return
		}
		if sse, err = encrypt.NewSSEC(clientKey[:]); err != nil {
			return
		}
		opts.ServerSideEncryption = sse
		return
	}
	if crypto.S3.IsRequested(header) || (metadata != nil && crypto.S3.IsEncrypted(metadata)) {
		opts.ServerSideEncryption = encrypt.NewSSE()
	}

	return
}

// get ObjectOptions for GET calls from encryption headers

		Dsc:                  dsc,
		ExistingObjResync:    existingObjResync,
		TargetStatuses:       tgtStatuses,
		TargetPurgeStatuses:  purgeStatuses,
		ReplicationTimestamp: tm,
		SSEC:                 crypto.SSEC.IsEncrypted(oi.UserDefined),
		UserTags:             oi.UserTags,
	}
	if r.SSEC {
		r.Checksum = oi.Checksum
	}
	return r
}

      MockResponse
        .Builder()
        .inTunnel()
        .build(),
    )
    server.enqueue(MockResponse(body = "encrypted response from the origin server"))
    client =
      client
        .newBuilder()
        .proxy(server.proxyAddress)
        .sslSocketFactory(
          handshakeCertificates.sslSocketFactory(),
          handshakeCertificates.trustManager,

    /** Queries field name. */
    public static final String QUERIES = "queries";

    /** Virtual hosts field name. */
    public static final String VIRTUAL_HOSTS = "virtualHosts";

    /** Prefix for encrypted/ciphered values. */
    public static final String CIPHER_PREFIX = "{cipher}";

    /** System user identifier. */
    public static final String SYSTEM_USER = "system";

    /** Empty user ID placeholder. */

  * More reliable kube-up/kube-down
  * Enable ICMP Type 3 Code 4 for ELBs
  * ARP caching fix
  * Use /dev/xvdXX names
  * ELB:
    * ELB proxy protocol support 
	* mixed plaintext/encrypted ports support in ELBs
    * SSL support for ELB listeners
  * Allow VPC CIDR to be specified (experimental)
  * Fix problems with >2 security groups
* GCP:
  * Enable using gcr.io as a Docker registry mirror.

            dgst.update(oldHash);
        }
        dgst.update(input, off, len);
        return dgst.digest();
    }

    /**
     * Create encryption context for SMB3 encrypted communication
     *
     * @param sessionKey the session key from GSS-API authentication
     * @param preauthHash the pre-authentication integrity hash (SMB 3.1.1 only)
     * @return encryption context

		PreserveETag: srcObjInfo.ETag,
		UserDefined:  srcObjInfo.UserDefined,
	}
	if r.Target.Type == BatchJobReplicateResourceS3 || r.Source.Type == BatchJobReplicateResourceS3 {
		opts.VersionID = ""
	}
	if crypto.S3.IsEncrypted(srcObjInfo.UserDefined) {
		opts.ServerSideEncryption = encrypt.NewSSE()
	}
	slc := strings.Split(srcObjInfo.ETag, "-")
	if len(slc) == 2 {
		partsCount, err := strconv.Atoi(slc[1])
		if err != nil {

				return
			}

			wantSize := int64(-1)
			if actualSize >= 0 {
				info := ObjectInfo{Size: actualSize}
				wantSize = info.EncryptedSize()
			}

			// do not try to verify encrypted content/
			hashReader, err = hash.NewReader(ctx, reader, wantSize, "", "", actualSize)
			if err != nil {
				writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
				return
			}

		HTTPStatusCode: http.StatusNotFound,
	},
	ErrInsecureClientRequest: {
		Code:           "XMinioInsecureClientRequest",
		Description:    "Cannot respond to plain-text request from TLS-encrypted server",
		HTTPStatusCode: http.StatusBadRequest,
	},
	ErrRequestTimedout: {
		Code:           "RequestTimeout",

	// clean up the temporary test backend.
	removeRoots(append(erasureDisks, fsDir))
}

// ExecExtendedObjectLayerTest will execute the tests with combinations of encrypted & compressed.
// This can be used to test functionality when reading and writing data.
func ExecExtendedObjectLayerAPITest(t *testing.T, objAPITest objAPITestType, endpoints []string) {