.build()
    val request2 = Request.Builder().url(server.url("/")).build()
    val response2 = client.newCall(request2).execute()
    assertThat(response1.handshake).isNotSameAs(
      response2.handshake,
    )
    response2.body.close()
  }

  @Test
  fun unmatchingPinnedCertificate() {
    enableTls()
    server.enqueue(MockResponse())

	})
	t.Run("ROOT CA change", func(t *testing.T) {
		dir := mktemp()
		rootCertFileName := "root-cert.pem"

		// use a invalid root cert, XDS will fail with `authentication handshake failed`
		localRootCert := filepath.Join(env.IstioSrc, "./tests/testdata/local/etc/certs/root-cert.pem")
		if err := file.Copy(localRootCert, dir, rootCertFileName); err != nil {
			t.Fatalf("failed to init root CA: %v", err)

			ts.Config.WriteTimeout = timeout
			t.Logf("Server.Config.WriteTimeout = %v", timeout)
		})

		// The server's WriteTimeout parameter also applies to reads during the TLS
		// handshake. The client makes the last write during the handshake, and if
		// the server happens to time out during the read of that write, the client
		// may think that the connection was accepted even though the server thinks
		// it timed out.
		//

}

func (srv *Server) initialReadLimitSize() int64 {
	return int64(srv.maxHeaderBytes()) + 4096 // bufio slop
}

// tlsHandshakeTimeout returns the time limit permitted for the TLS
// handshake, or zero for unlimited.
//
// It returns the minimum of any positive ReadHeaderTimeout,
// ReadTimeout, or WriteTimeout.
func (srv *Server) tlsHandshakeTimeout() time.Duration {
	var ret time.Duration

	// cgo), to make sure none of that potential C code leaks fds.
	ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}))
	// quiet expected TLS handshake error "remote error: bad certificate"
	ts.Config.ErrorLog = log.New(io.Discard, "", 0)
	ts.StartTLS()
	defer ts.Close()
	_, err = http.Get(ts.URL)
	if err == nil {

                      CACertificateRefs contains one or more references to Kubernetes objects that
                      contain a PEM-encoded TLS CA certificate bundle, which is used to
                      validate a TLS handshake between the Gateway and backend Pod.


                      If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be

...

...

	if newf != nil {
		newf(sc)
	}

	s.state.registerConn(sc)
	defer s.state.unregisterConn(sc)

	// The net/http package sets the write deadline from the
	// http.Server.WriteTimeout during the TLS handshake, but then
	// passes the connection off to us with the deadline already set.
	// Write deadlines are set per stream in serverConn.newStream.
	// Disarm the net.Conn write deadline here.
	if sc.hs.WriteTimeout > 0 {