWith("SLT_")
  }

  @Test
  fun truncatedMetadataEntry() {
    val response =
      testCorruptingCache {
        corruptMetadata {

HSPLokhttp3/EventListener;->secureConnectEnd(Lokhttp3/Call;Lokhttp3/Handshake;)V
HSPLokhttp3/EventListener;->secureConnectStart(Lokhttp3/Call;)V
HSPLokhttp3/Handshake$Companion$handshake$1;-><init>(Ljava/util/List;)V
HSPLokhttp3/Handshake$peerCertificates$2;-><init>(Lkotlin/jvm/functions/Function0;)V
HSPLokhttp3/Handshake;-><init>(Lokhttp3/TlsVersion;Lokhttp3/CipherSuite;Ljava/util/List;Lkotlin/jvm/functions/Function0;)V

      // No cached response.
      if (cacheResponse == null) {
        return CacheStrategy(request, null)
      }

      // Drop the cached response if it's missing a required handshake.
      if (request.isHttps && cacheResponse.handshake == null) {
        return CacheStrategy(request, null)
      }

      // If this response shouldn't have been stored, it should never be used as a response source.

import javax.net.ssl.SSLPeerUnverifiedException

/**
 * A certificate chain cleaner that uses a set of trusted root certificates to build the trusted
 * chain. This class duplicates the clean chain building performed during the TLS handshake. We
 * prefer other mechanisms where they exist, such as with
 * [okhttp3.internal.platform.AndroidPlatform.AndroidCertificateChainCleaner].
 *
 * This class includes code from [Conscrypt's][Conscrypt] [TrustManagerImpl] and

          }
          throw IOException("Unexpected code $response")
        }
        println(response.body.string())

        for (peerCertificate in response.handshake?.peerCertificates.orEmpty()) {
          println((peerCertificate as X509Certificate).subjectDN)
        }
      }
  }
}

fun main() {
  CustomTrust().run()