}

// hasCustomTLSCerts returns the tls cert paths, used both if custom TLS certificates are configured via args or by mounting in well known.
// while tls args should still take precedence the aim is to encourage loading the DNS tls cert in the well known path locations.
func hasCustomTLSCerts(tlsOptions TLSOptions) (ok bool, tlsCertPath, tlsKeyPath, caCertPath string) {
	// load from tls args as priority
	if hasCustomTLSCertArgs(tlsOptions) {

		if tls.CaCrl != "" || tls.ServerCertificate != "" || tls.PrivateKey != "" || tls.CaCertificates != "" || tls.CredentialName != "" {
			// Warn for backwards compatibility
			v = AppendWarningf(v, "%v mode does not use certificates, they will be ignored", tls.Mode)
		}
	}

	if (tls.Mode == networking.ServerTLSSettings_SIMPLE || tls.Mode == networking.ServerTLSSettings_MUTUAL ||

#
# Assumed vars:
#   REPLICA_NAME
#   PROJECT
#   EXISTING_MASTER_NAME
#   EXISTING_MASTER_ZONE
#
# $1: etcd client port
# $2: etcd internal port
# $3: whether etcd communication should use mtls
# returns the result of ssh command which adds replica
function add-replica-to-etcd() {
  local -r client_port="${1}"
  local -r internal_port="${2}"
  local -r use_mtls="${3}"

  TLSARG=""

	// Types that are assignable to Destination:
	//
	//	*GatewayAddress_Hostname
	//	*GatewayAddress_Address
	Destination isGatewayAddress_Destination `protobuf_oneof:"destination"`
	// port to reach the gateway at for mTLS HBONE connections
	HboneMtlsPort uint32 `protobuf:"varint,3,opt,name=hbone_mtls_port,json=hboneMtlsPort,proto3" json:"hbone_mtls_port,omitempty"`
}

func (x *GatewayAddress) Reset() {
	*x = GatewayAddress{}

// license that can be found in the LICENSE file.

// Package tls partially implements TLS 1.2, as specified in RFC 5246,
// and TLS 1.3, as specified in RFC 8446.
package tls

// BUG(agl): The crypto/tls package only implements some countermeasures
// against Lucky13 attacks on CBC-mode encryption, and only on SHA1
// variants. See http://www.isg.rhul.ac.uk/tls/TLStiming.pdf and
// https://www.imperialviolet.org/2013/02/04/luckythirteen.html.

}

func newTLSConfig(getCert certs.GetCertificateFunc) *tls.Config {
	if getCert == nil {
		return nil
	}

	tlsConfig := &tls.Config{
		PreferServerCipherSuites: true,
		MinVersion:               tls.VersionTLS12,
		NextProtos:               []string{"http/1.1", "h2"},
		GetCertificate:           getCert,
		ClientSessionCache:       tls.NewLRUClientSessionCache(tlsClientSessionCacheSize),
	}

	}

	stsTLSConfig, err := xtls.Lookup(s[config.IdentityTLSSubSys][config.Default])
	if err != nil {
		iamLogIf(ctx, fmt.Errorf("Unable to initialize X.509/TLS STS API: %w", err), logger.WarningKind)
	}

	if stsTLSConfig.InsecureSkipVerify {
		iamLogIf(ctx, fmt.Errorf("Enabling %s is not recommended in a production environment", xtls.EnvIdentityTLSSkipVerify), logger.WarningKind)
	}

            `tf.function`, and graph modes. This gets rid of the need for users
            to manually call `Model._set_inputs` when using Custom Training
            Loops(CTLs).
        *   Dynamic shapes are supported for generators by calling the Model on
            the first batch we "peek" from the generator. This used to happen