if (routes == null || !routeMatchesAny(routes)) return false

    // 3. This connection's server certificates must cover the new host.
    if (address.hostnameVerifier !== OkHostnameVerifier) return false
    if (!supportsUrl(address.url)) return false

    // 4. Certificate pinning must match the host.
    try {
      address.certificatePinner!!.check(address.url.host, handshake()!!.peerCertificates)

    val exception = IOException("Non-handshake exception")
    assertThat(retryTlsHandshake(exception)).isFalse()
  }

  @Test fun nonRetryableSSLHandshakeException() {
    val exception =
      SSLHandshakeException("Certificate handshake exception").apply {
        initCause(CertificateException())
      }
    assertThat(retryTlsHandshake(exception)).isFalse()
  }

  @Test fun retryableSSLHandshakeException() {

 * [okhttp-stats](https://github.com/flipkart-incubator/okhttp-stats): Get stats like average network speed.
 * [okhttp-system-keystore](https://github.com/charleskorn/okhttp-system-keystore): Use trusted certificates from the operating system keystore (Keychain on macOS, Certificate Store on Windows).
 * ⬜️ [Okio](https://github.com/square/okio/): A modern I/O API for Java.

pkg crypto/tls, type Dialer struct
pkg crypto/tls, type Dialer struct, Config *Config
pkg crypto/tls, type Dialer struct, NetDialer *net.Dialer
pkg crypto/x509, func CreateRevocationList(io.Reader, *RevocationList, *Certificate, crypto.Signer) ([]uint8, error)
pkg crypto/x509, type RevocationList struct
pkg crypto/x509, type RevocationList struct, ExtraExtensions []pkix.Extension
pkg crypto/x509, type RevocationList struct, NextUpdate time.Time

set FESS_JAVA_OPTS=%FESS_JAVA_OPTS% -Dlog4j2.disable.jmx=true
set FESS_JAVA_OPTS=%FESS_JAVA_OPTS% -Dlog4j2.formatMsgNoLookups=true
set FESS_JAVA_OPTS=%FESS_JAVA_OPTS% -Dlog4j.skipJansi=true

REM SSL truststore for certificate validation over https
REM FESS_JAVA_OPTS=%FESS_JAVA_OPTS% -Djavax.net.ssl.trustStore=/tech/elastic/config/truststore.jks
REM FESS_JAVA_OPTS=%FESS_JAVA_OPTS% -Djavax.net.ssl.trustStorePassword=changeit

          .addSubjectAlternativeName(hostname)
          .build()
      HandshakeCertificates
        .Builder()
        .heldCertificate(heldCertificate)
        .addTrustedCertificate(heldCertificate.certificate)
        .build()
    }
  private var acceptedHostName: String? = null

  @StartStop
  private val server = MockWebServer()

  @BeforeEach
  fun setUp() {
    // Test designed for Conscrypt and JSSE

import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.kerberos.KerberosKey;

/**
 * Utility class for calculating and verifying PAC (Privilege Attribute Certificate) message authentication codes.
 * This class provides methods for computing MACs using various Kerberos encryption types including
 * ARCFOUR-HMAC-MD5 and AES-based HMAC algorithms.
 */
public class PacMac {

    /**

 * limitations under the License.
 */
package okhttp3.tls.internal.der

import okio.Buffer
import okio.ByteString

/**
 * Encode and decode a model object like a [Long] or [Certificate] as DER bytes.
 */
internal interface DerAdapter<T> {
  /** Returns true if this adapter can read [header] in a choice. */
  fun matches(header: DerHeader): Boolean

  /**
   * Returns a value from this adapter.

provide the password via:

```
export MINIO_KMS_KES_KEY_PASSWORD=<your-password>
```

Note that MinIO only supports encrypted private keys - not encrypted certificates.
Certificates are no secrets and sent in plaintext as part of the TLS handshake.

## Explore Further

- [Use `mc` with MinIO Server](https://docs.min.io/community/minio-object-store/reference/minio-mc.html)

  /**
   * Returns true if the host and port are unchanged from when this was created. This is used to
   * detect if followups need to do a full connection-finding process including DNS resolution, and
   * certificate pin checks.
   */
  fun sameHostAndPort(url: HttpUrl): Boolean

  /**
   * A plan holds either an immediately-usable connection, or one that must be connected first.