// credentials and mapping client certificates to S3 policies.
type Config struct {
	Enabled bool `json:"enabled"`

	// InsecureSkipVerify, if set to true, disables the client
	// certificate verification. It should only be set for
	// debugging or testing purposes.
	InsecureSkipVerify bool `json:"skip_verify"`
}

const (
	defaultExpiry time.Duration = 1 * time.Hour
	minExpiry     time.Duration = 15 * time.Minute

					}
					return checkFields(c, called, "client")
				}
			},
		},
		{
			name: "InsecureSkipVerify",
			configureServer: func(config *Config, called *int) {
				config.ClientAuth = RequireAnyClientCert
				config.InsecureSkipVerify = true
				config.VerifyConnection = func(c ConnectionState) error {
					*called++
					if l := len(c.PeerCertificates); l != 1 {

		enableAutoSni            bool
		enableVerifyCertAtClient bool
		expectTLSContext         *tls.UpstreamTlsContext
	}{
		{
			name:        "With tls mode simple, InsecureSkipVerify is not specified and ca cert is supplied",
			cluster:     &cluster.Cluster{Name: "foo", ClusterDiscoveryType: &cluster.Cluster_Type{Type: cluster.Cluster_EDS}},
			clusterMode: DefaultClusterMode,

	CaCertFile string `protobuf:"bytes,18,opt,name=caCertFile,proto3" json:"caCertFile,omitempty"`
	// Skip verifying peer's certificate.
	InsecureSkipVerify bool `protobuf:"varint,19,opt,name=insecureSkipVerify,proto3" json:"insecureSkipVerify,omitempty"`
	// List of ALPNs to present. If not set, this will be automatically be set based on the protocol
	Alpn *Alpn `protobuf:"bytes,13,opt,name=alpn,proto3" json:"alpn,omitempty"`

					CaCertificates:  "test",
					SubjectAltNames: []string{"reviews.default.svc"},
					InsecureSkipVerify: &wrapperspb.BoolValue{
						Value: false,
					},
				},
			},
		}, valid: true},

		{name: "InsecureSkipVerify is set false with tls mode simple, and the ca cert is specified by CredentialName", in: &networking.DestinationRule{
			Host: "reviews",

	// that servers use if required to verify a client certificate
	// by the policy in ClientAuth.
	ClientCAs *x509.CertPool

	// InsecureSkipVerify controls whether a client verifies the server's
	// certificate chain and host name. If InsecureSkipVerify is true, crypto/tls
	// accepts any certificate presented by the server and any host name in that
	// certificate. In this mode, TLS is susceptible to machine-in-the-middle

func testVerifyCertificates(t *testing.T, version uint16) {
	tests := []struct {
		name string

		InsecureSkipVerify bool
		ClientAuth         ClientAuthType
		ClientCertificates bool
	}{
		{
			name: "defaults",
		},
		{
			name:               "InsecureSkipVerify",
			InsecureSkipVerify: true,
		},
		{
			name:       "RequestClientCert with no certs",
			ClientAuth: RequestClientCert,

func (s ConnSettings) NewRemoteTargetHTTPTransport(insecure bool) func() *http.Transport {
	tr := s.getDefaultTransport(0)

	tr.TLSHandshakeTimeout = 10 * time.Second
	tr.ResponseHeaderTimeout = 0
	tr.TLSClientConfig.InsecureSkipVerify = insecure

	return func() *http.Transport {
		return tr
	}

func (c *Conn) makeClientHello() (*clientHelloMsg, *keySharePrivateKeys, *echContext, error) {
	config := c.config
	if len(config.ServerName) == 0 && !config.InsecureSkipVerify {
		return nil, nil, nil, errors.New("tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config")
	}

	nextProtosLength := 0
	for _, proto := range config.NextProtos {
		if l := len(proto); l == 0 || l > 255 {

					}
					roundTripped = true
					return nil, http2noCachedConnError{}
				})
			},
		},
		DialTLS: func(_, _ string) (net.Conn, error) {
			tc, err := tls.Dial("tcp", addr, &tls.Config{
				InsecureSkipVerify: true,
				NextProtos:         []string{"foo"},
			})
			if err != nil {
				return nil, err
			}
			if err := tc.Handshake(); err != nil {
				return nil, err
			}
			return tc, nil
		},