PluginLogLevel string
	// The file mode to set when creating the kubeconfig file
	KubeconfigMode int
	// CA file for kubeconfig
	KubeCAFile string
	// Whether to use insecure TLS in the kubeconfig file
	SkipTLSVerify bool

	// Comma-separated list of K8S namespaces that CNI should ignore
	ExcludeNamespaces string

	// KUBERNETES_SERVICE_PROTOCOL
	K8sServiceProtocol string

  fun setUp() {
    platform.assumeConscrypt()
  }

  val context: SSLContext by lazy {
    val provider: Provider = Conscrypt.newProviderBuilder().provideTrustManager(true).build()

    SSLContext.getInstance("TLS", provider).apply {
      init(null, null, null)
    }
  }

  @ParameterizedTest
  @MethodSource("data")
  fun testMatchesSupportedSocket(adapter: SocketAdapter) {
    val socketFactory = context.socketFactory

import assertk.assertions.isEqualTo
import assertk.assertions.isNull
import java.io.IOException
import java.security.cert.Certificate
import kotlin.test.assertFailsWith
import okhttp3.Handshake.Companion.handshake
import okhttp3.tls.HeldCertificate
import org.junit.jupiter.api.Test

class HandshakeTest {
  val serverRoot =
    HeldCertificate.Builder()
      .certificateAuthority(1)
      .build()
  val serverIntermediate =

    between user agents and the origin server.

 *  **TLS configuration updated.** OkHttp now explicitly enables TLSv1.2,
    TLSv1.1 and TLSv1.0 where they are supported. It will continue to perform
    only one fallback, to SSLv3. Applications can now configure this with the
    `ConnectionSpec` class.

    To disable TLS fallback:

    ```java
    client.setConnectionSpecs(Arrays.asList(

import javax.net.ssl.SSLHandshakeException
import javax.net.ssl.SSLSocket
import okhttp3.ConnectionSpec
import okhttp3.OkHttpClientTestRule
import okhttp3.TestValueFactory
import okhttp3.TlsVersion
import okhttp3.tls.internal.TlsUtil.localhost
import org.junit.jupiter.api.AfterEach
import org.junit.jupiter.api.Test
import org.junit.jupiter.api.extension.RegisterExtension

class RetryConnectionTest {

		"Skip server certificate and domain verification. (NOT SECURE!)")
	cmd.PersistentFlags().BoolVar(&o.Plaintext, "plaintext", viper.GetBool("PLAINTEXT"),
		"Use plain-text HTTP/2 when connecting to server (no TLS).")
}

// ValidateControlPlaneFlags checks arguments for valid values and combinations
func (o *CentralControlPlaneOptions) ValidateControlPlaneFlags() error {
	if o.Xds != "" && o.XdsPodLabel != "" {

import okhttp3.internal.platform.AndroidPlatform
import okhttp3.internal.platform.Platform
import okhttp3.logging.LoggingEventListener
import okhttp3.testing.PlatformRule
import okhttp3.tls.HandshakeCertificates
import okhttp3.tls.internal.TlsUtil.localhost
import okio.ByteString.Companion.toByteString
import org.bouncycastle.jce.provider.BouncyCastleProvider
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider

### Inbound

Traffic entering a pod over HBONE will be handled by the "inbound" code path, on port 15008.

Incoming requests have multiple "layers": TLS wrapping HTTP CONNECT that is wrapping the user's connection.

To unwrap the first layer, we terminate TLS.
As part of this, we need to pick the correct certificate to serve on behalf of the destination workload.
As discussed in [HBONE](#hbone), this is based on the destination IP.

import org.mockserver.logging.MockServerLogger
import org.mockserver.model.HttpRequest.request
import org.mockserver.model.HttpResponse.response
import org.mockserver.proxyconfiguration.ProxyConfiguration
import org.mockserver.socket.tls.KeyStoreFactory
import org.testcontainers.containers.MockServerContainer
import org.testcontainers.junit.jupiter.Container
import org.testcontainers.junit.jupiter.Testcontainers

@Testcontainers
class BasicProxyTest {

- **Focus**:
  1. Authentication and authorization mechanisms.
  1. Interaction between security components and Istio control plane.
  1. Validation of mutual TLS (mTLS) configurations.
  1. Testing of JWT token validation and RBAC policies.
  1. Validation of certificate management and rotation.