*  Fix: Use the correct key size in the name of `TLS_AES_128_CCM_8_SHA256` which is a TLS 1.3
    cipher suite. We accidentally specified a key size of 256, preventing that cipher suite from
    being selected for any TLS handshakes. We didn't notice because this cipher suite isn't
    supported on Android, Java, or Conscrypt.

    We removed this cipher suite and `TLS_AES_128_CCM_SHA256` from the restricted, modern, and

 * limitations under the License.
 */
package okhttp3

import okhttp3.internal.format
import okio.Buffer
import okio.BufferedSource

/**
 * A test from the [Web Platform URL test suite](https://github.com/web-platform-tests/wpt/blob/master/url/resources/urltestdata.json).
 *
 * Each test is a line of the file `urltestdata.txt`. The format is informally specified by its

    .build();
```

### Debugging TLS Handshake Failures

The TLS handshake requires clients and servers to share a common TLS version and cipher suite. This
depends on the JVM or Android version, OkHttp version, and web server configuration. If there is no
common cipher suite and TLS version, your call will fail like this:

```
Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x7f2719a89e80:

      client.newCall(request).execute()
      fail<Any>("expected cleartext blocking")
    } catch (_: java.net.UnknownServiceException) {
    }
  }

  data class HowsMySslResults(
    val unknown_cipher_suite_supported: Boolean,
    val beast_vuln: Boolean,
    val session_ticket_supported: Boolean,
    val tls_compression_supported: Boolean,
    val ephemeral_keys_supported: Boolean,
    val rating: String,

      ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
        .cipherSuites(*arrayOf<CipherSuite>())
        .build()
    }.also { expected ->
      assertThat(expected.message)
        .isEqualTo("At least one cipher suite is required")
    }
  }

  @Test
  fun cleartextBuilder() {
    val cleartextSpec = ConnectionSpec.Builder(false).build()
    assertThat(cleartextSpec.isTls).isFalse()
  }

  @Test

     * followed by those lines.
     *
     * HTTPS responses also contain SSL session information. This begins with a blank line, and then
     * a line containing the cipher suite. Next is the length of the peer certificate chain. These
     * certificates are base64-encoded and appear each on their own line. The next line contains the

 *  New: Buffer WebSocket frames for better performance.
 *  New: Drop support for `TLS_DHE_DSS_WITH_AES_128_CBC_SHA`, our only remaining
    DSS cipher suite. This is consistent with Firefox and Chrome which have also
    dropped these cipher suite.

## Version 2.5.0

_2015-08-25_

 *  **Timeouts now default to 10 seconds.** Previously we defaulted to never

import org.junit.jupiter.api.Test
import org.junit.jupiter.api.extension.RegisterExtension

/**
 * Tests for our hostname verifier. Most of these tests are from AOSP, which itself includes tests
 * from the Apache HTTP Client test suite.
 */
class HostnameVerifierTest {
  private val verifier = OkHostnameVerifier

  @RegisterExtension
  var platform = PlatformRule()

  @Test fun verify() {
    val session = FakeSSLSession()

 *  New: Prefer the client's configured precedence order for TLS cipher suites. (OkHttp used to
    prefer the JDK’s precedence order.) This change may cause your HTTP calls to negotiate a
    different cipher suite than before! OkHttp's defaults cipher suites are selected for good
    security and performance.

 *  New: `ConnectionListener` publishes events for connects, disconnects, and use of pooled
    connections.

 * TLSv1

---

<a name="tlsv13_only"></a>
#### ¹ TLSv1.3 Only

Cipher suites that are only available with TLSv1.3.

<a name="http2_naughty"></a>
#### ² HTTP/2 Cipher Suite Denylist