square · yschimke · Jan 16, 2026 · Jan 16, 2026 · Jan 16, 2026 · Mar 15, 2026
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -299,11 +299,24 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        api-level:
-          - 21
-          - 23
-          - 29
-          - 34
+        include:
+          - api-level: 21
+            arch: x86
+            target: default
+          - api-level: 23
+            arch: x86
+            target: default
+          - api-level: 29
+            arch: x86
+            target: default
+          - api-level: 34
+            arch: x86_64
+            target: default
+          # API 37 only ships 16 KB page-size images; playstore_ps16k resolves to
+          # google_apis_playstore_ps16k. Quoted so YAML keeps the ".0".
+          - api-level: "37.0"
+            arch: x86_64
+            target: playstore_ps16k
 
     steps:
       - name: Checkout
@@ -338,7 +351,7 @@ jobs:
         uses: actions/cache@v5
         id: avd-cache
         with:
-          key: avd-${{ runner.os }}-${{ matrix.api-level }}-${{ matrix.api-level >= 30 && 'x86_64' || 'x86' }}
+          key: avd-${{ runner.os }}-${{ matrix.api-level }}-${{ matrix.target }}-${{ matrix.arch }}
           path: |
             ~/.android/avd/*
             ~/.android/adb*
@@ -351,7 +364,9 @@ jobs:
         with:
           api-level: ${{ matrix.api-level }}
           force-avd-creation: false
-          arch: ${{ matrix.api-level >= 30 && 'x86_64' || 'x86' }}
+          target: ${{ matrix.target }}
+          arch: ${{ matrix.arch }}
+          emulator-boot-timeout: 1200
           # No window, no audio, and use swiftshader for headless environments
           emulator-options: >
             -no-window
@@ -367,7 +382,19 @@ jobs:
         uses: reactivecircus/android-emulator-runner@v2
         with:
           api-level: ${{ matrix.api-level }}
-          arch: ${{ matrix.api-level == '34' && 'x86_64' || 'x86' }}
+          target: ${{ matrix.target }}
+          arch: ${{ matrix.arch }}
+          emulator-boot-timeout: 1200
+          # These must match the options used to create the snapshot above: the emulator only
+          # restores a cached snapshot when the boot options are identical. The action default
+          # includes -no-snapshot, which would otherwise force a slow cold boot.
+          emulator-options: >
+            -no-window
+            -gpu swiftshader_indirect
+            -noaudio
+            -no-boot-anim
+            -camera-back none
+            -memory 2048
           script: ./gradlew -PandroidBuild=true connectedCheck
         env:
           API_LEVEL: ${{ matrix.api-level }}
@@ -440,4 +467,3 @@ jobs:
 
       - name: Run with Jlink
         run: ./gradlew module-tests:imageRun -PokhttpModuleTests=true
-
diff --git a/android-test-app/build.gradle.kts b/android-test-app/build.gradle.kts
@@ -1,15 +1,14 @@
 @file:Suppress("UnstableApiUsage")
 
-import okhttp3.buildsupport.testJavaVersion
-
-
 plugins {
   id("okhttp.base-conventions")
   id("com.android.application")
 }
 
 android {
-  compileSdk = 36
+  compileSdk {
+    version = release(37)
+  }
 
   namespace = "okhttp.android.testapp"
 
@@ -18,7 +17,7 @@ android {
 
   defaultConfig {
     minSdk = 21
-    targetSdk = 36
+    targetSdk = 37
     testInstrumentationRunner = "androidx.test.runner.AndroidJUnitRunner"
   }
 

diff --git a/android-test-app/src/androidTest/kotlin/okhttp/android/testapp/PublicSuffixDatabaseTest.kt b/android-test-app/src/androidTest/kotlin/okhttp/android/testapp/PublicSuffixDatabaseTest.kt
@@ -15,15 +15,23 @@
  */
 package okhttp3.android
 
+import androidx.test.platform.app.InstrumentationRegistry
 import assertk.assertThat
 import assertk.assertions.isEqualTo
 import okhttp3.HttpUrl.Companion.toHttpUrl
+import okhttp3.OkHttp
+import org.junit.Before
 import org.junit.Test
 
 /**
  * Run with "./gradlew :android-test-app:connectedCheck -PandroidBuild=true" and make sure ANDROID_SDK_ROOT is set.
  */
 class PublicSuffixDatabaseTest {
+  @Before
+  fun setUp() {
+    OkHttp.initialize(InstrumentationRegistry.getInstrumentation().targetContext)
+  }
+
   @Test
   fun testTopLevelDomain() {
     assertThat("https://www.google.com/robots.txt".toHttpUrl().topPrivateDomain()).isEqualTo("google.com")

diff --git a/android-test/build.gradle.kts b/android-test/build.gradle.kts
@@ -8,7 +8,9 @@ plugins {
 }
 
 android {
-  compileSdk = 36
+  compileSdk {
+    version = release(37)
+  }
 
   namespace = "okhttp.android.test"
 
@@ -24,26 +26,16 @@ android {
     )
   }
 
-  if (androidBuild) {
-    sourceSets["androidTest"].java.srcDirs(
-      "../okhttp-brotli/src/test/java",
-      "../okhttp-dnsoverhttps/src/test/java",
-      "../okhttp-logging-interceptor/src/test/java",
-      "../okhttp-sse/src/test/java"
-    )
-  }
-
   compileOptions {
     targetCompatibility(JavaVersion.VERSION_11)
     sourceCompatibility(JavaVersion.VERSION_11)
   }
 
   testOptions {
-    targetSdk = 34
+    targetSdk = 37
     unitTests.isIncludeAndroidResources = true
   }
 
-
   // issue merging due to conflict with httpclient and something else
   packagingOptions.resources.excludes += setOf(
     "META-INF/DEPENDENCIES",
@@ -55,11 +47,25 @@ android {
   )
 }
 
+if (androidBuild) {
+  androidComponents {
+    onVariants(selector().all()) { variant ->
+      variant.androidTest?.sources?.java?.apply {
+        addStaticSourceDirectory("../okhttp-brotli/src/test/java")
+        addStaticSourceDirectory("../okhttp-dnsoverhttps/src/test/java")
+        addStaticSourceDirectory("../okhttp-logging-interceptor/src/test/java")
+        addStaticSourceDirectory("../okhttp-sse/src/test/java")
+      }
+    }
+  }
+}
+
 dependencies {
   implementation(libs.kotlin.reflect)
   implementation(libs.playservices.safetynet)
   "friendsImplementation"(projects.okhttp)
   "friendsImplementation"(projects.okhttpDnsoverhttps)
+  implementation(libs.androidx.activity)
 
   testImplementation(projects.okhttp)
   testImplementation(libs.junit)

diff --git a/android-test/src/androidTest/java/okhttp/android/test/EchTest.kt b/android-test/src/androidTest/java/okhttp/android/test/EchTest.kt
@@ -0,0 +1,63 @@
+/*
+ * Copyright (c) 2026 OkHttp Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package okhttp.android.test
+
+import assertk.assertThat
+import assertk.assertions.isNotNull
+import assertk.assertions.matchesPredicate
+import okhttp3.OkHttpClient
+import okhttp3.Request
+import okhttp3.Response
+import org.junit.jupiter.api.Tag
+import org.junit.jupiter.api.Test
+
+@Tag("Remote")
+class EchTest {
+
+  @Test
+  fun testHttpsRequest() {
+    val client: OkHttpClient =
+      OkHttpClient
+        .Builder()
+        .build()
+
+    val cloudflareEchBody =
+      client.sendRequest(Request.Builder().url("https://cloudflare-ech.com/").build()) {
+        it.body.string()
+      }
+    assertThat(cloudflareEchBody).matchesPredicate { it.contains("ECH enabled") }
+
+    val cloudflareBody = client.sendRequest(
+      Request.Builder().url("https://crypto.cloudflare.com/cdn-cgi/trace").build()
+    ) {
+      it.body.string()
+    }
+    assertThat(cloudflareBody).matchesPredicate { it.contains("ECH enabled") }
+
+    val tlsEchBody = client.sendRequest(Request.Builder().url("https://tls-ech.dev/").build()) {
+      it.body.string()
+    }
+    assertThat(tlsEchBody).matchesPredicate { it.contains("ECH enabled") }
+  }
+
+  private fun <T> OkHttpClient.sendRequest(request: Request, fn: (Response) -> T): T {
+    val response = newCall(request).execute()
+
+    return response.use {
+      fn(it)
+    }
+  }
+}
diff --git a/android-test/src/main/AndroidManifest.xml b/android-test/src/main/AndroidManifest.xml
@@ -4,6 +4,6 @@
   <uses-permission android:name="android.permission.INTERNET" />
   <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
 
-  <application android:usesCleartextTraffic="true" tools:targetApi="m"/>
+  <application android:usesCleartextTraffic="true" tools:targetApi="m" android:networkSecurityConfig="@xml/network_security_config"/>
 
 </manifest>
diff --git a/android-test/src/main/res/xml/network_security_config.xml b/android-test/src/main/res/xml/network_security_config.xml
@@ -2,4 +2,13 @@
 <network-security-config>
   <base-config cleartextTrafficPermitted="false">
   </base-config>
-</network-security-config>
+  <domain-config cleartextTrafficPermitted="true">
+    <domain includeSubdomains="false">localhost</domain>
+  </domain-config>
+  <domain-config>
+    <domain includeSubdomains="true">cloudflare-ech.com</domain>
+    <domain includeSubdomains="true">crypto.cloudflare.com</domain>
+    <domain includeSubdomains="true">tls-ech.dev</domain>
+    <domainEncryption mode="opportunistic" />
+  </domain-config>
+</network-security-config>
diff --git a/android-test/src/test/kotlin/okhttp/android/test/AndroidSocketAdapterTest.kt b/android-test/src/test/kotlin/okhttp/android/test/AndroidSocketAdapterTest.kt
@@ -58,7 +58,12 @@ class AndroidSocketAdapterTest(
     val sslSocket = socketFactory.createSocket() as SSLSocket
     assertTrue(adapter.matchesSocket(sslSocket))
 
-    adapter.configureTlsExtensions(sslSocket, null, listOf(HTTP_2, HTTP_1_1))
+    adapter.configureTlsExtensions(
+      call = null,
+      sslSocket = sslSocket,
+      hostname = null,
+      protocols = listOf(HTTP_2, HTTP_1_1)
+    )
     // not connected
     assertNull(adapter.getSelectedProtocol(sslSocket))
   }
@@ -89,7 +94,12 @@ class AndroidSocketAdapterTest(
       object : DelegatingSSLSocket(context.socketFactory.createSocket() as SSLSocket) {}
     assertFalse(adapter.matchesSocket(sslSocket))
 
-    adapter.configureTlsExtensions(sslSocket, null, listOf(HTTP_2, HTTP_1_1))
+    adapter.configureTlsExtensions(
+      call = null,
+      sslSocket = sslSocket,
+      hostname = null,
+      protocols = listOf(HTTP_2, HTTP_1_1)
+    )
     // not connected
     assertNull(adapter.getSelectedProtocol(sslSocket))
   }

diff --git a/android-test/src/test/resources/robolectric.properties b/android-test/src/test/resources/robolectric.properties
@@ -0,0 +1 @@
+sdk=36
diff --git a/build-logic/src/main/kotlin/okhttp.base-conventions.gradle.kts b/build-logic/src/main/kotlin/okhttp.base-conventions.gradle.kts
@@ -48,6 +48,13 @@ tasks.withType<KotlinCompile>().configureEach {
   friendPaths.from(friendsTestImplementation.incoming.artifactView { }.files)
 }
 
+tasks.withType<Test> {
+  if (testJavaVersion >= 9) {
+    // Fix for robolectric https://github.com/robolectric/robolectric/pull/10996
+    jvmArgs("--add-opens", "java.base/jdk.internal.access=ALL-UNNAMED")
+  }
+}
+
 val resolvableConfigurations = configurations.filter { it.isCanBeResolved }
 tasks.register("downloadDependencies") {
   description = "Download all dependencies to the Gradle cache"

diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -1,5 +1,5 @@
 [versions]
-agp = "9.1.1"
+agp = "9.2.0"
 amazon-corretto = "2.5.0"
 android-junit5 = "2.0.1"
 androidx-activity = "1.11.0"

diff --git a/mockwebserver-junit5/build.gradle.kts b/mockwebserver-junit5/build.gradle.kts
@@ -15,7 +15,6 @@ dependencies {
   compileOnly(libs.animalsniffer.annotations)
 
   testRuntimeOnly(libs.junit.jupiter.engine)
-  testImplementation(libs.kotlin.junit5)
   testImplementation(projects.okhttpTestingSupport)
   testImplementation(libs.assertk)
 }
diff --git a/mockwebserver/src/main/kotlin/mockwebserver3/MockWebServer.kt b/mockwebserver/src/main/kotlin/mockwebserver3/MockWebServer.kt
@@ -473,7 +473,12 @@ public class MockWebServer : Closeable {
           openClientSockets.add(sslSocket)
 
           if (protocolNegotiationEnabled) {
-            Platform.get().configureTlsExtensions(sslSocket, null, protocols)
+            Platform.get().configureTlsExtensions(
+              call = null,
+              sslSocket = sslSocket,
+              hostname = null,
+              protocols = protocols,
+            )
           }
 
           sslSocket.startHandshake()

diff --git a/mockwebserver/src/test/java/mockwebserver3/internal/http2/Http2Server.kt b/mockwebserver/src/test/java/mockwebserver3/internal/http2/Http2Server.kt
@@ -82,7 +82,12 @@ class Http2Server(
         true,
       ) as SSLSocket
     sslSocket.useClientMode = false
-    Platform.get().configureTlsExtensions(sslSocket, null, listOf(Protocol.HTTP_2))
+    Platform.get().configureTlsExtensions(
+      call = null,
+      sslSocket = sslSocket,
+      hostname = null,
+      protocols = listOf(Protocol.HTTP_2),
+    )
     sslSocket.startHandshake()
     return sslSocket
   }

diff --git a/native-image-tests/build.gradle.kts b/native-image-tests/build.gradle.kts
@@ -39,7 +39,6 @@ dependencies {
   testImplementation(projects.mockwebserver3Junit5)
   testImplementation(libs.assertk)
   testRuntimeOnly(libs.junit.jupiter.engine)
-  testImplementation(libs.kotlin.junit5)
   testImplementation(libs.junit.jupiter.params)
 }
 

diff --git a/okhttp-osgi-tests/build.gradle.kts b/okhttp-osgi-tests/build.gradle.kts
@@ -19,7 +19,6 @@ dependencies {
   testImplementation(projects.okhttpTestingSupport)
   testImplementation(libs.junit)
   testImplementation(libs.kotlin.test.common)
-  testImplementation(libs.kotlin.test.junit)
   testImplementation(libs.assertk)
 
   testImplementation(libs.aqute.resolve)