}{
		"insecure": {
			TLSConfig: &tls.Config{InsecureSkipVerify: true},
		},
		"secure, no roots": {
			TLSConfig:   &tls.Config{InsecureSkipVerify: false},
			ExpectError: "unknown authority|not trusted",
		},
		"secure with roots": {
			TLSConfig: &tls.Config{InsecureSkipVerify: false, RootCAs: roots},
		},
		"secure with mismatched server": {
			TLSConfig:   &tls.Config{InsecureSkipVerify: false, RootCAs: roots, ServerName: "bogus.com"},

			tlsConfig:         &tls.Config{InsecureSkipVerify: true},
			expectedTLSConfig: &tls.Config{InsecureSkipVerify: true},
			upgradeTransport:  nil,
		},
		"Basic TLSConfig and Proxier: no error": {
			tlsConfig:         &tls.Config{InsecureSkipVerify: true},
			proxier:           func(req *http.Request) (*url.URL, error) { return nil, nil },
			expectedTLSConfig: &tls.Config{InsecureSkipVerify: true},
			upgradeTransport:  nil,
		},

apiVersion: release-notes/v2
kind: feature
area: security
issue:
  - 33472
releaseNotes:
  - |

				klog.Warning("using custom dialer with no TLSClientConfig. Defaulting to InsecureSkipVerify")
				// tls.Handshake() requires ServerName or InsecureSkipVerify
				tlsConfig = &tls.Config{
					InsecureSkipVerify: true,
				}
			} else if len(tlsConfig.ServerName) == 0 && !tlsConfig.InsecureSkipVerify {
				// tls.HandshakeContext() requires ServerName or InsecureSkipVerify
				// infer the ServerName from the hostname we're connecting to.

  If undesired please use the new `compatibilityVersion` feature to fallback to old behavior, or `insecureSkipVerify`
  field in DestinationRule to skip the verification.
upgradeNotes:
- title: Default value of the feature flag `VERIFY_CERT_AT_CLIENT` is set to true
  content: |

				Generator:      "event",
				ServiceAccount: serviceAccount,
				Namespace:      ns,
				CloudrunAddr:   opts.IstiodAddr,
			}.ToStruct(),
			CertDir:            opts.CertDir,
			InsecureSkipVerify: opts.InsecureSkipVerify,
			XDSSAN:             opts.XDSSAN,
			GrpcOpts:           grpcOpts,
		},
	}, nil)
	if err != nil {
		return nil, fmt.Errorf("could not dial: %w", err)
	}
	err = adscConn.Run()

		CaCert:                  opts.TLS.CaCert,
		CertFile:                opts.TLS.CertFile,
		KeyFile:                 opts.TLS.KeyFile,
		CaCertFile:              opts.TLS.CaCertFile,
		InsecureSkipVerify:      opts.TLS.InsecureSkipVerify,
		Alpn:                    getProtoALPN(opts.TLS.Alpn),
		FollowRedirects:         opts.HTTP.FollowRedirects,
		ServerName:              opts.TLS.ServerName,

		"send http requests as HTTP2 with prior knowledge")
	rootCmd.PersistentFlags().BoolVar(&http3, "http3", false,
		"send http requests as HTTP 3")
	rootCmd.PersistentFlags().BoolVarP(&insecureSkipVerify, "insecure-skip-verify", "k", insecureSkipVerify,
		"do not verify TLS")
	rootCmd.PersistentFlags().BoolVar(&serverFirst, "server-first", false,
		"Treat as a server first protocol; do not send request until magic string is received")

// credentials and mapping client certificates to S3 policies.
type Config struct {
	Enabled bool `json:"enabled"`

	// InsecureSkipVerify, if set to true, disables the client
	// certificate verification. It should only be set for
	// debugging or testing purposes.
	InsecureSkipVerify bool `json:"skip_verify"`
}

const (
	defaultExpiry time.Duration = 1 * time.Hour
	minExpiry     time.Duration = 15 * time.Minute

	// CertDir is the local directory containing certificates
	CertDir string

	// Timeout is how long to wait before giving up on XDS
	Timeout time.Duration

	// InsecureSkipVerify skips client verification the server's certificate chain and host name.
	InsecureSkipVerify bool

	// XDSSAN is the expected Subject Alternative Name of the XDS server
	XDSSAN string

	// Plaintext forces plain text communication (for talking to port 15010)