}

	// The Android Q linker started to complain about underalignment of the our TLS
	// section. We don't actually use the section on android, so don't
	// generate it.
	if buildcfg.GOOS != "android" {
		tlsg := ctxt.loader.LookupOrCreateSym("runtime.tlsg", 0)
		sb := ctxt.loader.MakeSymbolUpdater(tlsg)

		// runtime.tlsg is used for external linking on platforms that do not define

	R_PCREL
	// R_TLS_LE, used on 386, amd64, and ARM, resolves to the offset of the
	// thread-local symbol from the thread local base and is used to implement the
	// "local exec" model for tls access (r.Sym is not set on intel platforms but is
	// set to a TLS symbol -- runtime.tlsg -- in the linker when externally linking).
	R_TLS_LE
	// R_TLS_IE, used 386, amd64, and ARM resolves to the PC-relative offset to a GOT

	MOVD	_cgo_init(SB), R12
	CBZ	R12, nocgo

#ifdef GOOS_android
	MRS_TPIDR_R0			// load TLS base pointer
	MOVD	R0, R3			// arg 3: TLS base pointer
	MOVD	$runtime·tls_g(SB), R2 	// arg 2: &tls_g
#else
	MOVD	$0, R2		        // arg 2: not used when using platform's TLS
#endif
	MOVD	$setg_gcc<>(SB), R1	// arg 1: setg
	MOVD	g, R0			// arg 0: G

  listeners:
  - name: passthrough
    port: 34000
    protocol: TLS
    allowedRoutes:
      namespaces:
        from: All
    tls:
      mode: Passthrough
  - name: terminate
    hostname: "domain.example"
    port: 34000
    protocol: HTTPS
    allowedRoutes:
      namespaces:
        from: All
    tls:
      mode: Terminate
      certificateRefs:
      - name: my-cert-http

// license that can be found in the LICENSE file.

// Package tls partially implements TLS 1.2, as specified in RFC 5246,
// and TLS 1.3, as specified in RFC 8446.
package tls

// BUG(agl): The crypto/tls package only implements some countermeasures
// against Lucky13 attacks on CBC-mode encryption, and only on SHA1
// variants. See http://www.isg.rhul.ac.uk/tls/TLStiming.pdf and
// https://www.imperialviolet.org/2013/02/04/luckythirteen.html.

func getTLSDialOption(opts *TLSOptions) (grpc.DialOption, error) {
	rootCert, err := getRootCertificate(opts.RootCert)
	if err != nil {
		return nil, err
	}
	config := tls.Config{
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			var certificate tls.Certificate
			key, cert := opts.Key, opts.Cert
			if key != "" && cert != "" {
				isExpired, err := util.IsCertExpired(opts.Cert)
				if err != nil {

	// Is there a virtual service with a TLS block that matches us?
	hasTLSMatch := false

	lb := &ListenerBuilder{node: node, push: push}
	out := make([]*filterChainOpts, 0)
	for _, cfg := range configs {
		virtualService := cfg.Spec.(*v1alpha3.VirtualService)
		for _, tls := range virtualService.Tls {
			for _, match := range tls.Match {

//go:build boringcrypto

// Package fipstls allows control over whether crypto/tls requires FIPS-approved settings.
// This package only exists with GOEXPERIMENT=boringcrypto, but the effects are independent
// of the use of BoringCrypto.
package fipstls

import (
	"internal/stringslite"
	"sync/atomic"
)

var required atomic.Bool

// Force forces crypto/tls to restrict TLS configurations to FIPS-approved settings.

metadata:
  annotations:
    internal.istio.io/parents: TLSRoute/tls-match.default
    internal.istio.io/route-semantics: gateway
  creationTimestamp: null
  name: tls-match-tls-0-istio-autogenerated-k8s-gateway
  namespace: default
spec:
  gateways:
  - istio-system/gateway-istio-autogenerated-k8s-gateway-passthrough
  hosts:
  - foo.com
  tls:
  - match:
    - sniHosts:
      - foo.com
    route:

    parentRef:
      name: gateway
      namespace: istio-system
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata:
  creationTimestamp: null
  name: tls
  namespace: default
spec: null
status:
  parents:
  - conditions:
    - lastTransitionTime: fake
      message: Route was valid
      reason: Accepted
      status: "True"
      type: Accepted