}
			time.Sleep(nextSleep)
		}
	}

	// Get the google.com chain, which should be valid on all platforms we
	// are testing
	c, err := tls.Dial("tcp", "google.com:443", &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		t.Fatalf("tls connection failed: %s", err)
	}
	googChain := c.ConnectionState().PeerCertificates

	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),

func testVerifyCertificates(t *testing.T, version uint16) {
	tests := []struct {
		name string

		InsecureSkipVerify bool
		ClientAuth         ClientAuthType
		ClientCertificates bool
	}{
		{
			name: "defaults",
		},
		{
			name:               "InsecureSkipVerify",
			InsecureSkipVerify: true,
		},
		{
			name:       "RequestClientCert with no certs",
			ClientAuth: RequestClientCert,

	certPool := x509.NewCertPool()
	ok := certPool.AppendCertsFromPEM(rootCert)
	if !ok {
		return nil, fmt.Errorf("failed to append certificates")
	}
	config := tls.Config{
		RootCAs:            certPool,
		InsecureSkipVerify: true, // nolint: gosec // test only code
	}
	transportCreds := credentials.NewTLS(&config)

	conn, err := grpc.Dial(endpoint, grpc.WithTransportCredentials(transportCreds))
	if err != nil {

	}

	if req.URL.Scheme == "https+insecure" {
		// Make shallow copy of request, and req.URL, so the request's URL can be
		// modified.
		r := *req
		*r.URL = *req.URL
		req = &r
		tlsConfig.InsecureSkipVerify = true
		req.URL.Scheme = "https"
	}

	transport := http.Transport{
		Proxy:           http.ProxyFromEnvironment,
		TLSClientConfig: tlsConfig,
	}

	return transport.RoundTrip(req)

	servers := sets.NewString(storageConfig.Transport.ServerList...)

	for _, overrides := range grOverrides {
		servers.Insert(overrides.etcdLocation...)
	}

	tlsConfig := &tls.Config{
		InsecureSkipVerify: true,
	}
	if len(storageConfig.Transport.CertFile) > 0 && len(storageConfig.Transport.KeyFile) > 0 {
		cert, err := tls.LoadX509KeyPair(storageConfig.Transport.CertFile, storageConfig.Transport.KeyFile)

// If disabled, redirects to other hosts will trigger a warning result.
func New(followNonLocalRedirects bool) Prober {
	tlsConfig := &tls.Config{InsecureSkipVerify: true}
	return NewWithTLSConfig(tlsConfig, followNonLocalRedirects)
}

// NewWithTLSConfig takes tls config as parameter.

func (s ConnSettings) NewRemoteTargetHTTPTransport(insecure bool) func() *http.Transport {
	tr := s.getDefaultTransport(0)

	tr.TLSHandshakeTimeout = 10 * time.Second
	tr.ResponseHeaderTimeout = 0
	tr.TLSClientConfig.InsecureSkipVerify = insecure

	return func() *http.Transport {
		return tr
	}

func (c *Conn) makeClientHello() (*clientHelloMsg, *keySharePrivateKeys, *echContext, error) {
	config := c.config
	if len(config.ServerName) == 0 && !config.InsecureSkipVerify {
		return nil, nil, nil, errors.New("tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config")
	}

	nextProtosLength := 0
	for _, proto := range config.NextProtos {
		if l := len(proto); l == 0 || l > 255 {

	}
	transport := http.DefaultTransport.(*http.Transport).Clone()
	// nolint: gosec
	// This is only when a user explicitly sets a flag to enable insecure mode
	transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
	return &HTTPFetcher{
		client: &http.Client{
			Timeout: requestTimeout,
		},
		insecureClient: &http.Client{
			Timeout:   requestTimeout,
			Transport: transport,
		},

	Cert, Key, CaCert string

	// Use the custom certificates file to make the call.
	CertFile, KeyFile, CaCertFile string

	// Skip verify peer's certificate.
	InsecureSkipVerify bool

	Alpn       []string
	ServerName string
}

type HBONE struct {
	Address string
	Headers http.Header
	// If non-empty, make the request with the corresponding cert and key.
	Cert string