HTTPStatusCode: http.StatusBadRequest,
	},
	ErrSTSInvalidClientCertificate: {
		Code:           "InvalidClientCertificate",
		Description:    "The provided client certificate is invalid. Retry with a different certificate.",
		HTTPStatusCode: http.StatusBadRequest,
	},
	ErrSTSNotInitialized: {
		Code:           "STSNotInitialized",
		Description:    "STS API not initialized, please try again.",

     * a line containing the cipher suite. Next is the length of the peer certificate chain. These
     * certificates are base64-encoded and appear each on their own line. The next line contains the
     * length of the local certificate chain. These certificates are also base64-encoded and appear
     * each on their own line. A length of -1 is used to encode a null array. The last line is

CERTIFICATE NAME                                         TYPE     STATUS           VALID CERT     SERIAL NUMBER                        NOT AFTER                NOT BEFORE
spiffe://cluster.local/ns/istio-system/sa/istiod         Leaf     Available        true           e5dfb59150b2ba7f108d93dcec5aa613     2033-03-22T13:04:57Z     2023-03-21T13:02:57Z

pilot:
  env:
    # 1.21 behavioral changes
    ENABLE_EXTERNAL_NAME_ALIAS: "false"
    PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true"
    VERIFY_CERTIFICATE_AT_CLIENT: "false"
    ENABLE_AUTO_SNI: "false"

    # 1.22 behavioral changes
    ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"

meshConfig:
  # 1.22 behavioral changes
  defaultConfig:
    proxyMetadata:
      ISTIO_DELTA_XDS: "false"
    tracing:

setting](/pkg/runtime#hdr-Environment_Variable). These stack traces have
non-standard semantics, see setting documentation for details.

Go 1.22 added a new [`crypto/x509.Certificate`](/pkg/crypto/x509/#Certificate)
field, [`Policies`](/pkg/crypto/x509/#Certificate.Policies), which supports
certificate policy OIDs with components larger than 31 bits. By default this
field is only used during parsing, when it is populated with policy OIDs, but

pilot:
  env:
    # 1.21 behavioral changes
    ENABLE_EXTERNAL_NAME_ALIAS: "false"
    PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true"
    VERIFY_CERTIFICATE_AT_CLIENT: "false"
    ENABLE_AUTO_SNI: "false"

    # 1.22 behavioral changes
    ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"

meshConfig:
  # 1.22 behavioral changes
  defaultConfig:
    proxyMetadata:

pilot:
  env:
    # 1.21 behavioral changes
    ENABLE_EXTERNAL_NAME_ALIAS: "false"
    PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true"
    VERIFY_CERTIFICATE_AT_CLIENT: "false"
    ENABLE_AUTO_SNI: "false"

    # 1.22 behavioral changes
    ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"

meshConfig:
  # 1.22 behavioral changes
  defaultConfig:
    proxyMetadata:

    if (routes == null || !routeMatchesAny(routes)) return false

    // 3. This connection's server certificate's must cover the new host.
    if (address.hostnameVerifier !== OkHostnameVerifier) return false
    if (!supportsUrl(address.url)) return false

    // 4. Certificate pinning must match the host.
    try {
      address.certificatePinner!!.check(address.url.host, handshake()!!.peerCertificates)

      mountPath: /var/run/secrets/workload-spiffe-uds
    - name: credential-socket
      mountPath: /var/run/secrets/credential-uds
    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
    - name: gke-workload-certificate
      mountPath: /var/run/secrets/workload-spiffe-credentials
      readOnly: true
    {{- else }}
    - name: workload-certs
      mountPath: /var/run/secrets/workload-spiffe-credentials
    {{- end }}

	DescribeIdentity(ctx context.Context, identity string) (*kes.IdentityInfo, error)

	// DescribeSelfIdentity describes the identity issuing the request.
	// It infers the identity from the TLS client certificate used to authenticate.
	// It returns the identity and policy information for the client identity.
	DescribeSelfIdentity(ctx context.Context) (*kes.IdentityInfo, *kes.Policy, error)

	// ListIdentities lists all identities.