### Go 1.22

Go 1.22 adds a configurable limit to control the maximum acceptable RSA key size
that can be used in TLS handshakes, controlled by the [`tlsmaxrsasize` setting](/pkg/crypto/tls#Conn.Handshake).
The default is tlsmaxrsasize=8192, limiting RSA to 8192-bit keys. To avoid
denial of service attacks, this setting and default was backported to Go
1.19.13, Go 1.20.8, and Go 1.21.1.

    @Test
    void testService_NtlmAuth_Failure() throws Exception {
        ntlmServlet.init(servletConfig);
        setupMocksForAuth();

        // Return null from NtlmSsp.authenticate to simulate initial NTLM handshake
        try (MockedStatic<NtlmSsp> ntlmSspMock = Mockito.mockStatic(NtlmSsp.class)) {
            ntlmSspMock.when(() -> NtlmSsp.authenticate(any(), any(), any(), any())).thenReturn(null);

	public final fun getBody ()Lokio/Buffer;
	public final fun getBodySize ()J
	public final fun getChunkSizes ()Ljava/util/List;
	public final fun getFailure ()Ljava/io/IOException;
	public final fun getHandshake ()Lokhttp3/Handshake;
	public final fun getHeader (Ljava/lang/String;)Ljava/lang/String;
	public final fun getHeaders ()Lokhttp3/Headers;
	public final fun getMethod ()Ljava/lang/String;
	public final fun getPath ()Ljava/lang/String;

) {
  /**
   * Confirms that at least one of the certificates pinned for `hostname` is in `peerCertificates`.
   * Does nothing if there are no certificates pinned for `hostname`. OkHttp calls this after a
   * successful TLS handshake, but before the connection is used.
   *
   * @throws SSLPeerUnverifiedException if `peerCertificates` don't match the certificates pinned
   *     for `hostname`.
   */
  @Throws(SSLPeerUnverifiedException::class)

    /**
     * Attempts to obtain login credentials using SPNEGO authentication.
     *
     * This method processes the HTTP request to extract and validate SPNEGO
     * authentication tokens. It handles the SPNEGO handshake process and
     * extracts the user principal from successful authentication.
     *
     * @return The login credential containing the authenticated username,

<img src="/img/deployment/https/https01.drawio.svg">

### Начало TLS-рукопожатия { #tls-handshake-start }

Далее браузер будет общаться с этим IP‑адресом на **порту 443** (порт HTTPS).

Первая часть взаимодействия — установить соединение между клиентом и сервером и договориться о криптографических ключах и т.п.

    introduced in the 5.0.0-alpha.4 release.
 *  Fix: Don't ask `Dns` implementations to resolve strings that are already IP addresses.
 *  Fix: Change fast fallback to race TCP handshakes only. To avoid wasted work, OkHttp will not
    attempt multiple TLS handshakes for the same call concurrently.
 *  Fix: Don't crash loading the public suffix database in GraalVM native images. The function

        TlsVersion.TLS_1_3,
      ) // v1.2 on OpenJDK 8.
    val request1 = server.takeRequest()
    assertThat(tlsVersions).contains(request1.handshake?.tlsVersion)
    val request2 = server.takeRequest()
    assertThat(tlsVersions).contains(request2.handshake?.tlsVersion)
  }

  /**
   * Verify that we don't retry connections on certificate verification errors.
   *

        .post(AsyncRequestBody())
        .build()
    val call = client.newCall(request)
    call
      .timeout()
      .timeout(500, TimeUnit.MILLISECONDS) // Long enough for the first TLS handshake.
    call.execute().use { response ->
      val requestBody = (call.request().body as AsyncRequestBody?)!!.takeSink()
      val responseBody = response.body.source()
      assertThat(responseBody.readUtf8Line())

DNSサーバーは、ブラウザに特定の**IPアドレス**を使用するように指示します。このIPアドレスは、DNSサーバーで設定した、あなたのサーバーが使用するパブリックIPアドレスになります。

<img src="/img/deployment/https/https01.drawio.svg">

### TLS Handshake の開始

ブラウザはIPアドレスと**ポート443**（HTTPSポート）で通信します。

通信の最初の部分は、クライアントとサーバー間の接続を確立し、使用する暗号鍵などを決めるだけです。

<img src="/img/deployment/https/https02.drawio.svg">

TLS接続を確立するためのクライアントとサーバー間のこのやりとりは、**TLSハンドシェイク**と呼ばれます。