Name:       wellknown.TransportSocketTLS,
			ConfigType: &core.TransportSocket_TypedConfig{TypedConfig: protoconv.MessageToAny(tlsContext)},
		}
	}
	istioAutodetectedMtls := tls != nil && tls.Mode == networking.ClientTLSSettings_ISTIO_MUTUAL &&
		mtlsCtxType == autoDetected
	if cb.sendHbone {
		cb.applyHBONETransportSocketMatches(c.cluster, tls, istioAutodetectedMtls)
	} else if c.cluster.GetType() != cluster.Cluster_ORIGINAL_DST {

					},
					Spec: &networking.DestinationRule{
						Host: "example.ns.svc.cluster.local",
						TrafficPolicy: &networking.TrafficPolicy{
							Tls: &networking.ClientTLSSettings{Mode: networking.ClientTLSSettings_ISTIO_MUTUAL},
						},
					},
				},
			},
			IsMtlsDisabled: false,
		},
		"mtls-off-innefective": {
			Config: config.Config{
				Meta: config.Meta{
					GroupVersionKind: gvk.DestinationRule,

func (c *mtlsChecker) checkMtlsEnabled(ep *model.IstioEndpoint, isWaypoint bool) bool {
	if drMode := c.destinationRule; drMode != nil {
		return *drMode == networkingapi.ClientTLSSettings_ISTIO_MUTUAL
	}

	// if endpoint has no sidecar or explicitly tls disabled by "security.istio.io/tlsMode" label.
	if ep.TLSMode != model.IstioMutualTLSModeLabel {
		return false
	}

	return authn.

	"istio.io/istio/pkg/test"
	"istio.io/istio/pkg/test/util/assert"
)

func TestApplyUpstreamTLSSettings(t *testing.T) {
	istioMutualTLSSettings := &networking.ClientTLSSettings{
		Mode:            networking.ClientTLSSettings_ISTIO_MUTUAL,
		SubjectAltNames: []string{"custom.foo.com"},
		Sni:             "custom.foo.com",
	}
	mutualTLSSettingsWithCerts := &networking.ClientTLSSettings{
		Mode:              networking.ClientTLSSettings_MUTUAL,

		},
		{
			desc: "tls-istio-mutual-no-certs",
			tls: &networkingAPI.ClientTLSSettings{
				Mode: networkingAPI.ClientTLSSettings_ISTIO_MUTUAL,
			},
			sni:          "i-should-be-sni",
			meta:         &model.BootstrapNodeMetadata{},

		name    string
		tlsMode networking.ClientTLSSettings_TLSmode
		meta    *core.Metadata
		want    *core.Metadata
	}{
		{
			name:    "ISTIO_MUTUAL TLS",
			tlsMode: networking.ClientTLSSettings_ISTIO_MUTUAL,
			meta:    nil,
			want:    nil,
		},
		{
			name:    "DISABLED TLS",
			tlsMode: networking.ClientTLSSettings_DISABLE,
			meta:    nil,
			want:    nil,
		},
		{

			expected: nil,
		},
		{
			testName: "envoy metrics tls",
			key:      "envoy_metrics_service_tls",
			option: option.EnvoyMetricsServiceTLS(&networkingAPI.ClientTLSSettings{
				Mode: networkingAPI.ClientTLSSettings_ISTIO_MUTUAL,
			}, &model.BootstrapNodeMetadata{}),

	"istio.io/istio/pilot/pkg/networking/util"
)

func TestApplyUpstreamProxyProtocol(t *testing.T) {
	istioMutualTLSSettings := &networking.ClientTLSSettings{
		Mode:            networking.ClientTLSSettings_ISTIO_MUTUAL,
		SubjectAltNames: []string{"custom.foo.com"},
		Sni:             "custom.foo.com",
	}
	mutualTLSSettingsWithCerts := &networking.ClientTLSSettings{
		Mode:              networking.ClientTLSSettings_MUTUAL,

							OutlierDetection: &v1alpha32.OutlierDetection{MinHealthPercent: 10},
							Tls:              &v1alpha32.ClientTLSSettings{Mode: v1alpha32.ClientTLSSettings_ISTIO_MUTUAL},
							PortLevelSettings: []*v1alpha32.TrafficPolicy_PortTrafficPolicy{
								{
									LoadBalancer: &v1alpha32.LoadBalancerSettings{

		return err
	}
	checkVerify := func(tls *networking.ClientTLSSettings) bool {
		if tls == nil {
			return false
		}
		if tls.Mode == networking.ClientTLSSettings_DISABLE || tls.Mode == networking.ClientTLSSettings_ISTIO_MUTUAL {
			return false
		}
		return tls.CaCertificates == "" && tls.CredentialName == "" && !tls.InsecureSkipVerify.GetValue()
	}
	checkSNI := func(tls *networking.ClientTLSSettings) bool {
		if tls == nil {