xldap "github.com/minio/minio/internal/config/identity/ldap"
	"github.com/minio/minio/internal/config/identity/openid"
	idplugin "github.com/minio/minio/internal/config/identity/plugin"
	xtls "github.com/minio/minio/internal/config/identity/tls"
	"github.com/minio/minio/internal/config/ilm"
	"github.com/minio/minio/internal/config/lambda"
	"github.com/minio/minio/internal/config/notify"
	"github.com/minio/minio/internal/config/policy/opa"

}

func newTLSConfig(getCert certs.GetCertificateFunc) *tls.Config {
	if getCert == nil {
		return nil
	}

	tlsConfig := &tls.Config{
		PreferServerCipherSuites: true,
		MinVersion:               tls.VersionTLS12,
		NextProtos:               []string{"http/1.1", "h2"},
		GetCertificate:           getCert,
		ClientSessionCache:       tls.NewLRUClientSessionCache(tlsClientSessionCacheSize),
	}

	}

	stsTLSConfig, err := xtls.Lookup(s[config.IdentityTLSSubSys][config.Default])
	if err != nil {
		iamLogIf(ctx, fmt.Errorf("Unable to initialize X.509/TLS STS API: %w", err), logger.WarningKind)
	}

	if stsTLSConfig.InsecureSkipVerify {
		iamLogIf(ctx, fmt.Errorf("Enabling %s is not recommended in a production environment", xtls.EnvIdentityTLSSkipVerify), logger.WarningKind)
	}

			return cipherSuite
		}
	}
	return nil
}

// A list of cipher suite IDs that are, or have been, implemented by this
// package.
//
// See https://www.iana.org/assignments/tls-parameters/tls-parameters.xml
const (
	// TLS 1.0 - 1.2 cipher suites.
	TLS_RSA_WITH_RC4_128_SHA                      uint16 = 0x0005
	TLS_RSA_WITH_3DES_EDE_CBC_SHA                 uint16 = 0x000a

)

// TLS signaling cipher suite values
const (
	scsvRenegotiation uint16 = 0x00ff
)

// CurveID is the type of a TLS identifier for a key exchange mechanism. See
// https://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-8.
//
// In TLS 1.2, this registry used to support only elliptic curves. In TLS 1.3,

    hostname: "other.example"
    port: 34000
    protocol: HTTPS
    allowedRoutes:
      namespaces:
        from: All
    tls:
      mode: Terminate
      certificateRefs:
      - name: my-cert-http
      options:
        gateway.istio.io/tls-terminate-mode: MUTUAL
  - name: terminate-istio-mtls
    hostname: "egress.example"
    port: 34000
    protocol: HTTPS
    allowedRoutes:
      namespaces:

metadata:
  annotations:
    internal.istio.io/parents: TLSRoute/tls-match.default
    internal.istio.io/route-semantics: gateway
  creationTimestamp: null
  name: tls-match-tls-0-istio-autogenerated-k8s-gateway
  namespace: default
spec:
  gateways:
  - istio-system/gateway-istio-autogenerated-k8s-gateway-passthrough
  hosts:
  - foo.com
  tls:
  - match:
    - sniHosts:
      - foo.com
    route:

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: originate-mtls-for-egress-gateway
spec:
  host: {{ .EgressGatewayServiceName | default "istio-egressgateway" }}.{{ .EgressGatewayServiceNamespace | default "istio-system" }}.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL

kind: Gateway
metadata:
  name: istio-egressgateway
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 443
      name: mtls-tcp
      protocol: TLS
    hosts:
    - fake.external.com
    tls:

metadata:
  name: {{ .To.ServiceName }}
spec:
  selector:
    matchLabels:
      app: "{{ .To.ServiceName }}"
  mtls:
    mode: STRICT
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: {{ .To.ServiceName }}
spec:
  host: "{{ .To.ClusterLocalFQDN }}"
  trafficPolicy:
    tls: