env:
    # Setup more secure default that is off in 'default' only for backwards compatibility
    VERIFY_CERTIFICATE_AT_CLIENT: "true"
    ENABLE_AUTO_SNI: "true"

    PILOT_ENABLE_HBONE: "true"
    CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel"
    PILOT_ENABLE_AMBIENT_CONTROLLERS: "true"
cni:
  logLevel: info
  ambient:
    enabled: true

  env:
    # Setup more secure default that is off in 'default' only for backwards compatibility
    VERIFY_CERTIFICATE_AT_CLIENT: "true"
    ENABLE_AUTO_SNI: "true"

    PILOT_ENABLE_HBONE: "true"
    CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel"
    PILOT_ENABLE_AMBIENT_CONTROLLERS: "true"
cni:
  logLevel: info
  ambient:
    enabled: true

  env:
    # Setup more secure default that is off in 'default' only for backwards compatibility
    VERIFY_CERTIFICATE_AT_CLIENT: "true"
    ENABLE_AUTO_SNI: "true"

    PILOT_ENABLE_HBONE: "true"
    CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel"
    PILOT_ENABLE_AMBIENT_CONTROLLERS: "true"
variant: distroless
seLinuxOptions:

  env:
    PILOT_ENABLE_AMBIENT: "true"
    # Allow sidecars/ingress to send/receive HBONE. This is required for interop.
    PILOT_ENABLE_SENDING_HBONE: "true"
    PILOT_ENABLE_SIDECAR_LISTENING_HBONE: "true"
    CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel"
variant: distroless
seLinuxOptions:

  env:
    PILOT_ENABLE_AMBIENT: "true"
    # Allow sidecars/ingress to send/receive HBONE. This is required for interop.
    PILOT_ENABLE_SENDING_HBONE: "true"
    PILOT_ENABLE_SIDECAR_LISTENING_HBONE: "true"
    CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel"
variant: distroless
seLinuxOptions:

import okhttp3.internal.toCanonicalHost
import okio.ByteString
import okio.ByteString.Companion.decodeBase64
import okio.ByteString.Companion.toByteString

/**
 * Constrains which certificates are trusted. Pinning certificates defends against attacks on
 * certificate authorities. It also prevents connections through man-in-the-middle certificate
 * authorities either known or unknown to the application's user.

              // does nothing but delegate to this method.
              AbstractFuture<?> trusted = (AbstractFuture<?>) futureToPropagateTo;
              localValue = trusted.value;
              if (localValue == null | localValue instanceof SetFuture) {
                abstractFuture = trusted;
                continue; // loop back up and try to complete the new future
              }
            } else {

   *
   * This class exploits knowledge of Android implementation details. This class is potentially
   * much faster to initialize than [BasicTrustRootIndex] because it doesn't need to load and
   * index trusted CA certificates.
   */
  internal data class CustomTrustRootIndex(
    private val trustManager: X509TrustManager,
    private val findByIssuerAndSignatureMethod: Method,
  ) : TrustRootIndex {

		return
	}

	certificate := r.TLS.PeerCertificates[0]
	if !globalIAMSys.STSTLSConfig.InsecureSkipVerify { // Verify whether the client certificate has been issued by a trusted CA.
		_, err := certificate.Verify(x509.VerifyOptions{
			KeyUsages: []x509.ExtKeyUsage{
				x509.ExtKeyUsageClientAuth,
			},
			Roots: globalRootCAs,
		})
		if err != nil {

    version of the library.

5.  Our classes are not designed to protect against a malicious caller. You
    should not use them for communication between trusted and untrusted code.

6.  For the mainline flavor, we test the libraries using OpenJDK 8, 11, and 17
    on Linux, with some additional testing on newer JDKs and on Windows. Some