From 6a0c2216fdfb4b44cfb683fd11ea2dd7859a1025 Mon Sep 17 00:00:00 2001 From: Matt Klein Date: Sat, 22 Jun 2019 10:41:23 -0700 Subject: [PATCH 1/5] forward proxy: per host SNI and SAN verification 1) Implement auto SAN/SNI setting on a per-host basis. 2) Clean up some v1 config translation. Part of https://github.com/envoyproxy/envoy/issues/1606 
Signed-off-by: Matt Klein --- .../dynamic_forward_proxy_filter.rst | 10 +- .../intro/arch_overview/http/http_proxy.rst | 2 + include/envoy/upstream/upstream.h | 1 - source/common/config/tls_context_json.cc | 14 -- source/common/config/tls_context_json.h | 9 -- .../clusters/dynamic_forward_proxy/cluster.cc | 142 ++++++++++++++++-- .../clusters/dynamic_forward_proxy/cluster.h | 5 + .../common/dynamic_forward_proxy/dns_cache.h | 6 + .../dynamic_forward_proxy/dns_cache_impl.cc | 22 ++- .../dynamic_forward_proxy/dns_cache_impl.h | 11 +- .../tls/context_config_impl.cc | 11 -- .../tls/context_config_impl.h | 3 - test/config/integration/certs/cacert.pem | 42 +++--- test/config/integration/certs/cakey.pem | 50 +++--- .../integration/certs/client_ecdsacert.pem | 40 ++--- .../integration/certs/client_ecdsacert_hash.h | 4 +- .../integration/certs/client_ecdsakey.pem | 6 +- test/config/integration/certs/clientcert.pem | 48 +++--- .../integration/certs/clientcert_hash.h | 4 +- test/config/integration/certs/clientkey.pem | 50 +++--- .../integration/certs/server_ecdsacert.pem | 40 ++--- .../integration/certs/server_ecdsacert_hash.h | 4 +- .../integration/certs/server_ecdsakey.pem | 6 +- test/config/integration/certs/servercert.pem | 48 +++--- .../integration/certs/servercert_hash.h | 4 +- test/config/integration/certs/serverkey.pem | 50 +++--- .../integration/certs/upstreamcacert.pem | 43 +++--- .../integration/certs/upstreamcakey.pem | 50 +++--- .../config/integration/certs/upstreamcert.cfg | 1 + .../config/integration/certs/upstreamcert.pem | 46 +++--- .../integration/certs/upstreamcert_hash.h | 4 +- test/config/integration/certs/upstreamkey.pem | 50 +++--- .../common/dynamic_forward_proxy/mocks.h | 1 + .../filters/http/dynamic_forward_proxy/BUILD | 3 + .../proxy_filter_integration_test.cc | 68 ++++++++- test/integration/xfcc_integration_test.cc | 16 +- 36 files changed, 542 insertions(+), 372 deletions(-) 
diff --git a/docs/root/configuration/http_filters/dynamic_forward_proxy_filter.rst b/docs/root/configuration/http_filters/dynamic_forward_proxy_filter.rst index 80c569ae5a3e3..a627ce3d21202 100644 --- a/docs/root/configuration/http_filters/dynamic_forward_proxy_filter.rst +++ b/docs/root/configuration/http_filters/dynamic_forward_proxy_filter.rst @@ -25,14 +25,12 @@ HTTP dynamic forward proxy. ` parameter has been set to true to allow Envoy to proxy absolute HTTP URLs. -.. attention:: +.. note:: - While configuring a :ref:`tls_context ` on the cluster with + Configuring a :ref:`tls_context ` on the cluster with *trusted_ca* certificates instructs Envoy to use TLS when connecting to upstream hosts and verify - the certificate chain, currently it is not possible to configure per-host TLS configuration - parameters including SNI, subject alt name verification, etc. This will be added in a future - change. **This means that the following configuration will not fully validate TLS certificates**. - Use with care until full support for per-host validation is implemented. + the certificate chain. Additionally, Envoy will automatically perform SAN verification for the + resolved host name as well as specify the host name via SNI. .. code-block:: yaml diff --git a/docs/root/intro/arch_overview/http/http_proxy.rst b/docs/root/intro/arch_overview/http/http_proxy.rst index 496feab8c5709..2ed691203abb4 100644 --- a/docs/root/intro/arch_overview/http/http_proxy.rst +++ b/docs/root/intro/arch_overview/http/http_proxy.rst 
@@ -27,6 +27,8 @@ follows: * A special load balancer will select the right host to use based on the HTTP host/authority header during forwarding. * Hosts that have not been used for a period of time are subject to a TTL that will purge them. +* When the upstream cluster has been configured with a TLS context, Envoy will automatically perform + SAN verification for the resolved host name as well as specify the host name via SNI. The above implementation details mean that at steady state Envoy can forward a large volume of HTTP proxy traffic while all DNS resolution happens asynchronously in the background. Additionally, diff --git a/include/envoy/upstream/upstream.h b/include/envoy/upstream/upstream.h index 567466c18ebc8..79bb3c063f02d 100644 --- a/include/envoy/upstream/upstream.h +++ b/include/envoy/upstream/upstream.h @@ -843,7 +843,6 @@ class ClusterInfo { */ virtual absl::optional eds_service_name() const PURE; -protected: /** * Invoked by extensionProtocolOptionsTyped. * @param name std::string containing the well-known name of the extension for which protocol diff --git a/source/common/config/tls_context_json.cc b/source/common/config/tls_context_json.cc index 6072c55b2a772..fece59b47676c 100644 --- a/source/common/config/tls_context_json.cc +++ b/source/common/config/tls_context_json.cc 
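Review bot: Dropping `protected:` turns extensionProtocolOptions() into public API of ClusterInfo, yet the doc comment directly below it still reads "Invoked by extensionProtocolOptionsTyped", which no longer describes its only caller. The comment should say why it is public, for example `* Public so that delegating ClusterInfo implementations can forward it; prefer extensionProtocolOptionsTyped() in normal use.`. The enclosing ClusterInfo class starts and ends outside the hunk.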
@@ -9,20 +9,6 @@ namespace Envoy { namespace Config { -void TlsContextJson::translateDownstreamTlsContext( - const Json::Object& json_tls_context, - envoy::api::v2::auth::DownstreamTlsContext& downstream_tls_context) { - translateCommonTlsContext(json_tls_context, *downstream_tls_context.mutable_common_tls_context()); - JSON_UTIL_SET_BOOL(json_tls_context, downstream_tls_context, require_client_certificate); - - const std::vector paths = - json_tls_context.getStringArray("session_ticket_key_paths", true); - for (const std::string& path : paths) { - downstream_tls_context.mutable_session_ticket_keys()->mutable_keys()->Add()->set_filename(path); - } - MessageUtil::validate(downstream_tls_context); -} - void TlsContextJson::translateUpstreamTlsContext( const Json::Object& json_tls_context, envoy::api::v2::auth::UpstreamTlsContext& upstream_tls_context) { diff --git a/source/common/config/tls_context_json.h b/source/common/config/tls_context_json.h index 53a1a14afe75d..1eb9cbc1139d3 100644 --- a/source/common/config/tls_context_json.h +++ b/source/common/config/tls_context_json.h @@ -8,15 +8,6 @@ namespace Config { class TlsContextJson { public: - /** - * Translate a v1 JSON TLS context to v2 envoy::api::v2::auth::DownstreamTlsContext. - * @param json_tls_context source v1 JSON TLS context object. - * @param downstream_tls_context destination v2 envoy::api::v2::Cluster. - */ - static void - translateDownstreamTlsContext(const Json::Object& json_tls_context, - envoy::api::v2::auth::DownstreamTlsContext& downstream_tls_context); - /** * Translate a v1 JSON TLS context to v2 envoy::api::v2::auth::UpstreamTlsContext. * @param json_tls_context source v1 JSON TLS context object. diff --git a/source/extensions/clusters/dynamic_forward_proxy/cluster.cc b/source/extensions/clusters/dynamic_forward_proxy/cluster.cc index e67066f9a4447..92560b50f7b59 100644 --- a/source/extensions/clusters/dynamic_forward_proxy/cluster.cc 
+++ b/source/extensions/clusters/dynamic_forward_proxy/cluster.cc 
@@ -7,9 +7,97 @@ namespace Extensions { namespace Clusters { namespace DynamicForwardProxy { -// TODO(mattklein123): Make sure that the cluster's hosts display their host name in admin output. -// TODO(mattklein123): Allow customizing TLS on a per-host basis. For example, setting SNI and -// doing certificate validation. +class ClusterInfoWithOverridenTls : public Upstream::ClusterInfo { +public: + ClusterInfoWithOverridenTls(const Upstream::ClusterInfoConstSharedPtr& real_cluster_info, + Network::TransportSocketFactoryPtr&& transport_socket_factory) + : real_cluster_info_(real_cluster_info), + transport_socket_factory_(std::move(transport_socket_factory)) {} + + // Upstream::ClusterInfo + bool addedViaApi() const override { return real_cluster_info_->addedViaApi(); } + std::chrono::milliseconds connectTimeout() const override { + return real_cluster_info_->connectTimeout(); + } + const absl::optional idleTimeout() const override { + return real_cluster_info_->idleTimeout(); + } + uint32_t perConnectionBufferLimitBytes() const override { + return real_cluster_info_->perConnectionBufferLimitBytes(); + } + uint64_t features() const override { return real_cluster_info_->features(); } + const Http::Http2Settings& http2Settings() const override { + return real_cluster_info_->http2Settings(); + } + const envoy::api::v2::Cluster::CommonLbConfig& lbConfig() const override { + return real_cluster_info_->lbConfig(); + } + Upstream::LoadBalancerType lbType() const override { return real_cluster_info_->lbType(); } + envoy::api::v2::Cluster::DiscoveryType type() const override { + return real_cluster_info_->type(); + } + const absl::optional& clusterType() const override { + return real_cluster_info_->clusterType(); + } + const absl::optional& + lbLeastRequestConfig() const override { + return real_cluster_info_->lbLeastRequestConfig(); + } + const absl::optional& + lbRingHashConfig() const override { + return real_cluster_info_->lbRingHashConfig(); + } + const absl::optional& 
+ lbOriginalDstConfig() const override { + return real_cluster_info_->lbOriginalDstConfig(); + } + bool maintenanceMode() const override { return real_cluster_info_->maintenanceMode(); } + uint64_t maxRequestsPerConnection() const override { + return real_cluster_info_->maxRequestsPerConnection(); + } + const std::string& name() const override { return real_cluster_info_->name(); } + Upstream::ResourceManager& resourceManager(Upstream::ResourcePriority priority) const override { + return real_cluster_info_->resourceManager(priority); + } + Network::TransportSocketFactory& transportSocketFactory() const override { + return *transport_socket_factory_; + } + Upstream::ClusterStats& stats() const override { return real_cluster_info_->stats(); } + Stats::Scope& statsScope() const override { return real_cluster_info_->statsScope(); } + Upstream::ClusterLoadReportStats& loadReportStats() const override { + return real_cluster_info_->loadReportStats(); + } + const Network::Address::InstanceConstSharedPtr& sourceAddress() const override { + return real_cluster_info_->sourceAddress(); + } + const Upstream::LoadBalancerSubsetInfo& lbSubsetInfo() const override { + return real_cluster_info_->lbSubsetInfo(); + } + const envoy::api::v2::core::Metadata& metadata() const override { + return real_cluster_info_->metadata(); + } + const Envoy::Config::TypedMetadata& typedMetadata() const override { + return real_cluster_info_->typedMetadata(); + } + const Network::ConnectionSocket::OptionsSharedPtr& clusterSocketOptions() const override { + return real_cluster_info_->clusterSocketOptions(); + } + bool drainConnectionsOnHostRemoval() const override { + return real_cluster_info_->drainConnectionsOnHostRemoval(); + } + bool warmHosts() const override { return real_cluster_info_->warmHosts(); } + absl::optional eds_service_name() const override { + return real_cluster_info_->eds_service_name(); + } + Upstream::ProtocolOptionsConfigConstSharedPtr + extensionProtocolOptions(const 
std::string& name) const override { + return real_cluster_info_->extensionProtocolOptions(name); + } + +private: + const Upstream::ClusterInfoConstSharedPtr real_cluster_info_; + const Network::TransportSocketFactoryPtr transport_socket_factory_; +}; Cluster::Cluster( const envoy::api::v2::Cluster& cluster, @@ -21,9 +109,15 @@ Cluster::Cluster( Stats::ScopePtr&& stats_scope, bool added_via_api) : Upstream::BaseDynamicClusterImpl(cluster, runtime, factory_context, std::move(stats_scope), added_via_api), - dns_cache_manager_(cache_manager_factory.get()), + cluster_config_(cluster), dns_cache_manager_(cache_manager_factory.get()), dns_cache_(dns_cache_manager_->getCache(config.dns_cache_config())), update_callbacks_handle_(dns_cache_->addUpdateCallbacks(*this)), local_info_(local_info), + transport_factory_context_(factory_context.admin(), factory_context.sslContextManager(), + factory_context.statsScope(), factory_context.clusterManager(), + factory_context.localInfo(), factory_context.dispatcher(), + factory_context.random(), factory_context.stats(), + factory_context.singletonManager(), factory_context.threadLocal(), + factory_context.messageValidationVisitor(), factory_context.api()), host_map_(std::make_shared()) { // TODO(mattklein123): Technically, we should support attaching to an already warmed DNS cache. // This will require adding a hosts() or similar API to the cache and 
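Review bot: ClusterInfoWithOverridenTls carries no comment explaining why a full delegating copy of ClusterInfo exists, and its name misspells "Overridden". A one-line header such as `// ClusterInfo decorator: forwards every accessor to the real cluster info except transportSocketFactory(), which is replaced by a per-host factory.` would make the intent clear, and renaming it ClusterInfoWithOverriddenTls fixes the spelling. Because every accessor is hand-forwarded, any ClusterInfo virtual added later with a default body would silently use that default here instead of real_cluster_info_; the same comment is the place to say so.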
@@ -58,14 +152,15 @@ void Cluster::onDnsHostAddOrUpdate( HostInfoMapSharedPtr current_map = getCurrentHostMap(); const auto host_map_it = current_map->find(host); if (host_map_it != current_map->end()) { - // If we only have an address change, we can do that swap inline without any other updates. The - // appropriate R/W locking is in place to allow this. The details of this locking are: + // If we only have an address change, we can do that swap inline without any other updates. + // The appropriate R/W locking is in place to allow this. The details of this locking are: // - Hosts are not thread local, they are global. // - We take a read lock when reading the address and a write lock when changing it. // - Address updates are very rare. - // - Address reads are only done when a connection is being made and a "real" host description - // is created or the host is queries via the admin endpoint. Both of these operations are - // relatively rare and the read lock is held for a short period of time. + // - Address reads are only done when a connection is being made and a "real" host + // description is created or the host is queried via the admin endpoint. Both of + // these operations are relatively rare and the read lock is held for a short period + // of time. // // TODO(mattklein123): Right now the dynamic forward proxy / DNS cache works similar to how // logical DNS works, meaning that we only store a single address per 
@@ -82,10 +177,31 @@ void Cluster::onDnsHostAddOrUpdate(
   }
 
   ENVOY_LOG(debug, "adding new dfproxy cluster host '{}'", host);
+  Upstream::ClusterInfoConstSharedPtr cluster_info_to_use;
+  if (createCustomTlsForHost()) {
+    // Create an override cluster configuration that automatically provides both SNI as well as
+    // SAN verification for the resolved host if the cluster has been configured with TLS.
+    // TODO(mattklein123): The fact that we are copying the cluster config, etc. is not very clean.
+    // consider streamlining this in the future.
+    // TODO(mattklein123): If the host is an IP address should we be setting SNI? IP addresses in
+    // hosts needs to be revisited so this can be handled in a follow up.
+    envoy::api::v2::Cluster override_cluster = cluster_config_;
+    override_cluster.mutable_tls_context()->set_sni(host_info->resolvedHost());
+    override_cluster.mutable_tls_context()
+        ->mutable_common_tls_context()
+        ->mutable_validation_context()
+        ->add_verify_subject_alt_name(host_info->resolvedHost());
+    cluster_info_to_use = std::make_shared(
+        info(),
+        Upstream::createTransportSocketFactory(override_cluster, transport_factory_context_));
+  } else {
+    cluster_info_to_use = info();
+  }
+
   const auto new_host_map = std::make_shared(*current_map);
   const auto emplaced = new_host_map->try_emplace(
       host, host_info,
-      std::make_shared(info(), host, host_info->address(),
+      std::make_shared(cluster_info_to_use, host, host_info->address(),
                        dummy_locality_lb_endpoint_, dummy_lb_endpoint_));
   Upstream::HostVector hosts_added;
   hosts_added.emplace_back(emplaced.first->second.logical_host_);
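Review bot: add_verify_subject_alt_name() appends the resolved host to whatever `verify_subject_alt_name` entries the operator already configured on the cluster, and as far as I recall the validation code (outside this diff) accepts a certificate that matches any listed entry, so the per-host check is only strict when that list is empty: a certificate carrying one of the static names would be accepted for every resolved host. Either clear the inherited list before adding the per-host entry, or document the interaction next to the call, e.g. `// NOTE: operator-configured verify_subject_alt_name entries stay accepted alongside the per-host entry.`. Each newly resolved host also builds its own transport socket factory, and with it a fresh TLS context, on the main thread; the cost is bounded by the DNS cache's host limit, but a comment stating that bound would help the next reader. onDnsHostAddOrUpdate begins and ends outside the hunk.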
@@ -95,6 +211,12 @@ void Cluster::onDnsHostAddOrUpdate(
   swapAndUpdateMap(new_host_map, hosts_added, {});
 }
 
+bool Cluster::createCustomTlsForHost() {
+  // TODO(mattklein123): Consider custom settings per host and/or global cluster config to turn this
+  // off.
+  return !cluster_config_.has_transport_socket() && cluster_config_.has_tls_context();
+}
+
 void Cluster::swapAndUpdateMap(const HostInfoMapSharedPtr& new_hosts_map,
                                const Upstream::HostVector& hosts_added,
                                const Upstream::HostVector& hosts_removed) {
diff --git a/source/extensions/clusters/dynamic_forward_proxy/cluster.h b/source/extensions/clusters/dynamic_forward_proxy/cluster.h
index 7635e91cb49b3..76c78fe6ad4af 100644
--- a/source/extensions/clusters/dynamic_forward_proxy/cluster.h
+++ b/source/extensions/clusters/dynamic_forward_proxy/cluster.h
@@ -6,6 +6,8 @@
 #include "common/upstream/cluster_factory_impl.h"
 #include "common/upstream/logical_host.h"
 
+#include "server/transport_socket_config_impl.h"
+
 #include "extensions/clusters/well_known_names.h"
 #include "extensions/common/dynamic_forward_proxy/dns_cache.h"
 
@@ -95,7 +97,9 @@ class Cluster : public Upstream::BaseDynamicClusterImpl,
   void swapAndUpdateMap(const HostInfoMapSharedPtr& new_hosts_map,
                         const Upstream::HostVector& hosts_added,
                         const Upstream::HostVector& hosts_removed);
+  bool createCustomTlsForHost();
 
+  const envoy::api::v2::Cluster cluster_config_;
   const Extensions::Common::DynamicForwardProxy::DnsCacheManagerSharedPtr dns_cache_manager_;
   const Extensions::Common::DynamicForwardProxy::DnsCacheSharedPtr dns_cache_;
   const Extensions::Common::DynamicForwardProxy::DnsCache::AddUpdateCallbacksHandlePtr
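Review bot: createCustomTlsForHost() reads only cluster_config_ and should be const in both the definition here and the declaration in the cluster.h hunk further along this line: `bool Cluster::createCustomTlsForHost() const {` and `bool createCustomTlsForHost() const;`. Its comment could also spell out the precedence rule the expression encodes, e.g. `// An explicit transport_socket always wins; per-host TLS is only synthesized from tls_context.`.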
@@ -103,6 +107,7 @@ class Cluster : public Upstream::BaseDynamicClusterImpl, const envoy::api::v2::endpoint::LocalityLbEndpoints dummy_locality_lb_endpoint_; const envoy::api::v2::endpoint::LbEndpoint dummy_lb_endpoint_; const LocalInfo::LocalInfo& local_info_; + Server::Configuration::TransportSocketFactoryContextImpl transport_factory_context_; absl::Mutex host_map_lock_; HostInfoMapSharedPtr host_map_ ABSL_GUARDED_BY(host_map_lock_); diff --git a/source/extensions/common/dynamic_forward_proxy/dns_cache.h b/source/extensions/common/dynamic_forward_proxy/dns_cache.h index 96ee2d5a7473c..3a0fb4580ef30 100644 --- a/source/extensions/common/dynamic_forward_proxy/dns_cache.h +++ b/source/extensions/common/dynamic_forward_proxy/dns_cache.h @@ -23,6 +23,12 @@ class DnsHostInfo { */ virtual Network::Address::InstanceConstSharedPtr address() PURE; + /** + * Returns the host that was actually resolved via DNS. If port was originally specified it will + * be stripped from this return value. + */ + virtual const std::string& resolvedHost() PURE; + /** * Indicates that the host has been used and should not be purged depending on any configured * TTL policy diff --git a/source/extensions/common/dynamic_forward_proxy/dns_cache_impl.cc b/source/extensions/common/dynamic_forward_proxy/dns_cache_impl.cc index b8173e2dfd00c..0e9a978ff40f6 100644 --- a/source/extensions/common/dynamic_forward_proxy/dns_cache_impl.cc +++ b/source/extensions/common/dynamic_forward_proxy/dns_cache_impl.cc 
@@ -132,12 +132,12 @@ void DnsCacheImpl::onReResolve(const std::string& host) { void DnsCacheImpl::startResolve(const std::string& host, PrimaryHostInfo& host_info) { ENVOY_LOG(debug, "starting main thread resolve for host='{}' dns='{}' port='{}'", host, - host_info.host_to_resolve_, host_info.port_); + host_info.host_info_->resolved_host_, host_info.port_); ASSERT(host_info.active_query_ == nullptr); stats_.dns_query_attempt_.inc(); host_info.active_query_ = - resolver_->resolve(host_info.host_to_resolve_, dns_lookup_family_, + resolver_->resolve(host_info.host_info_->resolved_host_, dns_lookup_family_, [this, host](std::list&& response) { finishResolve(host, std::move(response)); }); @@ -151,11 +151,8 @@ void DnsCacheImpl::finishResolve(const std::string& host, auto& primary_host_info = *primary_host_it->second; primary_host_info.active_query_ = nullptr; - const bool first_resolve = primary_host_info.host_info_ == nullptr; - if (primary_host_info.host_info_ == nullptr) { - primary_host_info.host_info_ = - std::make_shared(main_thread_dispatcher_.timeSource()); - } + const bool first_resolve = !primary_host_info.host_info_->first_resolve_complete_; + primary_host_info.host_info_->first_resolve_complete_ = true; const auto new_address = !response.empty() ? Network::Utility::getAddressWithPort(*(response.front().address_), @@ -211,9 +208,8 @@ void DnsCacheImpl::runRemoveCallbacks(const std::string& host) { void DnsCacheImpl::updateTlsHostsMap() { TlsHostMapSharedPtr new_host_map = std::make_shared(); for (const auto& primary_host : primary_hosts_) { - // Do not include hosts without host info. This only happens before we get the first - // resolution. - if (primary_host.second->host_info_ != nullptr) { + // Do not include hosts that have not resolved at least once. + if (primary_host.second->host_info_->first_resolve_complete_) { new_host_map->emplace(primary_host.first, primary_host.second->host_info_); } } 
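Review bot: first_resolve_complete_ is written in finishResolve() and read in updateTlsHostsMap(), and the DnsHostInfoImpl it lives on is also shared into the thread-local host map, yet nothing here says whether the flag is main-thread-only or atomic. A comment at the write site such as `// Main thread only; never read this flag from a worker.` (or making it atomic if that assumption does not hold) would keep a data race from creeping in later. The flag's declaration in dns_cache_impl.h is not legible in this diff, so this is inferred from its usage here.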
@@ -249,8 +245,10 @@ void DnsCacheImpl::ThreadLocalHostInfo::updateHostMap(const TlsHostMapSharedPtr& DnsCacheImpl::PrimaryHostInfo::PrimaryHostInfo(DnsCacheImpl& parent, absl::string_view host_to_resolve, uint16_t port, const Event::TimerCb& timer_cb) - : parent_(parent), host_to_resolve_(host_to_resolve), port_(port), - refresh_timer_(parent.main_thread_dispatcher_.createTimer(timer_cb)) { + : parent_(parent), port_(port), + refresh_timer_(parent.main_thread_dispatcher_.createTimer(timer_cb)), + host_info_(std::make_shared(parent.main_thread_dispatcher_.timeSource(), + host_to_resolve)) { parent_.stats_.host_added_.inc(); parent_.stats_.num_hosts_.inc(); } diff --git a/source/extensions/common/dynamic_forward_proxy/dns_cache_impl.h b/source/extensions/common/dynamic_forward_proxy/dns_cache_impl.h index 7ecccdf3a8d27..440617b61c70c 100644 --- a/source/extensions/common/dynamic_forward_proxy/dns_cache_impl.h +++ b/source/extensions/common/dynamic_forward_proxy/dns_cache_impl.h @@ -71,13 +71,19 @@ class DnsCacheImpl : public DnsCache, Logger::Loggablemutable_clusters(0); cluster_0->clear_hosts(); cluster_0->set_lb_policy(envoy::api::v2::Cluster::CLUSTER_PROVIDED); + if (upstream_tls_) { + auto context = cluster_0->mutable_tls_context(); + auto* validation_context = + context->mutable_common_tls_context()->mutable_validation_context(); + validation_context->mutable_trusted_ca()->set_filename( + TestEnvironment::runfilesPath("test/config/integration/certs/upstreamcacert.pem")); + } + const std::string cluster_type_config = fmt::format(R"EOF( name: envoy.clusters.dynamic_forward_proxy 
@@ -58,6 +69,35 @@ name: envoy.clusters.dynamic_forward_proxy HttpIntegrationTest::initialize(); } + + void createUpstreams() override { + if (upstream_tls_) { + fake_upstreams_.emplace_back(new FakeUpstream( + createUpstreamSslContext(), 0, FakeHttpConnection::Type::HTTP1, version_, timeSystem())); + } else { + HttpIntegrationTest::createUpstreams(); + } + } + + // TODO(mattklein123): This logic is duplicated in various places. Cleanup in a follow up. + Network::TransportSocketFactoryPtr createUpstreamSslContext() { + envoy::api::v2::auth::DownstreamTlsContext tls_context; + auto* common_tls_context = tls_context.mutable_common_tls_context(); + auto* tls_cert = common_tls_context->add_tls_certificates(); + tls_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::runfilesPath("test/config/integration/certs/upstreamcert.pem")); + tls_cert->mutable_private_key()->set_filename( + TestEnvironment::runfilesPath("test/config/integration/certs/upstreamkey.pem")); + + auto cfg = std::make_unique( + tls_context, factory_context_); + + static Stats::Scope* upstream_stats_store = new Stats::IsolatedStoreImpl(); + return std::make_unique( + std::move(cfg), context_manager_, *upstream_stats_store, std::vector{}); + } + + bool upstream_tls_{}; }; INSTANTIATE_TEST_SUITE_P(IpVersions, ProxyFilterIntegrationTest, 
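Review bot: createUpstreams() hands a raw `new FakeUpstream(...)` to emplace_back; if fake_upstreams_ holds unique_ptr, `fake_upstreams_.emplace_back(std::make_unique<FakeUpstream>(createUpstreamSslContext(), 0, FakeHttpConnection::Type::HTTP1, version_, timeSystem()));` states ownership directly and cannot leak if the push throws. The `static Stats::Scope* upstream_stats_store = new ...` in createUpstreamSslContext is deliberately leaked, mirroring the xfcc test; since the TODO already flags the duplication, a short `// Intentionally leaked: must outlive the transport socket factory.` would stop the next reader from "fixing" it.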
@@ -142,5 +182,31 @@ TEST_P(ProxyFilterIntegrationTest, DNSCacheHostOverflow) {
   EXPECT_EQ(1, test_server_->counter("dns_cache.foo.host_overflow")->value());
 }
 
+// Verify that upstream TLS works with auto verification for SAN as well as auto setting SNI.
+TEST_P(ProxyFilterIntegrationTest, UpstreamTls) {
+  upstream_tls_ = true;
+  setup();
+  codec_client_ = makeHttpConnection(lookupPort("http"));
+  const Http::TestHeaderMapImpl request_headers{
+      {":method", "POST"},
+      {":path", "/test/long/url"},
+      {":scheme", "http"},
+      {":authority",
+       fmt::format("localhost:{}", fake_upstreams_[0]->localAddress()->ip()->port())}};
+
+  auto response = codec_client_->makeHeaderOnlyRequest(request_headers);
+  waitForNextUpstreamRequest();
+
+  const Extensions::TransportSockets::Tls::SslSocket* ssl_socket =
+      dynamic_cast(
+          fake_upstream_connection_->connection().ssl());
+  EXPECT_STREQ("localhost",
+               SSL_get_servername(ssl_socket->rawSslForTest(), TLSEXT_NAMETYPE_host_name));
+
+  upstream_request_->encodeHeaders(default_response_headers_, true);
+  response->waitForEndStream();
+  checkSimpleRequestSuccess(0, 0, response.get());
+}
+
 } // namespace
 } // namespace Envoy
diff --git a/test/integration/xfcc_integration_test.cc b/test/integration/xfcc_integration_test.cc
index b7e8504864995..2e9a5f12d8a65 100644
--- a/test/integration/xfcc_integration_test.cc
+++ b/test/integration/xfcc_integration_test.cc
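Review bot: ssl_socket from the dynamic_cast is dereferenced without a null check; adding `ASSERT_NE(nullptr, ssl_socket);` before the SSL_get_servername() call turns a cast failure into a clear test failure rather than a crash. The test also covers only the success path: it confirms the SNI reached the upstream, but nothing checks that SAN verification is actually enforced, so a regression that dropped add_verify_subject_alt_name would still pass. A second case in which the upstream presents a certificate without a `localhost` SAN and the request is expected to fail would pin that behavior.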
@@ -70,16 +70,16 @@ Network::TransportSocketFactoryPtr XfccIntegrationTest::createClientSslContext(b } Network::TransportSocketFactoryPtr XfccIntegrationTest::createUpstreamSslContext() { - std::string json = R"EOF( -{ - "cert_chain_file": "{{ test_rundir }}/test/config/integration/certs/upstreamcert.pem", - "private_key_file": "{{ test_rundir }}/test/config/integration/certs/upstreamkey.pem" -} -)EOF"; + envoy::api::v2::auth::DownstreamTlsContext tls_context; + auto* common_tls_context = tls_context.mutable_common_tls_context(); + auto* tls_cert = common_tls_context->add_tls_certificates(); + tls_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::runfilesPath("test/config/integration/certs/upstreamcert.pem")); + tls_cert->mutable_private_key()->set_filename( + TestEnvironment::runfilesPath("test/config/integration/certs/upstreamkey.pem")); - Json::ObjectSharedPtr loader = TestEnvironment::jsonLoadFromString(json); auto cfg = std::make_unique( - *loader, factory_context_); + tls_context, factory_context_); static Stats::Scope* upstream_stats_store = new Stats::TestIsolatedStoreImpl(); return std::make_unique( std::move(cfg), *context_manager_, *upstream_stats_store, std::vector{}); From 84e0a25a3646d1ceedc6529a4ec3cc3145d1f320 Mon Sep 17 00:00:00 2001 From: Matt Klein Date: Mon, 8 Jul 2019 14:46:09 -0700 Subject: [PATCH 2/5] comments 
Signed-off-by: Matt Klein --- test/config/integration/certs/cacert.pem | 42 ++++++++-------- test/config/integration/certs/cakey.pem | 50 +++++++++---------- test/config/integration/certs/certs.sh | 2 + .../integration/certs/client_ecdsacert.pem | 40 +++++++-------- .../integration/certs/client_ecdsacert_hash.h | 4 +- .../integration/certs/client_ecdsakey.pem | 6 +-- test/config/integration/certs/clientcert.pem | 48 +++++++++--------- .../integration/certs/clientcert_hash.h | 4 +- test/config/integration/certs/clientkey.pem | 50 +++++++++---------- .../integration/certs/server_ecdsacert.pem | 40 +++++++-------- .../integration/certs/server_ecdsacert_hash.h | 4 +- .../integration/certs/server_ecdsakey.pem | 6 +-- test/config/integration/certs/servercert.pem | 48 +++++++++--------- .../integration/certs/servercert_hash.h | 4 +- test/config/integration/certs/serverkey.pem | 50 +++++++++---------- .../integration/certs/upstreamcacert.pem | 36 ++++++------- .../integration/certs/upstreamcakey.pem | 50 +++++++++---------- .../config/integration/certs/upstreamcert.cfg | 1 - .../config/integration/certs/upstreamcert.pem | 38 +++++++------- .../integration/certs/upstreamcert_hash.h | 3 +- test/config/integration/certs/upstreamkey.pem | 50 +++++++++---------- .../certs/upstreamlocalhostcert.cfg | 38 ++++++++++++++ .../certs/upstreamlocalhostcert.pem | 25 ++++++++++ .../certs/upstreamlocalhostcert_hash.h | 2 + .../certs/upstreamlocalhostkey.pem | 27 ++++++++++ 25 files changed, 380 insertions(+), 288 deletions(-) create mode 100644 test/config/integration/certs/upstreamlocalhostcert.cfg create mode 100644 test/config/integration/certs/upstreamlocalhostcert.pem create mode 100644 test/config/integration/certs/upstreamlocalhostcert_hash.h create mode 100644 test/config/integration/certs/upstreamlocalhostkey.pem diff --git a/test/config/integration/certs/cacert.pem b/test/config/integration/certs/cacert.pem index 1dbd3651ac289..021f465ac3ef2 100644 
--- a/test/config/integration/certs/cacert.pem +++ b/test/config/integration/certs/cacert.pem 
@@ -1,23 +1,23 @@ -----BEGIN CERTIFICATE----- -MIID3TCCAsWgAwIBAgIUEOwYq1WXL3yP6kaKmntCCMg0PogwDQYJKoZIhvcNAQEL -BQAwdjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM -DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n -aW5lZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMTkwNzAzMjEzODAxWhcNMjEw -NzAyMjEzODAxWjB2MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEW -MBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwETHlmdDEZMBcGA1UECwwQ -THlmdCBFbmdpbmVlcmluZzEQMA4GA1UEAwwHVGVzdCBDQTCCASIwDQYJKoZIhvcN -AQEBBQADggEPADCCAQoCggEBAMDu0rL5EOjHz0Hp/3mjeNQSQXBgeHBSHX9klLnf -2YZLDlF9zLs9EDQ6lu73L3ddHNG5LVFjzkSIxuga+dk8RloZjgLkTxxe1u0GFRJ8 -nuo94FPi8SFsPCnnNw1MbAS5fi9xS/HyO1sWrfG4kvbNwag9vHmLXAiY8mP5hx86 -nNEaNw+FhEuMQ5M2fZuxC3OZWg+gKJWjTMMFGpL6I24DloZWNz7FPCEkoIWAaXDl -7nQRF/CnCgR2qzZ4taovaI0sz4Io4FbXxrgFp2MGMYho6YxEeqhEcWRkG2QPh/Lf -WPmbzf2+3p7qQyZ5DpioIxaSvPlcN844Wlhb+poZ8QuzUWUCAwEAAaNjMGEwDwYD -VR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFK5gKQmCW6iN -Tt/5cJKN2niWLEDiMB8GA1UdIwQYMBaAFK5gKQmCW6iNTt/5cJKN2niWLEDiMA0G -CSqGSIb3DQEBCwUAA4IBAQA0oYiG8SnI4QylJrke3ydw0sXWS6LyH1WllS+6nAK9 -5qiTL3Q6wqeWroJsRQ8RcmndaGwCn7VvibnH8gwWGmbrTPiJiWaW4WBYKtL3GJSZ -bnHTFVfCe2TtzouYTzrfSfkh6kLOP/omAyLukIdv1qWJQzD0V8bxjplCqpbh28IM -lIhgdn+GxjU6bYGA8edEgKgi9FSbv02thnkKlnxlehQSeA7vKXVHjQKo2no35OI7 -wClhbsye75rf6cHdNrK2d/Wkl/khYrpgXwHkC/2u/YFJ3jdhW7LHCDSRTde2YUk5 -oyM3i7peJc9jvVQIBZXM4/o0SiS8HNzPQPAB8rRA5Nyz +MIID0jCCArqgAwIBAgIJAJxgLCQiz7YlMA0GCSqGSIb3DQEBCwUAMHYxCzAJBgNV +BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNp +c2NvMQ0wCwYDVQQKDARMeWZ0MRkwFwYDVQQLDBBMeWZ0IEVuZ2luZWVyaW5nMRAw +DgYDVQQDDAdUZXN0IENBMB4XDTE4MTIxNzIwMTgwMFoXDTIwMTIxNjIwMTgwMFow +djELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNh +biBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5naW5l +ZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQCpZHOUq+nidd+Gz44RC80QG9De9jcFUStEMGucXlnvvp2cH3GV4GmO 
+IZPdCwasxuruO3VM/Yt8tUAO2OrTQayuL9GXTt8MTpkCrviebMBzjYjbgyLgDpZy +cMoEJjBx0JsfQV+9IUDROLlIehTYzjcIWuLEOqMjZXQQCOI+jA3CEWZx1TFhRWhi +9aBnQQzWCSZPV5ErKSSRg2T2Xnuhusue7ETtgSt36hDrOxLhJaeS1/YlovyhX94j +JPhASK3LutJUDO2tk8L713Y3WHkFzDMfkGrklRbBB/ZKXRRGiJDWElpbUCUVFbuw +7laBtTn0t74DQxBXqal9sIr9vV7LLQszAgMBAAGjYzBhMA8GA1UdEwEB/wQFMAMB +Af8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBQUM9b2kmz7njy/vuxkzKiwDLZN +5DAfBgNVHSMEGDAWgBQUM9b2kmz7njy/vuxkzKiwDLZN5DANBgkqhkiG9w0BAQsF +AAOCAQEAkWqORue+2exZldWbYaDUX3ANP0ATBNIbZM70uTNO8Iy+r5Fvxtae/PsV +Iac9LzVY5dY5eqIND9wo7osFfxEhJdJn+/tpTU2h9IhsuWMm0Ogj87NS3sy0xwDc +xBhnVXI8nCDYU3qU3p+AeC0VfEbNb+dRKHH/FL77jvIL64GP/WGxxS9u7LRTUUoR +g97ZWeayKEsHAicRao4/k3jgpNIUN0BOlkjLvCe1ExU0id5R3UtdITmbuSSe6GJx +j8xsEV8PxmOIaJ/M+fqE+Zi2Ljp3a+9X/nLakR6ohMNTbrGMQWrGIpFqCj6pIwek +6Uemmmca+JeVohl8P3enMlW1d6/24w== -----END CERTIFICATE----- diff --git a/test/config/integration/certs/cakey.pem b/test/config/integration/certs/cakey.pem index d690a784f6a7f..030b80b3d860b 100644 --- a/test/config/integration/certs/cakey.pem +++ b/test/config/integration/certs/cakey.pem 
@@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEAwO7SsvkQ6MfPQen/eaN41BJBcGB4cFIdf2SUud/ZhksOUX3M -uz0QNDqW7vcvd10c0bktUWPORIjG6Br52TxGWhmOAuRPHF7W7QYVEnye6j3gU+Lx -IWw8Kec3DUxsBLl+L3FL8fI7Wxat8biS9s3BqD28eYtcCJjyY/mHHzqc0Ro3D4WE -S4xDkzZ9m7ELc5laD6AolaNMwwUakvojbgOWhlY3PsU8ISSghYBpcOXudBEX8KcK -BHarNni1qi9ojSzPgijgVtfGuAWnYwYxiGjpjER6qERxZGQbZA+H8t9Y+ZvN/b7e -nupDJnkOmKgjFpK8+Vw3zjhaWFv6mhnxC7NRZQIDAQABAoIBAAC2YQzMIqXZZwiF -Rq46Tk3qK1ew44D2rKk1w97T1sfKKyld342pcg/fT4NeYkx8iYi0uFgemDpkjud4 -ggetU00t3vpfwXMHXp/Nb/J7h1KyG8vzgJRxA9/bvLZN2/BAhxjBwFgKXvG9KbNE -zTYgGGD4qWOBgjt95Rc9aqRQ4RdckcdOWizhbsPN3u8TvYhIzD/8jfR6S8f8tMyL -wBudrvPqdhQZdem5J0ExJXoI8B8P34/cvN9K7iCWksHl8Jgr0bOsoFFgN0bd6RYx -K85GUmmLPk5R0cOKeJbsfjiL6P3EnkeZHltcZxT+4kHOiGVxStqSl9oamG2AZRyo -+T4chxkCgYEA3p85iXDhHdPWYMnO46t3J2M8mWp3nwEqpEp/hJxmRI3THnyFmWip -WhTQuEX5PHC02PvKy40//hTnghieyHhDebwt8qSL7cnVSk7RxLoBDSvkfMl2NxM3 -VvILhVIH8G5t9K2nXpJjiB7NYTQq+7uDNN/h8+KGRQS5kJCmobmEwXcCgYEA3dwP -LFOto2Gcr+qO/46pCaUw2CBTmmqYCyxkxZJdP1p0SvFIFdT5Ls1aW0o4sgNds5mR -atz57zo26yLPk0Uil+VeX/Ez4l0QrV37TagwIDiKdu17oIwqg3+uK9e2C8sQLbZI -NX34gorhXEPq9JrccPg2HRnEj+9Te/ZRj8KOmwMCgYA4sbADcn3CDNrBl2Na06Xq -n/kk0NpZ4gAsCtTivrnEp6GmV+vmH6NRT4+//gH1BHbp82W35ObxG/3BQefeAdKd -Q/EnpAQGsKni3KPLR9tQsWbk6KF0cS5ctBN/Bl8DOfxCnZ7MFNfIKKABKznvFdfa -NVHjvEKZfRSM3mmxMf+/DQKBgQCrbREwUAv4FUFr0FLj9oh4knKWXQwcYcbPw2Ku -IrT4cd0v1xW7AM/1sOjjZws9yUoKr1tkdhCNH681qrU3dxEOy0VL3uUXQI/VVawL -Siy9iNK8qC2BVSy4ZNzgtZHNtP7wQ0uyQX7W55bQow4WKN6yT6gIflOaX/Ni8mX9 -LfjgnwKBgFOTTxnxXgn1eH/KbIvQ8aavUfFzWqa35QA7sCMXJll28CIKk0XsKIET -oq1+2PTYf+GyckU7vROdngftqS3v3L+bYXmC+4Ka1zKIljPYStavB/I+4jqVMJuA -XpJ3mliUUtRvte0EpRvbNfxaspqapv74aV1OXD+nxuEOiN5JeSJN +MIIEpAIBAAKCAQEAqWRzlKvp4nXfhs+OEQvNEBvQ3vY3BVErRDBrnF5Z776dnB9x +leBpjiGT3QsGrMbq7jt1TP2LfLVADtjq00Gsri/Rl07fDE6ZAq74nmzAc42I24Mi +4A6WcnDKBCYwcdCbH0FfvSFA0Ti5SHoU2M43CFrixDqjI2V0EAjiPowNwhFmcdUx +YUVoYvWgZ0EM1gkmT1eRKykkkYNk9l57obrLnuxE7YErd+oQ6zsS4SWnktf2JaL8 
+oV/eIyT4QEity7rSVAztrZPC+9d2N1h5BcwzH5Bq5JUWwQf2Sl0URoiQ1hJaW1Al +FRW7sO5WgbU59Le+A0MQV6mpfbCK/b1eyy0LMwIDAQABAoIBAHFGvYwkUqmgTbRn +RAfeLmmhUFJpsG2b1CUrhCrzZY1PmTJ4TIr/oVbs2WauIu6TrzNVC6JKw2bIBmhn +YtGXT5TEYZKfqcUfIm+K9rNq4l/jvCufTEktOCqbhlyz9R2HdNS38QAXJrNDDZSM +HzjE3kR2EsNKuyHGjJDUgAd3vROTXLuNxhfO+he84NTz6hPlzNOGRJDOnacIp1T1 +qbQdlHhqxJBVyWyjAYR38maBrleLZqV27Fd0sBzuUkU7i6vHRFHp4pD4PAzkzAsS +DMqCmVF2cM83BT9qz8TcP4wd4+hj9OG2QbIe1zfhUfYS8v/bNqwtIV4WlbyW3P65 +ynXSaAECgYEA0XptQYYrPeSLkEQNLPfDu4BnTE4X65exl8c5+qMWg3aECbdaxWqi +VmjNlDyzz0w3zzSRShNR7/6fSWULrWwdSCRbpqiU1+xSUrPXCT+tqI9CVqVl452E +rGHiPZgy7ljb1x/mfrhA8fASrp57Xze4DLqYEUI5fiYBcJRhVqGZvTMCgYEAzwMA ++wbe2qyi9CuiEfDY3sv5+gfLkYUh3yR7dwrdqccAnOgG0nOv4LDwaoW4Fk2aAYdw +GvutdUntXtVc77Ha613cXCL38w58r890EpQuDoSTvZlo6K7lrB0ZFpUdefvpP5eL +4hrkRXes4TeshjLT8C+0Fo7+2XbZfWx2ZHrzegECgYEAh3rYwrIVsXfo06tPoi+0 +RcZsCKvRSKvZTkKpuvJTkz7JcsdFS70FtUEfBKql2IKA7eAfv3rzWXaiaoORo93y +qj/pjsYlTekn7RknEHJAzG2rCAL8/NNZhWvhONkAx6pstJuLJZXhWxhb3NffDtwo +iwL7at4b9Px7neY5diAaIIUCgYA/OXujL4YA45khWfI16IlUAphmdNsHptGhhVLw +GLF6mPzm7zamMA8XYPMMlaqTpT/UF7l1hEiF+f41aJTp4Dgsio4y1btE0LfkOkgJ +JJisdnFpBuGzrzcWSgzPiNtn1jh246IlfHEbhmGWp5pZokx4nxkxiprrcBEc7XN7 +XNHgAQKBgQCgiC8H2bpqmLii5xp0ZyyzUYn6sOar0nmKNcwpoPPIaOXNyIk7Ildn +3bocdUVFL/oYJFav2cmfeLOaetSEqYzMZO2OzF+OHT3wLBIhUFKgHIuStHUScCAR +FHsqaZxQEdI187t9xlVPGRYTMnKYdvM8pZXe3VFMrNOwRM01xoqSvw== -----END RSA PRIVATE KEY----- diff --git a/test/config/integration/certs/certs.sh b/test/config/integration/certs/certs.sh index 8798fe9a50130..d67da84352da9 100755 --- a/test/config/integration/certs/certs.sh +++ b/test/config/integration/certs/certs.sh @@ -52,6 +52,8 @@ generate_ca upstreamca # Generate cert for the upstream node. generate_rsa_key upstream upstreamca generate_x509_cert upstream upstreamca +generate_rsa_key upstreamlocalhost upstreamca +generate_x509_cert upstreamlocalhost upstreamca rm *.csr rm *.srl 
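Review bot: The certificate fixtures in this diff do not come from one run of this script: decoding the validity fields, the replacement cacert.pem, clientcert.pem, servercert.pem, their ECDSA variants and the matching keys and `*_hash.h` values are issued 2018-12-17 and expire 2020-12-16, while the lines they replace are issued 2019-07-03 and expire 2021-07-02, yet upstreamcacert.pem moves forward to 2019-07-08. That pattern looks like a branch that regenerated only the upstream chain and was not rebased over a later regeneration of the rest; rerunning `certs.sh` once on a rebased branch would give a consistent set and avoid replacing fixtures with ones that expire sooner than the ones they replace. The two added `upstreamlocalhost` lines also deserve a comment on why a second upstream cert exists, e.g. `# Separate cert whose SANs cover localhost; upstreamcert.cfg no longer lists localhost so per-host SAN verification can be exercised in both directions.` Whether `generate_x509_cert` expects a matching `upstreamlocalhostcert.cfg` is not visible here; if it does, that file is not part of the chunk shown.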
diff --git a/test/config/integration/certs/client_ecdsacert.pem b/test/config/integration/certs/client_ecdsacert.pem
index 7844aad3bddeb..d32aea145091d 100644
--- a/test/config/integration/certs/client_ecdsacert.pem
+++ b/test/config/integration/certs/client_ecdsacert.pem
@@ -1,22 +1,22 @@ -----BEGIN CERTIFICATE----- -MIIDpDCCAoygAwIBAgIUASeqOwqThDfvtGc0Yn5U44KFEJ4wDQYJKoZIhvcNAQEL -BQAwdjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM -DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n -aW5lZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMTkwNzAzMjEzODAxWhcNMjEw -NzAyMjEzODAxWjCBqDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWEx -FjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsM -EEx5ZnQgRW5naW5lZXJpbmcxGzAZBgNVBAMMElRlc3QgRnJvbnRlbmQgVGVhbTEl -MCMGCSqGSIb3DQEJARYWZnJvbnRlbmQtdGVhbUBseWZ0LmNvbTBZMBMGByqGSM49 -AgEGCCqGSM49AwEHA0IABEgPDlcKmkbZ377+0JE/t8IfN10w+QCXTyPuP3arOmtL -WWXF29Ajtwpl77AdmwA5ZDuF+Scv/JGo9vlt8Uk0H5ujgcEwgb4wDAYDVR0TAQH/ -BAIwADALBgNVHQ8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMB -MEIGA1UdEQQ7MDmGH3NwaWZmZTovL2x5ZnQuY29tL2Zyb250ZW5kLXRlYW2CCGx5 -ZnQuY29tggx3d3cubHlmdC5jb20wHQYDVR0OBBYEFKbm9TVgGqDdo+6fW6U1SknM -XkbSMB8GA1UdIwQYMBaAFK5gKQmCW6iNTt/5cJKN2niWLEDiMA0GCSqGSIb3DQEB -CwUAA4IBAQCIdYsOdCi6B35gWH1ON+LepTdvmW2YcY0vA2srQX7ZOITwgEDHkUxI -YqnsQA0zd84BaoAl+sCyauEVjm+NOw3cVdqHUtdWHr/DqWznB3JLb6YDwOKWQ2jn -8N4+NmcZkY8yLivmIOKLn8Z09F2q2c/pAFSMZKiaxatf/S+Qwyd3r/u6Ejhba1Fb -JBmq799lkYOKVu98W46cfg2ZrOBzDiwNE1JiGzFGta3nNnIXVZ9fHzPsOjU6Xjo4 -mmkmUbf/K2zqm56a4u7ICjqsTOK8ofGp8HJt38IRtzFeX9ul8k4zIOOOA+8VE6oP -4v2dSeX0ZA71g7ZFvKpBNZmoZ3bEb962 +MIIDmTCCAoGgAwIBAgIJAILStmLgUUcYMA0GCSqGSIb3DQEBCwUAMHYxCzAJBgNV +BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNp +c2NvMQ0wCwYDVQQKDARMeWZ0MRkwFwYDVQQLDBBMeWZ0IEVuZ2luZWVyaW5nMRAw +DgYDVQQDDAdUZXN0IENBMB4XDTE4MTIxNzIwMTgwMFoXDTIwMTIxNjIwMTgwMFow +gagxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1T +YW4gRnJhbmNpc2NvMQ0wCwYDVQQKDARMeWZ0MRkwFwYDVQQLDBBMeWZ0IEVuZ2lu +ZWVyaW5nMRswGQYDVQQDDBJUZXN0IEZyb250ZW5kIFRlYW0xJTAjBgkqhkiG9w0B +CQEWFmZyb250ZW5kLXRlYW1AbHlmdC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMB +BwNCAAT9UPlVN7p2GE0w7a7G7v+AqYYKwpsI1exZyLK4MiEBdiFxnQnjPP0Cfjpq +8PvQCZdthQ7+WL+HhRirpCHPaVHno4HBMIG+MAwGA1UdEwEB/wQCMAAwCwYDVR0P 
+BAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATBCBgNVHREEOzA5 +hh9zcGlmZmU6Ly9seWZ0LmNvbS9mcm9udGVuZC10ZWFtgghseWZ0LmNvbYIMd3d3 +Lmx5ZnQuY29tMB0GA1UdDgQWBBQLeMuyYBahRJ6gH43BRFYhMfBYxTAfBgNVHSME +GDAWgBQUM9b2kmz7njy/vuxkzKiwDLZN5DANBgkqhkiG9w0BAQsFAAOCAQEAEh3S +cW+nQzgbRCbfDkj+qcEslAOWJc6pNf6npKHtfn78YehVUKOiKkMdqTcW4zuhGjYA +ifVkoyTgTHyqdxkNdgELIi7/7JDY0N73AgndCpA/F/OqqMHATVtUMzTZzk7EB+yx +L6KyGuXVH6WtNnJ9Zo+f87FgjCtVZvnWqZKEynqtBRv930UaMkPPXQ/YLsrjkMC0 +VX2cyUG6tblYNxCeT73SRTs07KeT9wXOoZaUNxBJo0zPUYk3D1gEaCVCPMpqIOUF +kHkEPCdBDeGE1/UT/rPeFcWI+fCpKDU7c41ojMQ4/HxxorecyzBHxCpuqKZFGzD5 ++SAdcodf60sCDUt8lA== -----END CERTIFICATE----- diff --git a/test/config/integration/certs/client_ecdsacert_hash.h b/test/config/integration/certs/client_ecdsacert_hash.h index 1c33521451d9b..787f4511b3b49 100644 --- a/test/config/integration/certs/client_ecdsacert_hash.h +++ b/test/config/integration/certs/client_ecdsacert_hash.h @@ -1,3 +1,3 @@ // NOLINT(namespace-envoy) -constexpr char TEST_CLIENT_ECDSA_CERT_HASH[] = "49:44:C0:E1:AE:62:C5:4F:92:C1:ED:DD:9A:82:52:A8:A8:" - "87:CE:AA:24:6A:0A:CB:D6:FC:14:1A:26:53:15:8C"; +constexpr char TEST_CLIENT_ECDSA_CERT_HASH[] = "DC:B2:C0:82:AD:8C:C3:4E:06:2E:65:15:F9:F7:39:D0:4C:" + "8A:60:AF:1E:B6:01:18:C5:90:AE:AE:47:7D:B8:FC"; diff --git a/test/config/integration/certs/client_ecdsakey.pem b/test/config/integration/certs/client_ecdsakey.pem index 3b5d6bf6fd9a9..e352e35a540fc 100644 --- a/test/config/integration/certs/client_ecdsakey.pem +++ b/test/config/integration/certs/client_ecdsakey.pem 
@@ -2,7 +2,7 @@ BggqhkjOPQMBBw== -----END EC PARAMETERS----- -----BEGIN EC PRIVATE KEY----- -MHcCAQEEIKavzob3Zji5GSUxn6HJG4zapWF05iN5AHx4CEzzDi8koAoGCCqGSM49 -AwEHoUQDQgAESA8OVwqaRtnfvv7QkT+3wh83XTD5AJdPI+4/dqs6a0tZZcXb0CO3 -CmXvsB2bADlkO4X5Jy/8kaj2+W3xSTQfmw== +MHcCAQEEIOoeoqRYQ6raBXh0ejEFGvOvP8XNgbKnj7tDYDLFH7t1oAoGCCqGSM49 +AwEHoUQDQgAE/VD5VTe6dhhNMO2uxu7/gKmGCsKbCNXsWciyuDIhAXYhcZ0J4zz9 +An46avD70AmXbYUO/li/h4UYq6Qhz2lR5w== -----END EC PRIVATE KEY----- diff --git a/test/config/integration/certs/clientcert.pem b/test/config/integration/certs/clientcert.pem index 1e6ef0c351d37..edca455abfba6 100644 --- a/test/config/integration/certs/clientcert.pem +++ b/test/config/integration/certs/clientcert.pem 
@@ -1,26 +1,26 @@ -----BEGIN CERTIFICATE----- -MIIEbzCCA1egAwIBAgIUASeqOwqThDfvtGc0Yn5U44KFEJ0wDQYJKoZIhvcNAQEL -BQAwdjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM -DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n -aW5lZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMTkwNzAzMjEzODAxWhcNMjEw -NzAyMjEzODAxWjCBqDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWEx -FjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsM -EEx5ZnQgRW5naW5lZXJpbmcxGzAZBgNVBAMMElRlc3QgRnJvbnRlbmQgVGVhbTEl -MCMGCSqGSIb3DQEJARYWZnJvbnRlbmQtdGVhbUBseWZ0LmNvbTCCASIwDQYJKoZI -hvcNAQEBBQADggEPADCCAQoCggEBALHQs8GmhQ00aR6J2p7kkEdbJe6fSh1uHfCO -NyawHULFslYpnY03CZdoOM1JxhPXNPWl8mjkt5mTJUMkRhn8D7prI8OUEgZsqTeW -4CwbwWRhR5WoqsEOqfhK8FhzhSPEp+Jl7PT7gzpFFLl82Tl3cF3YRveGCidk+teM -xqx5G+WgDL84q6Dk6ZqhBcJDugAmQluUhO+Nai9lWoue1G/gUXhqca23mf8BFgLq -pzzYzGaHmrgFsXNvJoAs9z9OzWxLxHid55Xiv4kcaByY1sI/Bian1+6YL4BNAiem -y0Zywm/HfSngTXtgsPL5A+BlMabxquX8M+m5hixQ7F3vLhh0xN0CAwEAAaOBwTCB -vjAMBgNVHRMBAf8EAjAAMAsGA1UdDwQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcD -AgYIKwYBBQUHAwEwQgYDVR0RBDswOYYfc3BpZmZlOi8vbHlmdC5jb20vZnJvbnRl -bmQtdGVhbYIIbHlmdC5jb22CDHd3dy5seWZ0LmNvbTAdBgNVHQ4EFgQUpmwflD7d -KSfC2PigtxcZwNW1hw0wHwYDVR0jBBgwFoAUrmApCYJbqI1O3/lwko3aeJYsQOIw -DQYJKoZIhvcNAQELBQADggEBAFtcj3ffmXgXgaQhdqfgp1OyfdJSX1P/1sLWCC0H -9ikqh+CGvSKZp2feoA7CdopAf1g1wNwqKYAZxF9iAKoFXtgHjaz6AJ6HSL3o+9Bo -mFuNPLakgPCP0bQatN2BZSJlQ3CkJp6IQahWG9UCmftvS9gHpze/FzJ8r1QpN7Dk -XMWNAF+BTj/LNNjg2JntGg6056dci/ARdv/fgEb9EcyCTTwCzX0AwaAZvFoiVDRX -Br88MdOBva+fW1DkADNo+bUiC3iubaDyBWMB3Op4EGv5PoubA9NNyYTP6fK3N6DW -xOOUkU4SneB6QGZWDG488k/HskBlD1ymPMch6+yCMe3cAHM= +MIIEZDCCA0ygAwIBAgIJAILStmLgUUcXMA0GCSqGSIb3DQEBCwUAMHYxCzAJBgNV +BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNp +c2NvMQ0wCwYDVQQKDARMeWZ0MRkwFwYDVQQLDBBMeWZ0IEVuZ2luZWVyaW5nMRAw +DgYDVQQDDAdUZXN0IENBMB4XDTE4MTIxNzIwMTgwMFoXDTIwMTIxNjIwMTgwMFow +gagxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1T 
+YW4gRnJhbmNpc2NvMQ0wCwYDVQQKDARMeWZ0MRkwFwYDVQQLDBBMeWZ0IEVuZ2lu +ZWVyaW5nMRswGQYDVQQDDBJUZXN0IEZyb250ZW5kIFRlYW0xJTAjBgkqhkiG9w0B +CQEWFmZyb250ZW5kLXRlYW1AbHlmdC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQCouLlGbMfpOV5Sh/zbUNo6GHzhpB1Q/UqxzkdmgdF4tzm3w83Q +qka2/Q4R4/Xi3gmbUlszfw2Ax8ouIbPlx5m/1/ytvUVOcyvksu+ae92WP62nukL3 +RLLt4ctvSiA0i9FeFrNmuM+R/cSdMf9tl20heL2/bgCmIlNr6i+KMsZQlWm3GRna +rfh8RWwyzqVDLLTvOO+h9jxHfKanN1BwIm0RYHRgxfyehel4av6t9xsylE4dtGvk +4DO7aO98IfNtn6rHyuIY2g8Wp4Mwbs9Z+uXSCc8/NTCOm9GSvG2hJSMIdqdnETLf +5eTiRUB3FF4el3nXNhOTFr0iAydL7bIYqkprAgMBAAGjgcEwgb4wDAYDVR0TAQH/ +BAIwADALBgNVHQ8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMB +MEIGA1UdEQQ7MDmGH3NwaWZmZTovL2x5ZnQuY29tL2Zyb250ZW5kLXRlYW2CCGx5 +ZnQuY29tggx3d3cubHlmdC5jb20wHQYDVR0OBBYEFJD5l1K7mp/dUUNXvXPBWJ5l +oJOnMB8GA1UdIwQYMBaAFBQz1vaSbPuePL++7GTMqLAMtk3kMA0GCSqGSIb3DQEB +CwUAA4IBAQCJOUQB5d8ZCEeMrY0jLwefY8L0UluhPFWNlw1t2LyDjAa8qRNkWJ/2 +bky7IHBMxPQIdYBVPsQGOQ4bkg3S7Eqyc0WZYpLlKEQeUFPG752642GInzjgY3KG +f1hIHz1quIYARjF5GJ+buZpw3DgcGDnhYygFQDWqgyRnfz84M1ycEx06yHidupyp +eMHZHXcrSXPcGin7a6tBEppDFm5CcrJQ2hySDVkl9qnbgHr0+0JZg/Qekik4aWv5 +ACWk3wTxIPUv6mc8kbBMRMPkETzWt4m/qdLnUUhFKJdyACPlb6onJe1TGuYJvc2x +rNV3U8Yo8a1iskQtHqNfc+kqVd3MpgsB -----END CERTIFICATE----- diff --git a/test/config/integration/certs/clientcert_hash.h b/test/config/integration/certs/clientcert_hash.h index 72fd53405b4d9..cd77a55df7cf7 100644 --- a/test/config/integration/certs/clientcert_hash.h +++ b/test/config/integration/certs/clientcert_hash.h @@ -1,3 +1,3 @@ // NOLINT(namespace-envoy) -constexpr char TEST_CLIENT_CERT_HASH[] = "7E:B6:DA:8E:39:AF:37:B2:5B:72:49:5E:91:4D:7C:E2:CD:65:9A:" - "81:51:5D:42:0C:E7:0D:50:55:BC:A4:C9:32"; +constexpr char TEST_CLIENT_CERT_HASH[] = "90:CA:A3:E0:B0:AD:8E:E6:4F:BC:11:6C:7B:E5:9D:35:11:2B:46:" + "71:5F:4D:5C:52:85:37:23:08:38:28:B4:D6"; diff --git a/test/config/integration/certs/clientkey.pem b/test/config/integration/certs/clientkey.pem index 2170b63ccc46b..e1b46d735ec62 100644 
--- a/test/config/integration/certs/clientkey.pem
+++ b/test/config/integration/certs/clientkey.pem
@@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAsdCzwaaFDTRpHonanuSQR1sl7p9KHW4d8I43JrAdQsWyVimd -jTcJl2g4zUnGE9c09aXyaOS3mZMlQyRGGfwPumsjw5QSBmypN5bgLBvBZGFHlaiq -wQ6p+ErwWHOFI8Sn4mXs9PuDOkUUuXzZOXdwXdhG94YKJ2T614zGrHkb5aAMvzir -oOTpmqEFwkO6ACZCW5SE741qL2Vai57Ub+BReGpxrbeZ/wEWAuqnPNjMZoeauAWx -c28mgCz3P07NbEvEeJ3nleK/iRxoHJjWwj8GJqfX7pgvgE0CJ6bLRnLCb8d9KeBN -e2Cw8vkD4GUxpvGq5fwz6bmGLFDsXe8uGHTE3QIDAQABAoIBAQCCKGasRZv3Ano/ -5GCnFl+WG940QV0bFdPMlg1AwIFqsxPLhkLRb4wRzDRn8KyRMWKOvZ4nsePDArav -4wl9U8ifiHVxYB2hnkBvdH07TEXPmHWx0vjKwFUibphn5od6myTY0AsXeFOif5ag -AAdxzT/vMbUg0nj0RTJoPZ/f9/a3qaq1sgOk7M72i4kF/Uh7Rnz/oPs5ZZZZpgdJ -DbxNOIabMqOnqM1fUnRbWmi5Ly/FjInOyFDVeqwq9//SWlEFmgHUwEzXJpopFDAH -uAoQ8AIB/Aev6u6vs6i0fBOSfVGFGOrSicXd7StCGMCsMUUdpQbKcgOjkC0e9G/G -H6J4wtpxAoGBAOgYgLOXCASeeLC8xjN0QRs0BCKLFAnaFPc+Ldl8O9NgT7sSf+mv -dLk3+x0VuvLqBWgqTG5hv7weuOIk14IYd19dp/vgtWS4f7Ui73Em2vBRX13loids -DPXFXxPCRW0tDulkgZcsoVj3c262ok+OU2W41xyI+EYY2jXgSNhp2OGvAoGBAMQh -Bq9cnjlN5gjPEU+DmNyVGZnmcbxhX1Mw+2EN30IoG2cJzr9Q78r4UswSHOJG4uW2 -YEYBVkRKgX55l75A7CfkaSh7ax9Y5HUuAE6yoB2ByfOJFfjo13kj0XX+DofxqHYq -0sRa0B16ReS2vWPtUUuE1D5jvokltMAgHZycq+EzAoGATcGHvKLoqMN+o5dav3o/ -JaHzkK8Pc42AYKSQL8CTOmmVzJKSD/QcIsFCe6gADcmhLhidqo1M8vVH81tsZ8VS -mLyDvrq1ipzVDBY8KaheyQw56vc3sAVfAiexhqkbIUxrJn3pfIATPf8IyRqenhCM -mBOo3YJ1yuYglNQjE33CjzkCgYAnlW7O98drU2CJCJm6zZmNc34+RHdSCOj/VlR1 -6yHTLVsSebVDgadT9LhpPYKc3KewqxVVK7HoiI0IJKxOlrXS+1OJ+xbMtdkuGUGw -oHaWXfqPb2yC1yOd7G+6+7KdF1Xju5LcVGPKf0IZ/hPNVjlhH4birKjo7zZCzHiN -gkViZwKBgQCbnTaTiO81f/7TYlAHWWDjq8x7nd86hTzbaIh/GUZX7BUPgXtQgAEn -fEOzvBTP+G6YeXGfCdsR0JAeosumSA/n5/VQuvUEUpb573WjSDuQDsTmJFO99IDs -U1H44AAK5pFdIybitYyxt227BrNK/sXxlYeSEu3c+5vsIoWRThIbTg== +MIIEogIBAAKCAQEAqLi5RmzH6TleUof821DaOhh84aQdUP1Ksc5HZoHReLc5t8PN +0KpGtv0OEeP14t4Jm1JbM38NgMfKLiGz5ceZv9f8rb1FTnMr5LLvmnvdlj+tp7pC +90Sy7eHLb0ogNIvRXhazZrjPkf3EnTH/bZdtIXi9v24ApiJTa+ovijLGUJVptxkZ +2q34fEVsMs6lQyy07zjvofY8R3ympzdQcCJtEWB0YMX8noXpeGr+rfcbMpROHbRr 
+5OAzu2jvfCHzbZ+qx8riGNoPFqeDMG7PWfrl0gnPPzUwjpvRkrxtoSUjCHanZxEy +3+Xk4kVAdxReHpd51zYTkxa9IgMnS+2yGKpKawIDAQABAoIBAA1Ivg21cugCBFMr +MdVywDviwbJiYYyG5OKrAyQnBH8krf6yA/px7a9qrTjrYejC4q7ABT5AuqdxE5Ie +RTPKS2i3cMWdKV/L4aDYFdVr+z5hNSMHn04oso3YQVQ52d9JQurNjsJ/upgcCub1 +kM7oJUeFYis4VgS+nyLYBXY0GTku6aheM/+Z0xTEvIc3Cfzb94aCqnGwHe+TvxN0 +zCKhm4bUO4HE5UQzHXO9oxMlOlI7hDAUTSfhT0FpOtxnmisl+XFRSGSvJmNbK4jJ +8dlqIuXsSh4X9NPEnhPz1ieg4+hcUelg5SvSNLNAVQPmm1nNluwYhT41iU+seiiJ +A3uUJEECgYEA2fAS32IQox/8+OpKPipvR13tHek04AsJSGuNiio8qXlQorlXBRYE +esOEEYJyKiNWZ7NXTCAjyDiRp48aM62Fy1ykDR4IbDb8JRAdZpJBCjy5U5BKfZTY +jR3rZOA+8Bivozmtdv+0RGxhffSIGPpB1/4Dgmkw375YLAB4cVffg30CgYEAxjA1 +o8ImIW+9eKTRV2yWUHiUZ4iae5s54nCnz24YqJVLooWtU/TXFKrTiYJs20HBWiG0 ++dsJ27LXd0Y13DDQN/ZT/luvWbhMkFYGQ7Ou7XDXB6ujgl6A5MZ7mKfxIv+kX5QM +F1NTVl3TeUU+6XAYeUf1xmlDjot3sNNv5NdvGgcCgYBRzUnYLP/fqscSSyaY1Oa1 +2+x/mKQvIBVY6H3VCWuBlTaODZE7KHt/9NkilVrytBbfj7JJsZqcsZcCVLVaBly8 +60XsYoR40d6srrLKaEUfaZGKaxN6tZ7ewQc08vLMvgdW9fRFQU9Ri3jAhUN8VJrY +TtDUZ1Vf9hs0UOzkZj5QJQKBgCfS7iRe0eysGGWSsOIhVr8Ky79WKrylv2bp/j5n +QBs4DL+2ntKdA08K2IDsLVWNi/3Bgi0mv39fG37DI/V/9YcZP12ALOcZaoEiWBXo +mEDsCLlo2u1KchoGbDWLoZ/HwM7X3+ob+0YCioj2yiJ8PN66AAADjOiqy71Db1uL +kq6nAoGAN8dAwrJFQ2mQYKFQrbWt3/x+YHCAvkqIFdVWn9+3/fWZ8Rcwctl/mau/ +7dL5tU/s3wO8KkOH2PTjvtUORZR+e/FGq7hmXVV1lnl7GBENW6THN08xq9e/4Clm +koYsIpn/e+t2AVR1UENvv9sKwAsDV1yqHwRfUSFtg/qtj7103YY= -----END RSA PRIVATE KEY----- diff --git a/test/config/integration/certs/server_ecdsacert.pem b/test/config/integration/certs/server_ecdsacert.pem index 02e567c0e70c9..d63b3852359ff 100644 --- a/test/config/integration/certs/server_ecdsacert.pem +++ b/test/config/integration/certs/server_ecdsacert.pem 
@@ -1,22 +1,22 @@ -----BEGIN CERTIFICATE----- -MIIDoTCCAomgAwIBAgIUASeqOwqThDfvtGc0Yn5U44KFEJwwDQYJKoZIhvcNAQEL -BQAwdjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM -DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n -aW5lZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMTkwNzAzMjEzODAxWhcNMjEw -NzAyMjEzODAxWjCBpjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWEx -FjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsM -EEx5ZnQgRW5naW5lZXJpbmcxGjAYBgNVBAMMEVRlc3QgQmFja2VuZCBUZWFtMSQw -IgYJKoZIhvcNAQkBFhViYWNrZW5kLXRlYW1AbHlmdC5jb20wWTATBgcqhkjOPQIB -BggqhkjOPQMBBwNCAAShqRL345Y8/rGeo3vGS6+6zG/e47gOPlEGcmB7bPS/6xs3 -BJofxd82feI44RO/yRFGXswRWPIRxlUZxpR0pIzJo4HAMIG9MAwGA1UdEwEB/wQC -MAAwCwYDVR0PBAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATBB -BgNVHREEOjA4hh5zcGlmZmU6Ly9seWZ0LmNvbS9iYWNrZW5kLXRlYW2CCGx5ZnQu -Y29tggx3d3cubHlmdC5jb20wHQYDVR0OBBYEFDxk5CgquRk0F4Au2Ud7FUuA85Ed -MB8GA1UdIwQYMBaAFK5gKQmCW6iNTt/5cJKN2niWLEDiMA0GCSqGSIb3DQEBCwUA -A4IBAQACI5c0vZfxKG/uvYmsSJgWkVFn8mWXX2beCO07iRyUxWF8CQWoQzb/jbTp -rZ7VmBcBzesJmagrp+loveFIg5wNHb02gqPFRE2THQC4L9HIs3N5kUmdFwv31v12 -dMJl9xmuFVtgxZqVx15tYaacaHeYTsP6gcS5aIJ3gC0az5EETrlw3/FeBGzCUCy4 -CzzXKe+dRfl9JsIlk/lOgr24ciQNBQPJhw2GH7s3yFP09cDKZpYJ9kbSr8Nlsdvr -jsIDu/sofI7w6Dja01CKcQ7OwLA66KA+3uveGtomLJNNEaSLSo03PxGBwPboDJW7 -nAHT4YqyVUikKIto3TdMRCGN8zJI +MIIDljCCAn6gAwIBAgIJAILStmLgUUcWMA0GCSqGSIb3DQEBCwUAMHYxCzAJBgNV +BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNp +c2NvMQ0wCwYDVQQKDARMeWZ0MRkwFwYDVQQLDBBMeWZ0IEVuZ2luZWVyaW5nMRAw +DgYDVQQDDAdUZXN0IENBMB4XDTE4MTIxNzIwMTgwMFoXDTIwMTIxNjIwMTgwMFow +gaYxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1T +YW4gRnJhbmNpc2NvMQ0wCwYDVQQKDARMeWZ0MRkwFwYDVQQLDBBMeWZ0IEVuZ2lu +ZWVyaW5nMRowGAYDVQQDDBFUZXN0IEJhY2tlbmQgVGVhbTEkMCIGCSqGSIb3DQEJ +ARYVYmFja2VuZC10ZWFtQGx5ZnQuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD +QgAEgVE4DzGyifdO4yefn1bEhFfkTrUjfV3Lay9NQz6D1SosrCnk7KZtl6Nbc/U6 +KiGlN+9GpD0ulKEljgjn7TTtT6OBwDCBvTAMBgNVHRMBAf8EAjAAMAsGA1UdDwQE 
+AwIF4DAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwQQYDVR0RBDowOIYe +c3BpZmZlOi8vbHlmdC5jb20vYmFja2VuZC10ZWFtgghseWZ0LmNvbYIMd3d3Lmx5 +ZnQuY29tMB0GA1UdDgQWBBQDO72plAAjzF3GWFAC+8fyzUpl0zAfBgNVHSMEGDAW +gBQUM9b2kmz7njy/vuxkzKiwDLZN5DANBgkqhkiG9w0BAQsFAAOCAQEAppJXn2t3 +7qER7Dj4HjNq3GdASgiLsCgjus5Mbfje4rGbb73WJnsMVpOZtWwC4KyIxDHBzFmR +ntS3g4eJ3FxFkr5ls+RDzSAyIJBzh/Bwt1Yrkn3Yh3HxgsYy6Rd7z4+hHgaqnrza +ESdmWHoMGg7AJy17drIDmxAK7Os5qObWxytsrUL+lTIBJ3OS2IDiB2tT/WrRMSx9 +umYff6YsGLsOGtVgRsc640wKex7r468p1tkwj5r2PxvH9V9L3hp9QuH+W4gR6IYe +HhcCTllp+3iH0vmcXCZRP984nnwRBPP3tBuT+/zmUyDp0UPBHqF+jcHxMB/YA9An +SziyfTA1g4CzRA== -----END CERTIFICATE----- diff --git a/test/config/integration/certs/server_ecdsacert_hash.h b/test/config/integration/certs/server_ecdsacert_hash.h index c1dd376e15c9e..309feff186436 100644 --- a/test/config/integration/certs/server_ecdsacert_hash.h +++ b/test/config/integration/certs/server_ecdsacert_hash.h @@ -1,3 +1,3 @@ // NOLINT(namespace-envoy) -constexpr char TEST_SERVER_ECDSA_CERT_HASH[] = "31:B5:4B:29:D2:D6:2E:B2:8D:7A:48:34:01:E1:47:0A:63:" - "ED:04:B6:13:41:0F:40:3D:8C:14:21:60:D1:30:8F"; +constexpr char TEST_SERVER_ECDSA_CERT_HASH[] = "95:9A:D0:18:52:40:D9:88:35:B9:52:96:C1:50:86:82:76:" + "FD:24:AD:48:F9:8F:0C:13:36:BA:2D:36:F2:4C:F3"; diff --git a/test/config/integration/certs/server_ecdsakey.pem b/test/config/integration/certs/server_ecdsakey.pem index 7de30142e684d..a46830f1a653b 100644 --- a/test/config/integration/certs/server_ecdsakey.pem +++ b/test/config/integration/certs/server_ecdsakey.pem @@ -2,7 +2,7 @@ BggqhkjOPQMBBw== -----END EC PARAMETERS----- -----BEGIN EC PRIVATE KEY----- -MHcCAQEEIN3NseGURwGV/ceDjfQ7Pd992CSRQBn1XnVMF0DJmC5WoAoGCCqGSM49 -AwEHoUQDQgAEoakS9+OWPP6xnqN7xkuvusxv3uO4Dj5RBnJge2z0v+sbNwSaH8Xf -Nn3iOOETv8kRRl7MEVjyEcZVGcaUdKSMyQ== +MHcCAQEEICqemTBghfUmDlTHDq5GCz5CV51QLvQEkUGOxhtOR6hboAoGCCqGSM49 +AwEHoUQDQgAEgVE4DzGyifdO4yefn1bEhFfkTrUjfV3Lay9NQz6D1SosrCnk7KZt +l6Nbc/U6KiGlN+9GpD0ulKEljgjn7TTtTw== -----END EC PRIVATE KEY----- 
diff --git a/test/config/integration/certs/servercert.pem b/test/config/integration/certs/servercert.pem
index 9b7360d7c8cde..f65b3b34ae7c1 100644
--- a/test/config/integration/certs/servercert.pem
+++ b/test/config/integration/certs/servercert.pem
@@ -1,26 +1,26 @@ -----BEGIN CERTIFICATE----- -MIIEbDCCA1SgAwIBAgIUASeqOwqThDfvtGc0Yn5U44KFEJswDQYJKoZIhvcNAQEL -BQAwdjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM -DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n -aW5lZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMTkwNzAzMjEzODAxWhcNMjEw -NzAyMjEzODAxWjCBpjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWEx -FjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsM -EEx5ZnQgRW5naW5lZXJpbmcxGjAYBgNVBAMMEVRlc3QgQmFja2VuZCBUZWFtMSQw -IgYJKoZIhvcNAQkBFhViYWNrZW5kLXRlYW1AbHlmdC5jb20wggEiMA0GCSqGSIb3 -DQEBAQUAA4IBDwAwggEKAoIBAQCbw7FJYXO/LDJBZu48DRc6cy9hLOTQbW5t9ld/ -4lTpdwtV9j6WhM/MLcv3FasbI5M8S2jx+fGK+IpuCAJHlh02LeG/CAACsEozT2mT -U1gJuIwCpGWg49IejYFAiLmKadVH9wuorGzttzkn0th84Ooyh2+YkvlByGaH3/lx -lb2AWwJ4hfDC35zUU7xZQ6AUfu3Zr7SUonANbB6df0m7VWCQcsLW3iIyyZwZsqtl -Q+NhPv8SQ6Up/z7/kNh25fK/E48EoKbTe9rROV07c3q/lRSqNhC6V1neMsjHXmyh -6IioKcPS9mDbpWSwirVicIiWLnBdle88x3c/2DvPuE9pO4T/AgMBAAGjgcAwgb0w -DAYDVR0TAQH/BAIwADALBgNVHQ8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIG -CCsGAQUFBwMBMEEGA1UdEQQ6MDiGHnNwaWZmZTovL2x5ZnQuY29tL2JhY2tlbmQt -dGVhbYIIbHlmdC5jb22CDHd3dy5seWZ0LmNvbTAdBgNVHQ4EFgQULwvESNbaZ9m0 -enJLpLp+uj7zTXowHwYDVR0jBBgwFoAUrmApCYJbqI1O3/lwko3aeJYsQOIwDQYJ -KoZIhvcNAQELBQADggEBAFxDgBL3MDfMeCWMLSLqajvtHqUEnqZabm6TAEPWugJc -UP2d8pe/uiJQeqKxTUHNTv1XRC5RnUyG+znhm5YYG8yywuhS7ktw4k/eAwD8Ijc5 -nXdvXKByUQhjpx2KIPdQRDAIv/IDvBjrUeQu95Gmo2sT6WOG+5ccGDJmbm3k0fXQ -+5okV+PD4NQJkzp1QeNpTABIZSxUWphG/mxTuk1lJurXMkmq8ND4yXuhk2hmL3CQ -sxaBhnlGTRvg8RcOdDsK5/dJ172FtjELZowtMlvAhBI7S9DBv0GxlFjyQTUf1bD1 -7wgmSus4Q1NZzxvo0YWPacCXmPTGRr0uDNgDVGqZGOA= +MIIEYTCCA0mgAwIBAgIJAILStmLgUUcVMA0GCSqGSIb3DQEBCwUAMHYxCzAJBgNV +BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNp +c2NvMQ0wCwYDVQQKDARMeWZ0MRkwFwYDVQQLDBBMeWZ0IEVuZ2luZWVyaW5nMRAw +DgYDVQQDDAdUZXN0IENBMB4XDTE4MTIxNzIwMTgwMFoXDTIwMTIxNjIwMTgwMFow +gaYxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1T 
+YW4gRnJhbmNpc2NvMQ0wCwYDVQQKDARMeWZ0MRkwFwYDVQQLDBBMeWZ0IEVuZ2lu +ZWVyaW5nMRowGAYDVQQDDBFUZXN0IEJhY2tlbmQgVGVhbTEkMCIGCSqGSIb3DQEJ +ARYVYmFja2VuZC10ZWFtQGx5ZnQuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAuvPdQdmwZongPAgQho/Vipd3PZWrQ6BKxIb4l/RvqtVP321IUTLs +4vVwpXoYJ+12L+XOO3jCInszs53tHjFpTI1GE8/sasmgR6LRr2krwSoVRHPqUoc9 +tzkDG1SzKP2TRTi1MTI3FO+TnLFahntO9Zstxhv1Epz5GZ/xQLE0/LLoRYzcynL/ +iflk18iL1KM8i0Hy4cKjclOaUdnh2nh753iJfxCSb5wJfx4FH1qverYHHT6FopYR +V40Cg0yYXcYo8yNwrg+EBY8QAT2JOMDokXNKbZpmVKiBlh0QYMX6BBiW249v3sYl +3Ve+fZvCkle3W0xP0xJw8PdX0NRbvGOrBQIDAQABo4HAMIG9MAwGA1UdEwEB/wQC +MAAwCwYDVR0PBAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATBB +BgNVHREEOjA4hh5zcGlmZmU6Ly9seWZ0LmNvbS9iYWNrZW5kLXRlYW2CCGx5ZnQu +Y29tggx3d3cubHlmdC5jb20wHQYDVR0OBBYEFLHmMm0DV9jCHJSWVRwyPYpBw62r +MB8GA1UdIwQYMBaAFBQz1vaSbPuePL++7GTMqLAMtk3kMA0GCSqGSIb3DQEBCwUA +A4IBAQAwx3/M2o00W8GlQ3OT4y/hQGb5K2aytxx8QeSmJaaZTJbvaHhe0x3/fLgq +uWrW3WEWFtwasilySjOrFOtB9UNmJmNOHSJD3Bslbv5htRaWnoFPCXdwZtVMdoTq +IHIQqLoos/xj3kVD5sJSYySrveMeKaeUILTkb5ZubSivye1X2yiJLR7AtuwuiMio +CdIOqhn6xJqYhT7z0IhdKpLNPk4w1tBZSKOXqzrXS4uoJgTC67hWslWWZ2VC6IvZ +FmKuuGZamCCj6F1QF2IjMVM8evl84hEnN0ajdkA/QWnil9kcWvBm15Ho+oTvvJ7s +M8MD3RDSq/90FSiME4vbyNEyTmj0 -----END CERTIFICATE----- diff --git a/test/config/integration/certs/servercert_hash.h b/test/config/integration/certs/servercert_hash.h index 6a1d263ac3501..6e83ce9705274 100644 --- a/test/config/integration/certs/servercert_hash.h +++ b/test/config/integration/certs/servercert_hash.h @@ -1,3 +1,3 @@ // NOLINT(namespace-envoy) -constexpr char TEST_SERVER_CERT_HASH[] = "95:92:2C:50:C8:A9:8C:DE:2F:EC:3F:26:EC:E5:E1:B1:6A:5C:9F:" - "90:6B:7F:C9:97:DD:4C:BF:67:F2:11:F7:BA"; +constexpr char TEST_SERVER_CERT_HASH[] = "D3:F5:97:8F:8F:7E:CA:63:C3:FF:61:89:95:D7:47:31:E3:BA:9B:" + "3C:44:10:A1:57:61:B7:9F:4D:65:90:F8:7F"; diff --git a/test/config/integration/certs/serverkey.pem b/test/config/integration/certs/serverkey.pem index 377e3b0f5e17c..6870eed5bfc6b 100644 
--- a/test/config/integration/certs/serverkey.pem
+++ b/test/config/integration/certs/serverkey.pem
@@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEAm8OxSWFzvywyQWbuPA0XOnMvYSzk0G1ubfZXf+JU6XcLVfY+ -loTPzC3L9xWrGyOTPEto8fnxiviKbggCR5YdNi3hvwgAArBKM09pk1NYCbiMAqRl -oOPSHo2BQIi5imnVR/cLqKxs7bc5J9LYfODqModvmJL5Qchmh9/5cZW9gFsCeIXw -wt+c1FO8WUOgFH7t2a+0lKJwDWwenX9Ju1VgkHLC1t4iMsmcGbKrZUPjYT7/EkOl -Kf8+/5DYduXyvxOPBKCm03va0TldO3N6v5UUqjYQuldZ3jLIx15soeiIqCnD0vZg -26VksIq1YnCIli5wXZXvPMd3P9g7z7hPaTuE/wIDAQABAoIBAH3ZMGYPXIs61CfP -V/Agy4GoCsHCmeRkZfJmM+/ZF63BRuFfINZP2+wlnEO3uBUnOxBeBR5sSOF1SbL4 -uY7JFDTwARJtDkUd1fV61dv4XIsOFeEUnh/NsbiJr8JKNU5Fj9KjIUJYfXHatU0d -p1fOCKpmjp2BMe4aUey54zoIN6F5o9Zp5YL4w5x2qjuud1ise6BGorIVfEyZA4ky -JjPGVFrgsJZZP/gga2zKkCpGqZRsjaDxXZ1MWHcM2ay7eu0JsYh7uyBXx8ruKRlp -iL3NpHp/Ae7ClL2MHJmphI+wTQb13MI/yVi6HNq/aPV21mOpFZCqG0yjQ4TSXA10 -Vv7854ECgYEAzAzBtlf3jp2mG/wqahJNxEdZhf3HsvbqIJWSjuKL+G7y+VSy+lhU -w7eykzvWV/8HXCb/tNubE8NZClt0Z/j2lyeFPnZIRbixPnOb2Kvv98KcSHbaAV6T -UlAZ41LhvdcoND0pOI/jqNWXVf2rMNxxaMDIiWXiLHdnibtxcIAJfV8CgYEAw2vd -T60386e7kQQ5BMaPocd4IvaK/g6QEglAP40otW7DWbvUHnUlrueLvxAg5SF1xbjT -EF34Ex9WqC95H+dw4JuSHMIFXwe8bCOBkGxmQoI6aPFdNOoFnsxoNzpoMI2EszKI -HAXZUdqj1S7pqXqPeIZDqmb6aNhT6jsbjxK3fGECgYEAg0i54c4bU0EPPPYze+em -7WBSsykjMXw4CxrxHsmX8RHBdrYOKZBniT1Jwf0/3YIShDH7V6vrzP1k7osFDFhc -n8gnrJaBzYoVT+8mGHQXgztNPjpp7XOiKdWrsl0DLRefoGyxdtjtSxWRtxvs5xUO -Sq2u2Ogaay2wCif1xsI6WNUCgYA6x/o02jSnTL/FmhCQmC1iCz7evWwHiVfapP+3 -Xf1tvZhzKGVgl/oyxyEo4nASm+LyC2spVCqnjdiiFE2JxDMWzJTBo7a74/bQTEnP -qFuGC+gH4voXTYFNR8zdN+tZF2hgAoYgb73zuiFnoYnVWbFIHpLB8eHGobN0FD1w -5r9cYQKBgHccNQw49BZPyZvWUTH04axMBP7IUrZ7H8zwo0Ie/zCyPtPges65781t -wE7T0i2OJhU2HM9Mvo/CwowLinJRzTdg1j03/NF603KtCujbcWPWVCUvB1i4I9o5 -oisQsUXJTnwDrbEz6zrCAeqL3hquaaEzSjTyj+ZHpP4STo88AysS +MIIEpAIBAAKCAQEAuvPdQdmwZongPAgQho/Vipd3PZWrQ6BKxIb4l/RvqtVP321I +UTLs4vVwpXoYJ+12L+XOO3jCInszs53tHjFpTI1GE8/sasmgR6LRr2krwSoVRHPq +Uoc9tzkDG1SzKP2TRTi1MTI3FO+TnLFahntO9Zstxhv1Epz5GZ/xQLE0/LLoRYzc +ynL/iflk18iL1KM8i0Hy4cKjclOaUdnh2nh753iJfxCSb5wJfx4FH1qverYHHT6F 
+opYRV40Cg0yYXcYo8yNwrg+EBY8QAT2JOMDokXNKbZpmVKiBlh0QYMX6BBiW249v +3sYl3Ve+fZvCkle3W0xP0xJw8PdX0NRbvGOrBQIDAQABAoIBAQCkPLR1sy47BokN +c/BApn9sn5/LZH7ujBTjDce6hqzLIVZn6/OKEfj1cbWiSd6KxRv8/B/vMykpbZ5/ +/w9eZP4imEGmChWhwruh8zHOrdAYhEXmuwZxtgnLurQ2AHTcX9hPCYB0Va76H3ZI +Q65JUm6NaeQOlGT6ExjrIA2rTYJFM84I1xH3XbDulS9S2FXNP9RIjV70HzvZw2LR +1qSNfrnGAEbUCdrZT4BAYTGam5L061ofencYLAorr8K0eVWhUjGV9Jjpq8aG8zy5 +Oy1070I0d7Iexfu7T1sQDIqpNkOtQxI8feQEKeKlRKYx6YEQ9vaVwBGa0SBVxQem +E3YdXBnBAoGBAORlz8wlYqCx25htO/eLgr9hN+eKNhNTo4l905aZrG8SPinaHl15 +n+dQdzlJMVm/rh5+VE0NR0U/vzd3SrdnzczksuGFn0Us/Yg+zOl1+8+GFAtqw3js +udFLKksChz4Rk/fZo2djtSiFS5aGBtw0Z9T7eorubkTSSfJ7IT99HIu5AoGBANGL +0ff5U2LV/Y/opKP7xOlxSCVI617N5i0sYMJ9EUaWzvquidzM46T4fwlAeIvAtks7 +ACO1cRPuWredZ/gEZ3RguZMxs6llwxwVCaQk/2vbOfATWmyqpGC9UBS/TpYVXbL5 +WUMsdBs4DdAFz8aCrrFBcDeCg4V4w+gHYkFV+LetAoGAB3Ny1fwaPZfPzCc0H51D +hK7NPhZ6MSM3YJLkRjN5Np5nvMHK383J86fiW9IRdBYWvhPs+B6Ixq+Ps2WG4HjY +c+i6FTVgvsb69mjmEm+w6VI8cSroeZdvcG59ULkiZFn6c8l71TGhhVLj5mM08hYb +lQ0nMEUa/8/Ebc6qhQG13rECgYEAm8AZaP9hA22a8oQxG9HfIsSYo1331JemJp19 +rhHX7WfaoGlq/zsrWUt64R2SfA3ZcUGBcQlD61SXCTNuO+LKIq5iQQ4IRDjnNNBO +QjtdvoVMIy2/YFXVqDIOe91WRCfNZWIA/vTjt/eKDLzFGv+3aPkCt7/CkkqZErWq +SnXkUGECgYAvkemYu01V1WcJotvLKkVG68jwjMq7jURpbn8oQVlFR8zEh+2UipLB +OmrNZjmdrhQe+4rzs9XCLE/EZsn7SsygwMyVhgCYzWc/SswADq7Wdbigpmrs+grW +fg7yxbPGinTyraMd0x3Ty924LLscoJMWUBl7qGeQ2iUdnELmZgLN2Q== -----END RSA PRIVATE KEY----- diff --git a/test/config/integration/certs/upstreamcacert.pem b/test/config/integration/certs/upstreamcacert.pem index 18eeed4cd9412..c3d5692354bd7 100644 --- a/test/config/integration/certs/upstreamcacert.pem +++ b/test/config/integration/certs/upstreamcacert.pem 
@@ -1,24 +1,24 @@ -----BEGIN CERTIFICATE----- -MIID7zCCAtegAwIBAgIUNL4q4Z2BbDpkpaWRDH7PaAB29ucwDQYJKoZIhvcNAQEL +MIID7zCCAtegAwIBAgIUQygBeIE4nv9JGaDKixnhwkK5viEwDQYJKoZIhvcNAQEL BQAwfzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n -aW5lZXJpbmcxGTAXBgNVBAMMEFRlc3QgVXBzdHJlYW0gQ0EwHhcNMTkwNzAzMjEz -ODAyWhcNMjEwNzAyMjEzODAyWjB/MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2Fs +aW5lZXJpbmcxGTAXBgNVBAMMEFRlc3QgVXBzdHJlYW0gQ0EwHhcNMTkwNzA4MjE0 +NTU2WhcNMjEwNzA3MjE0NTU2WjB/MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2Fs aWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwETHlmdDEZ MBcGA1UECwwQTHlmdCBFbmdpbmVlcmluZzEZMBcGA1UEAwwQVGVzdCBVcHN0cmVh -bSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANjznOVsev3n7bLR -BYy5zKbz11p+iydr1gXi9qzMyf1ha3Cv5ZgFeKBGFqO8tDklCX5Ch3dqrUVQlXbt -xUot33DSHhrTEh4Kz2/yXzooFzQIswIEiOCvLF4eA3u5sIBwU1XD+duCma4lshA4 -Jr8sJv2hAH+IXZRXBIEUt0eKSOhatRQ2k45P3vv2uAGujkmawmtKQGwQOvM3N8fC -THD0jWoGRIqDiSjS587pgSQv1XXer+4sdS38uRgkverb0sRPhn9xc16SHaCY1bF6 -A6roSzJ/ECmh4DutcDHpiljwd+MO9URMEc8kVQwfXEEJM6nDfhQuArqw1iMHRtRu -VF7rNBkCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw -HQYDVR0OBBYEFGLu2vI0QWiUqb6IGu6plP+Y7UG8MB8GA1UdIwQYMBaAFGLu2vI0 -QWiUqb6IGu6plP+Y7UG8MA0GCSqGSIb3DQEBCwUAA4IBAQC9MQ1DHxSM2ER2j3v6 -QWdeXaAGi98WbdR5m6K4csm75mG/pxcMprJxoZK6upfnWOX0oT3XwBSjd/tWpnYl -z1krNReYBeHA9kqs4poywawxhcJmj0W/O2u1qf5+Y2aH9SBXiDFLVr3T6udJDR1A -CYB01qXuWmCDGe0P4kInvGuxSPza6f6A0VcRjOcyvBF7vGmMKiitOS+Z8HE/hchL -Jt4OBWkfS0/592KQvC4zd7ZNqU+ifgIcftZWh/pO6+sm460IGWiysebt6+fRfwJ6 -gn5mzpytlnnPh32DUmaV4fR6uwrRGgO7d7e/7QPw6DZuH/KmrmJ1kimE+XE/Dm23 -saDl +bSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMJ7AetbhOCUxB/A +yYt+4rxyMVUFX9izqbOU9nuUxsB/avGhYpVjj5cNaLPdGX+c7g65Vz0yGDSskDGD +ukcSFqRSZ2E4/S4gKSIMEslBr2OX+Dqh0XmoAwl4IrtZefCE3inivJdzm0JwI7Yr +k2qQqsTpJnsWkMSxXUQJYTJ56UFXTkKqF3jSReIQtFMV65T/2x2NLRJ8KuMS7Mbo +BTBATRsUfbJJWCnzcp2LrKV5sZ/HsJLK/F74jdcvfJQMW49Lq1TZaB5NYSVyFEf6 
+tiT43JOcvVkRPBgHDtaiDhWF2WTmPSEB6cHaRwGgBFwjQ1SvZR6f6xexocn44GZE +oSqWJN8CAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +HQYDVR0OBBYEFOLTMLryzNAcuxe3cKEhClkL7IduMB8GA1UdIwQYMBaAFOLTMLry +zNAcuxe3cKEhClkL7IduMA0GCSqGSIb3DQEBCwUAA4IBAQBT88sT8RsoAk6PnnVs +KWBoC75BnIZr8o1nxBK0zog6Ez4J32aVzEXPicgBg6hf6v77eqbbQ+O7Ayf+YQWj +l9w9IiXRW1x94tKBrX44O85qTr/xtkfpmQWGKq5fBpdJnZp7lSfGfaG9gasPUNpG +gfvF/vlYrrJoyvUOG6HQjZ7n7m6f8GEUymCtC68oJcLVL0xkvx/jcvGeJfI5U6yr +z9nc1W7FcOhrFEetOIH2BwlIN5To3vPbN4zEzt9VPUHZ3m2899hUiMZJaanEexp7 +TZJJ12rHSIJ4MKwQQ5fEmioeluM0uY7EIR72VEsudA8bkXSkbDGs6Q49K9OX+nRB +4P3c -----END CERTIFICATE----- diff --git a/test/config/integration/certs/upstreamcakey.pem b/test/config/integration/certs/upstreamcakey.pem index be84b05c9b79a..2fe99b9c2c105 100644 --- a/test/config/integration/certs/upstreamcakey.pem +++ b/test/config/integration/certs/upstreamcakey.pem 
@@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEA2POc5Wx6/eftstEFjLnMpvPXWn6LJ2vWBeL2rMzJ/WFrcK/l -mAV4oEYWo7y0OSUJfkKHd2qtRVCVdu3FSi3fcNIeGtMSHgrPb/JfOigXNAizAgSI -4K8sXh4De7mwgHBTVcP524KZriWyEDgmvywm/aEAf4hdlFcEgRS3R4pI6Fq1FDaT -jk/e+/a4Aa6OSZrCa0pAbBA68zc3x8JMcPSNagZEioOJKNLnzumBJC/Vdd6v7ix1 -Lfy5GCS96tvSxE+Gf3FzXpIdoJjVsXoDquhLMn8QKaHgO61wMemKWPB34w71REwR -zyRVDB9cQQkzqcN+FC4CurDWIwdG1G5UXus0GQIDAQABAoIBAGeoVjGkGEvSkdbb -Wex4JdkrLp0VU0V9l5/uZm//1Q7UijIoSOnOy2jAtDZ9hhq7oIKMJQ+gj7NLom5V -gutDabwNGMc2TDTAc4aIZolx+EwrT+RJ6GB6Mhex/XYTLcrgYGDdJzeDegwkBKUN -Py4eWW7bi1JkBFpJDWTjUgLDhrxFIXveHkVuLEkJh1dWes3p/ilYSrcbXslXj5Jp -PpoQYFpWmMy4i21OeElHeWbjvfX5FYJzT4IJ/Xa5p8rghatdXt1MfHumPPQfoC2z -SQgclMKukpOiSnffFP8FT5YKrxI9vGItNKudwDKxRpWbRsdKXrKbQqI/dzn2WXbc -N2Q2GKUCgYEA8AfL08abmYPQDGtlN+oiH3iGlZpwkUYp7NUdrMZnr8uZ9sZblw6H -h91pF1J7DAvtLXtDn9Qdph4XsRwPfbReIpxhH/mArEZCmDCRyd176+rKI4GDEoKt -VsMUZquzZyUTCtQbWDugSFA9YoGPgNit30SaVQcAtlQVK9tod8I8AEMCgYEA52K8 -w8ovl9xJTHUznSdCDl8xSLvgSHBQK1ElN2B0qapu7U8SViwZ/3uDtfA9lsTSdHsP -3Rk9Zi5sIIfuIjHz6AfTgoaKfiUFA5Xj0C3+5y35xLOGuMaRN0O6jkhXnlnTzTQL -4QyRONZTnwZyvOzbAIIr4VN+eG+IYEZfxBDOMnMCgYAb8AxdXeSGfb0ddPKXC31l -RFYF26/2eMAwfK2zinRPFdeZzYSjlGFaAv9UY5lG0ayNeqdoVvwMdbw0NRvoebHr -PWBgpF3Br3vY0u5lHI5r6ywT7eMfqG4chyA8wwdingIVZJK6NlZ1lEFQ0duuF4pF -TmrYMrR2hFrie+sw5T6umQKBgFXrxEyv95xcoJtTqibhPRY5IwPvQAmmKx7qsvct -SiT2tNpKUnTNS5ojM3WMEFK8I6o9SFbB2JrpAh3SXAs2oWu3/EKr0yGkfYgnUMEt -U0plOCpiv9Q9aA8th0judBrJIG1CtmaLVCHW9JZIvrKJAYnezIyPhJcUU3/sogMc -enUhAoGBAIioRk5kmcEBJ7bsj4d75O/zwnBQrZPJk1jhgwHpwt01ZztErOBsW3mi -Cyn8cNUZ2ZB5aAt+Mz6YdRLDlT2/zLNybz58NxK/1g7mM3vV7Llxfl2SbZimGKI+ -fU6mjK0mUhzKyouutmgS0+evRLDKbB7zIuhxb+eyRuBAZugt6Tqj +MIIEowIBAAKCAQEAwnsB61uE4JTEH8DJi37ivHIxVQVf2LOps5T2e5TGwH9q8aFi +lWOPlw1os90Zf5zuDrlXPTIYNKyQMYO6RxIWpFJnYTj9LiApIgwSyUGvY5f4OqHR +eagDCXgiu1l58ITeKeK8l3ObQnAjtiuTapCqxOkmexaQxLFdRAlhMnnpQVdOQqoX +eNJF4hC0UxXrlP/bHY0tEnwq4xLsxugFMEBNGxR9sklYKfNynYuspXmxn8ewksr8 
+XviN1y98lAxbj0urVNloHk1hJXIUR/q2JPjck5y9WRE8GAcO1qIOFYXZZOY9IQHp +wdpHAaAEXCNDVK9lHp/rF7GhyfjgZkShKpYk3wIDAQABAoIBAD+CoBvWJUyaCHo+ +IRNW+oCD4ixbtvMzqOWmbd/ptAZFFg2WoHUcsFWp4VlriNoty2gvipfHdjQtbmFd +HUX8WDyNVIlhbPzVL9mYi8IBm18wz7WGBrxt65/6BY2dKL8tBMg07VWgQUGvEVp6 +XIfeeoYXhaOIuPoi2cxQK9eqDExzvb5AA1AS+FbYcKF1ma2Kb/mO52OQAsPmPnul +yyosInO2PFdNqlvYd5qOfJdPF1747nn4taigH1CKdDZ86GNufShWvcdiR/uYL/Ln +vu4Um7Ha05AFl9p+7TPqyuE1+nH1nKOqP8++C5TkDqLhPyzDUxENU50eCpQHhNiK +Jrvt1VECgYEA+k5E+pyg+Ji4XQnwNMbP2P8jgnFDSL7HfHuE3NfdomvoDit78LFw +/FzosBpv79lSXh8wplBIs5UwrAqaWoV0GQWoySM27hRDM5/c0xhqWS2c6gMGeUup +Tn2YvuXTmi1OsIPayTzQ92GeT3Xg+ojLZdqtLmkEJzAtUndww1HlLIUCgYEAxuef +fXXMfEYCrdEA1cvFGilVxnJXHjzHnky5RUrglwV6wkgfwE18dr4cmOgBte69shvc +8TS6I+KFffelKjSzm7OAEWEL+pGHKK0ALTBBXUJ3qa0PYSrgbCD1/nI3Q08JLSVV ++Xo5kmIGyLJMsLGkH/CSZCNUj450WDmfdcGrqxMCgYACDwC8OuuL/92MTleeZ4Aw +HbESEpJmF8OWP4HROylEe7S14R+s1BjEypLTV/RRuazWv1TsGT7v0ytKTvAEDJLu +3cAMn3CFNr9yvj7XsZy2TQy8U/gKqVekIJ5P+53o57R8+SikfQ6O6kueBa8rAFMD +7G9+MTjqhZfp1Lels5e57QKBgD4+q9WaMKTPT/VPC6DcRNE8EECq9YJb6OgsAGqj +1QbNyy3TXkRSu1l5gv+C00446Ro8x/af1oR2VeomvoQnu/FEyhYmNZZzRkW/Zee+ +SyZBL6tkogR5Y4PTCMhYu9yPdkKvhWkuC6g4jwDtczx0SvVH1rgJqmPGY7hcR/+U +3QELAoGBANxKIoJhDSecjGmjdHBGGmtXHsBZID033Qq6LEPStcHb7aMNdSYCIjZA +FpfqNYPywrqPOjlUVzM2Erz3gmdd5o3OxgbTkSjJPhndSvw9fCU29Oy0PP7qTXgE +Ksfuj92ATYeT+wwWZJ5kfhMjmvhPKhOAdi9au27y5tiO5upDeReh -----END RSA PRIVATE KEY----- diff --git a/test/config/integration/certs/upstreamcert.cfg b/test/config/integration/certs/upstreamcert.cfg index d17912b9983b6..4c6c2985ac486 100644 --- a/test/config/integration/certs/upstreamcert.cfg +++ b/test/config/integration/certs/upstreamcert.cfg @@ -34,6 +34,5 @@ authorityKeyIdentifier = keyid:always [alt_names] DNS.1 = *.lyft.com -DNS.2 = localhost IP.1 = 0.0.0.0 IP.2 = :: diff --git a/test/config/integration/certs/upstreamcert.pem b/test/config/integration/certs/upstreamcert.pem index 815857068546d..509397d6caa86 100644 --- a/test/config/integration/certs/upstreamcert.pem 
+++ b/test/config/integration/certs/upstreamcert.pem 
@@ -1,25 +1,25 @@ -----BEGIN CERTIFICATE----- -MIIESTCCAzGgAwIBAgIUbfIyI1ZnSEpWt2x3H7AN8CpKjTEwDQYJKoZIhvcNAQEL +MIIEPjCCAyagAwIBAgIUS0ht/ypqxlVqt86GiCya6cw/jJwwDQYJKoZIhvcNAQEL BQAwfzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n -aW5lZXJpbmcxGTAXBgNVBAMMEFRlc3QgVXBzdHJlYW0gQ0EwHhcNMTkwNzAzMjEz -ODAyWhcNMjEwNzAyMjEzODAyWjCBgzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNh +aW5lZXJpbmcxGTAXBgNVBAMMEFRlc3QgVXBzdHJlYW0gQ0EwHhcNMTkwNzA4MjE0 +NTU3WhcNMjEwNzA3MjE0NTU3WjCBgzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNh bGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQx GTAXBgNVBAsMEEx5ZnQgRW5naW5lZXJpbmcxHTAbBgNVBAMMFFRlc3QgVXBzdHJl -YW0gU2VydmVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyBGGEYqt -JR9Acp8GJr7JeegiQYl2v2PVj5pSzUOgfDD+4INCWgFBy1QF2szEe/Wz9xgGQaB5 -79WtlPR8KLpr0CC564qmSrRe/CkfjZQvEM1u6vfYIx41yuuonHX46lFUhYTK6xDb -HLgjGFzNCaQhQ9flknLnJXWFBajcnYV26rM92Afj1ZVYQP+R61Mn8v76Ud8gVRcD -yzIA+nWr0gub6+jFFX7+6TuNCe7mcKN5YZoTEVyzQ8BtQUS+FD66yg1U1ireec8o -7R0+8DkSXPfF/q4Yl8D+sdzefzJlnMRuAjbZgI9lty6owFzzIUkFpq0i9oR6l5wM -eVZzoL1wp/bNHQIDAQABo4G3MIG0MAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQDAgXg -MB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATA4BgNVHREEMTAvggoqLmx5 -ZnQuY29tgglsb2NhbGhvc3SHBAAAAACHEAAAAAAAAAAAAAAAAAAAAAAwHQYDVR0O -BBYEFDeTuAXIZCGmQYPXEKF+M50CQeX5MB8GA1UdIwQYMBaAFGLu2vI0QWiUqb6I -Gu6plP+Y7UG8MA0GCSqGSIb3DQEBCwUAA4IBAQB+eTBM+sPq3D0mz9ZAPGYA2n4l -mJMZUS9Bch3LteUUTZc8mBZWzV7mHGEWDdapF+3ykerOM/UVSvremLuicef2f09V -3ERLNPKyh1aRUv9mjK/yz6wPb3fP3JEINgNS5vK8EF2ccrclmYGfeQGjWLMEL/1h -Qb2hx5wuDqdqtI6CZ3mKiCzticJ7GGjVy8i1gx6FVFEvliRdnsCkx1NlMV7NiNz8 -eLyv1P9ezbDNPY46tEk6jDzq0lDvniCaJ7Y6ov39TLOugLCBfKv3iF6F0el6i8/y -q2ai+Sse42haHTv4o4sBdokPxms8vT9ubQWXe4OvB/xLIHROD1HjRkgP5I4q +YW0gU2VydmVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+evHY2ld +y4iKlGEHtenqIK26QeFpU9t2iqiRjUz0+lZ+92haR+I+x1nL41SO71i2SaHp8L2Q +5cWkOS0zuYivsZSz/l9dHinAS+N50QsERo01moWOMyxfqSEbnZHMQS4OI/mf1dja 
+Rykp7zhCXie2BlUtmiBMW+YnvLmBm1z6icwg7ZBJ8mt2ChpeH6qBggzwQQms9wvK +/mcHR5HYHalLQdjhou3wwa6MB9bbeEoDd8I0tueRgnrq55mVJrm3yg1TSgUwkWCB +J3VUrvdk3olgGwHv4njAB+uNfUn3od7MuipyHL8GJQJHOcus63M/Ax/UVxu0BiDy +LfWW4MVO/5OX5QIDAQABo4GsMIGpMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQDAgXg +MB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAtBgNVHREEJjAkggoqLmx5 +ZnQuY29thwQAAAAAhxAAAAAAAAAAAAAAAAAAAAAAMB0GA1UdDgQWBBR3BvXiz3zi +p+/5cojIhCEz3nn39jAfBgNVHSMEGDAWgBTi0zC68szQHLsXt3ChIQpZC+yHbjAN +BgkqhkiG9w0BAQsFAAOCAQEAEB9RWuGIcRhZMM2AqXyOr4FOG63yfVg4fi3/WIcu +p7iVPhtdByefx4FQxg7913rdJyeQrI+hab0uPl/CjylwMVwWtBqRx4oKo8im59/4 +N7MRYZKJ44/fBSIGoM0pibSpDzfd7y6Drusp1mqi3CXGPXsVFIDQ66d7yoFt+t7h +nB2A565e/C1eXaS80XTHeJzfS5dJ6ssjgyszTGM5PdN9C335pDGfQV0CqGNAMZqo +tbBI1B0NgQ2KJJ787Wi3pexxi3haliMNrSKEAkLVDZ6R0a1PgpN/hBth3Nf2Oj+O ++pBNtkiA0fnkoKS6ps9Vgj+NB08OLeYNpfGFHa9xxFdPoA== -----END CERTIFICATE----- diff --git a/test/config/integration/certs/upstreamcert_hash.h b/test/config/integration/certs/upstreamcert_hash.h index 453fbac908fcd..8513c994d7579 100644 --- a/test/config/integration/certs/upstreamcert_hash.h +++ b/test/config/integration/certs/upstreamcert_hash.h @@ -1,3 +1,2 @@ // NOLINT(namespace-envoy) -constexpr char TEST_UPSTREAM_CERT_HASH[] = "FD:22:22:EF:3A:1D:2F:84:2D:86:26:78:E2:72:60:73:95:6C:" - "A0:A3:C4:C8:E6:54:AD:E3:2B:C1:10:12:E8:6E"; +constexpr char TEST_UPSTREAM_CERT_HASH[] = "57:0E:EF:74:60:9C:8E:3D:AA:EA:3F:3E:02:69:89:40:E6:00:AD:CA:86:69:73:BA:9E:0B:01:A2:E2:F3:75:7F"; diff --git a/test/config/integration/certs/upstreamkey.pem b/test/config/integration/certs/upstreamkey.pem index 9714fefdaa96c..58945f2125add 100644 --- a/test/config/integration/certs/upstreamkey.pem +++ b/test/config/integration/certs/upstreamkey.pem 
@@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAyBGGEYqtJR9Acp8GJr7JeegiQYl2v2PVj5pSzUOgfDD+4INC -WgFBy1QF2szEe/Wz9xgGQaB579WtlPR8KLpr0CC564qmSrRe/CkfjZQvEM1u6vfY -Ix41yuuonHX46lFUhYTK6xDbHLgjGFzNCaQhQ9flknLnJXWFBajcnYV26rM92Afj -1ZVYQP+R61Mn8v76Ud8gVRcDyzIA+nWr0gub6+jFFX7+6TuNCe7mcKN5YZoTEVyz -Q8BtQUS+FD66yg1U1ireec8o7R0+8DkSXPfF/q4Yl8D+sdzefzJlnMRuAjbZgI9l -ty6owFzzIUkFpq0i9oR6l5wMeVZzoL1wp/bNHQIDAQABAoIBAQCioewT8mDRXlgr -VK3RbSGmYVcHY1EOP39o3pAUn7ajfciShOC4/XCYclLYC8Bk69RBNlxPmL3GgjI6 -dYtAKFpfs1qu5+RJsdnMrTkjA6RGylgx1QrzcSlVLL/Bf/y5rSdB6jJxZyBWdjDB -Kx7ZiXwpBCVwKMtRHfjmIuBDhCyol1/iMIXJ6zqnFYBvlblQ/DR/1QKUuspDLEAa -Yz6uO381x2DbiuVOiUptVSdDXYJC/Yb5GvR0B1srwn4comL+ORMzJEpAPI/jpaog -m0A9i7UDHYX2VymJZixwaNvQmCDqMof7rBxgb/Bz9oNt6w/wXXgIB1z3IF/ZSwBA -zw6xAGoBAoGBAOWnNZvmXAfIrc0SQ1f3CCm34DnrMlsyh2VpK32VGXSVj+Opy5mM -HFGcktwW8TnwmuIgNXE4dK38gHUIYRUpMgpZbyZyWZ5qfzE0s8JR6w3diT/uxV+8 -zNvgLVBrnHrL0dYi8Y5h2hxWr0AcoErf0blLDhBIGUjSo0Bx288/t6fBAoGBAN8F -bVv2BfsbOEsVts2xiBexEFAJUYEnfQv//SVSZWhizMDsKwaYb7KlEyGAAqmKgS+B -yPXCY909L35D05OnRrZiq+mFjCn9Mb4CsN+1pjpodll0INf+eQliYTgq/vGO0MvT -E/dG0Qz8MFmWsPKKcAB0T0kOJF0FK0S7sOC7VdxdAoGAT053DOd4UJfUrUTpTK9a -ek2teVLniObiKvsusaeTqtcbYZt5XAUuomBXtvmVRFT6p6xHyFmesZbJJaFHJW+c -gEZyQ+ypVjOgyPVSPoDbk2Y1x4ZFUtJ4TFYWT/dZim5ogHKAyJKyJ6cnzhQUpsa0 -PjDVInpDgQp8pfyr095FJgECgYByouCGr5x9aY1zEvNHIeU5gFtJOLD7eWfOfkQK -JiNYF8j1ta+cEUkBA9cklh9INJiY6dZ5dPVOKIA8H/MmZ4pyf5+sRmg4wRwLdmii -ZUXPqhiDfKzROc3PZBFjBL7NPcLXsmUF6xHT4eGce1fzI/PUV/TVMX7BjcGi7/NI -YSMORQKBgQDHbLjzAEjZONDzm1nlK3H+nQd+9ieUNHezZPgGJ+q4mCrJSsuHuzkG -cGzhi0la98p2s7pkjSvNG2jIPOwvZML0Jz588K2hCFLVcj94DTOq0KGjarLtsCwI -BDXNtedsjX8G1iPC1wooDFEUXdhmOtLkwkQDlUbQ8rmJ2cOTVAr1vg== +MIIEpAIBAAKCAQEA+evHY2ldy4iKlGEHtenqIK26QeFpU9t2iqiRjUz0+lZ+92ha +R+I+x1nL41SO71i2SaHp8L2Q5cWkOS0zuYivsZSz/l9dHinAS+N50QsERo01moWO +MyxfqSEbnZHMQS4OI/mf1djaRykp7zhCXie2BlUtmiBMW+YnvLmBm1z6icwg7ZBJ +8mt2ChpeH6qBggzwQQms9wvK/mcHR5HYHalLQdjhou3wwa6MB9bbeEoDd8I0tueR 
+gnrq55mVJrm3yg1TSgUwkWCBJ3VUrvdk3olgGwHv4njAB+uNfUn3od7MuipyHL8G +JQJHOcus63M/Ax/UVxu0BiDyLfWW4MVO/5OX5QIDAQABAoIBAFqMy9w/8+TnntYt +5b5KdzLJ3x85jZD9hhCtDLd2d5gwOKZpX7SFy5ss9Mtz+qnLqZg6GunHtTUbC+pP +b1s8o/OiXii+4p0oIW0diShtZmothYtr8l6mKC6+OSQ5DBldl2//ZKL1g/ieeHwd +FSbKGpBm0jPymdf+Js2hJM1mvbuoy8ZxkdAtuYA/7tqQVG3/yFfB9Hm9JmGjU5iH +2m0qrZsch0pusKvw7zwoPshLcNvDeIt/i1gkoCNi5ZSxQ/Ow4dHaxSuQyggbzhn4 +j0SHpGtRhrOkccxKmc8EDxZynWYb5nCPAOSsb5SOtXMDrJdZUi0c9a2ZYLpcjz9m +RJH7a8ECgYEA/a0hrbUq43wNUuFeGs7W42u+R4L+bQ8aGF7MRkcF1CFfP9aYkebH +7DIt5Tz4ESCUKdM8SZLm1L+JsSQDq3T/8S+UrQpAvH/0FDbChGXe7mPTveMa7mTo +/l4gQ0BtqSknj68I0NGM30yuk1OdIRRFMFWEJZvRvb43JCDS2NRPnHUCgYEA/DXX +WNk9aABvW1IlCf0iufwHOWINNvaELHX1LhRhpgF/zinOjN+QBxibLyEQwD+x3zcH +SiN6xOt+KUuM+b7yeoPJhfMyCTENrMezOun89tTnpI6SYiPn6ugHeR8hQHPKe2X3 +T6sCY6KnzN29j8LICZJGRKeqKZUm006Lcoh1X7ECgYEAnRzztPB2Bbq5TdHDRPtC +YExE52mcRtOJp/perlAirgWVRqaUjBjRTdquTkJ6qbDx0w2/Uxom2TFgCFRz6Wdn +dWuwu5OUEKt28mYQB4xIjIFLjVnxPiFFpPWLKdvnj1Or6vPPk/WVOF/358trkCdL +yunMFLbzKn97C2dA74ZfYFkCgYEAvslb5fIv6YSquEIjkrLSmi50qIvrwzAoPBnf +JsR0OcfYjnRBs39KzJNokPZKXaPRQjG2afb84Anknghw1FwFwXf/8jxOFXXuCk3m +3yIyIeZcdLcFNQhEYAa14IIT/VWaTk6MDtAmNojMtsTmqOGHwPXOAhFzP5F8lUxN +YI6pe4ECgYA/Q3cX3R2P0WZq19+0IASRzuxSeIuT/Pw51/1qnESkFw5HvQ9HFSmT +J2lvWI0N4oyCBEuynVPFneR2lK2FN7ZOIVlQMFNQ6nJDFwvTQr4cXHn0eURTKKf1 +frP8QXXeP9rdsoo9veCciJpHZz22vpVE7FZlC0WDTOTl1kltO2z78A== -----END RSA PRIVATE KEY----- diff --git a/test/config/integration/certs/upstreamlocalhostcert.cfg b/test/config/integration/certs/upstreamlocalhostcert.cfg new file mode 100644 index 0000000000000..fbea513733e9b --- /dev/null +++ b/test/config/integration/certs/upstreamlocalhostcert.cfg 
@@ -0,0 +1,38 @@ +[req] +distinguished_name = req_distinguished_name +req_extensions = v3_req + +[req_distinguished_name] +countryName = US +countryName_default = US +stateOrProvinceName = California +stateOrProvinceName_default = California +localityName = San Francisco +localityName_default = San Francisco +organizationName = Lyft +organizationName_default = Lyft +organizationalUnitName = Lyft Engineering +organizationalUnitName_default = Lyft Engineering +commonName = Test Upstream Server +commonName_default = Test Upstream Server +commonName_max = 64 + +[v3_req] +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = clientAuth, serverAuth +subjectAltName = @alt_names +subjectKeyIdentifier = hash + +[v3_ca] +basicConstraints = critical, CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = clientAuth, serverAuth +subjectAltName = @alt_names +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always + +[alt_names] +DNS.2 = localhost +IP.1 = 0.0.0.0 +IP.2 = :: diff --git a/test/config/integration/certs/upstreamlocalhostcert.pem b/test/config/integration/certs/upstreamlocalhostcert.pem new file mode 100644 index 0000000000000..e34ab833d86c7 --- /dev/null +++ b/test/config/integration/certs/upstreamlocalhostcert.pem 
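Review bot: In the new config's `[alt_names]` section the only DNS entry is `DNS.2 = localhost`, which reads as a leftover of copying upstreamcert.cfg and deleting its `DNS.1 = *.lyft.com` rather than as a deliberate numbering. OpenSSL tolerates the gap, but `DNS.1 = localhost` states the intent and avoids a reader hunting for a missing first entry.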
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEPTCCAyWgAwIBAgIUS0ht/ypqxlVqt86GiCya6cw/jJ0wDQYJKoZIhvcNAQEL +BQAwfzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM +DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n +aW5lZXJpbmcxGTAXBgNVBAMMEFRlc3QgVXBzdHJlYW0gQ0EwHhcNMTkwNzA4MjE0 +NTU3WhcNMjEwNzA3MjE0NTU3WjCBgzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNh +bGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQx +GTAXBgNVBAsMEEx5ZnQgRW5naW5lZXJpbmcxHTAbBgNVBAMMFFRlc3QgVXBzdHJl +YW0gU2VydmVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAujOqV+UB +T8oKxxnIlgKMPn10hIZxOOEzA96CDMQtQ2+180HLfSTErLWzQFNeP6jRDcbXTN0w +tYJlIUmVJtPaj7Dh4VvpORhRwAPZt9bkHcKKFCIaGYj61YCv3YpNyBSfJ0vwgATD +Yn6I2R8nobMKau/hMk4SpPZ6Z3pwSEt0GHd9/cE7t1WvE4BhqIjznexeFO+YrgvF +2ea4j7u4hJxezZhzAqOUyqtlbfkHQwXXzg/93PxBY5Y1mUPszjY+doGhW3DfTI1O +qgU2OfAoFZ6SKtUphUG/gt5DKHvKeARCWMEaUXC9UkyzhSNIl7s8qnRzweZwyOIk +KClryNQCtTjHOwIDAQABo4GrMIGoMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQDAgXg +MB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAsBgNVHREEJTAjgglsb2Nh +bGhvc3SHBAAAAACHEAAAAAAAAAAAAAAAAAAAAAAwHQYDVR0OBBYEFPlBuX/WSFDb ++nUGMLTu7svrrtolMB8GA1UdIwQYMBaAFOLTMLryzNAcuxe3cKEhClkL7IduMA0G +CSqGSIb3DQEBCwUAA4IBAQCgknWXc/Iz/Av6inDxGOncsNlYehKU+UBoR69HlcUE +AEOW7nFaPey5zLL3dgTJd1nOe0u97yT5Hoy9b7O9z5cBWHkNYqFh2oEZKXeDtS81 +z/N4ZQuPxxAlS4d7krAsQNB2vjMFp81eGude680twbto6LKRg9iJMv+AeEJD9p0j +ubeZA20j8YV8Aijm/kNe82d+TQYULxQeLo5QM6VU0pK2VcCunHywcYFc/t99Ync6 +NaqGrxOu6Jfduzg0TsZsIX7GveYC4dmx3CK1qOSB7SE2SVQjAITZL7gIvbLQPEKu +XJrmpIIhgUw+AgPq7D8JEaLoYERCRQLWt4v/yVus2Tgd +-----END CERTIFICATE----- diff --git a/test/config/integration/certs/upstreamlocalhostcert_hash.h b/test/config/integration/certs/upstreamlocalhostcert_hash.h new file mode 100644 index 0000000000000..fdd5cb3b72211 --- /dev/null +++ b/test/config/integration/certs/upstreamlocalhostcert_hash.h 
@@ -0,0 +1,2 @@ +// NOLINT(namespace-envoy) +constexpr char TEST_UPSTREAMLOCALHOST_CERT_HASH[] = "5B:5C:02:47:DE:17:B7:1B:98:05:0A:DB:41:2C:F6:8F:65:E3:86:E6:03:B3:9A:EC:67:33:2E:39:1F:05:88:B0"; diff --git a/test/config/integration/certs/upstreamlocalhostkey.pem b/test/config/integration/certs/upstreamlocalhostkey.pem new file mode 100644 index 0000000000000..7bf369f08b6d3 --- /dev/null +++ b/test/config/integration/certs/upstreamlocalhostkey.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAujOqV+UBT8oKxxnIlgKMPn10hIZxOOEzA96CDMQtQ2+180HL +fSTErLWzQFNeP6jRDcbXTN0wtYJlIUmVJtPaj7Dh4VvpORhRwAPZt9bkHcKKFCIa +GYj61YCv3YpNyBSfJ0vwgATDYn6I2R8nobMKau/hMk4SpPZ6Z3pwSEt0GHd9/cE7 +t1WvE4BhqIjznexeFO+YrgvF2ea4j7u4hJxezZhzAqOUyqtlbfkHQwXXzg/93PxB +Y5Y1mUPszjY+doGhW3DfTI1OqgU2OfAoFZ6SKtUphUG/gt5DKHvKeARCWMEaUXC9 +UkyzhSNIl7s8qnRzweZwyOIkKClryNQCtTjHOwIDAQABAoIBABS0H/Gr9exgQ7iF +pmb/m4ZrPqRpqncvmxOIDx/KRFomNq34l96vUur9PRQe8PDVHYGRpWjXg037VLFR +1DLABaJKgaMkLBd8G8Lk6rVlQHIKqn24mPxT3cgVifhxI1rm6BdfeztQzETMWv0B +WM/C75qaV4jXY31SJqQQ2iE/uoXpuqHtBqxVE9TnBi0NvN2ZXlcxGgwnv7SYKrkE +4c9M5q0F5mJAAkHsrgyyQY18/op/vtQGbKvsdkuT9ihzruaeXxB6M04nevxdDn3r +dC5GUz05c+GCqCmMppU2gRPKYH0t/mvXfZhoGiOujfhTUbiIjQBle1kaxXmZl7Zr +Kz+lO+kCgYEA8IOstfsxJ6Zdf4Xvqi6MLr3MKZT3MmSpKT1dOixzYtD1IS1qc0hF +t4+SNhlP1ny5TlFF12356AC4TMM+kjlhCu9uAsvjqI5M/XSQ00SvybADbYoQc7jy +v9d69AEPOslmfQ7GYDAlFKT5NTK6tXEVpX1MIs6+LSl2pi4emtW7EzUCgYEAxjDG +Db/yEzanLyPC2Yfjk8KotnmprVZmXvmSWl0frOjWxbmYq2auVMNgBysY0+k8OHWk +MQjtjbVqA5b4Ze5Rm0Z7XlWieioxLt1naG3Gb0NAtaivmouaovlrIlZf7GtT4haC +Q4/GN9gGUxdjLLJRJ/WcdOG4X4gp7Opj19eazq8CgYAXVF5rZIs3El8dYIuH0W4N +lqF4Ixf7TmJOOsKRQwCKRESSzEn4FrmUfZusHbZt0rlSzHVe2S8VfwRhhcrK+j/c +hK8CHG7fybXUG/t0UsROZwFeHbdM0lLRowAtLPEiPajwVn+Nkv31y67UpzAPK4Hz +BH1fHvi5fr0gj3auhC7aRQKBgEEAAhTEXSp8BDzrp54ceUEe2KJwKHwXGCASDjPg +0uCsxLO4eR/N32MhaL8xHUVy+zMxMhZ67R5K32gp/XHAxbb9WLzJrS4P5G2QY7fW +OPyIvBJYLq+rFZ5Z2w858N/jG3HNHA/4eXQbP4fE5dvk58UJQrT6yrNaPxXakcBa +kAU1AoGBAJSSjgV9kR2tGzhBFqL0K11E5GP9uzO3sib3Zd7gtOJTO1cvJaLES3BV +Q6sxR9gPJ5cSpTXCNbaJwZ+jAsTfhJj8PE15am/JG7d7xZkflZIdfSf9/23g26w1 +dagOuDPRC2mcbjzprdPRLbNk3NfI/Llw+CboMP6R/smOYf/HRpS9 +-----END RSA PRIVATE KEY----- From bc40be96dd8339f91cc194d9908e170bc0effa81 Mon Sep 17 00:00:00 2001 From: Matt Klein Date: Tue, 9 Jul 2019 12:59:18 -0700 Subject: [PATCH 3/5] comments 
Signed-off-by: Matt Klein --- source/common/upstream/logical_host.h | 92 +++++++++++++++++++ .../clusters/dynamic_forward_proxy/cluster.cc | 83 +---------------- test/common/upstream/BUILD | 9 ++ test/common/upstream/logical_host_test.cc | 79 ++++++++++++++++ test/config/integration/certs/README.md | 4 + .../integration/certs/upstreamcert_hash.h | 3 +- .../certs/upstreamlocalhostcert_hash.h | 4 +- .../proxy_filter_integration_test.cc | 31 ++++++- test/mocks/upstream/cluster_info.cc | 1 + test/mocks/upstream/cluster_info.h | 1 + 10 files changed, 221 insertions(+), 86 deletions(-) create mode 100644 test/common/upstream/logical_host_test.cc diff --git a/source/common/upstream/logical_host.h b/source/common/upstream/logical_host.h index d22a415a2fcf4..760c237e8ec53 100644 --- a/source/common/upstream/logical_host.h +++ b/source/common/upstream/logical_host.h 
@@ -100,5 +100,97 @@ class RealHostDescription : public HostDescription {
 const HostConstSharedPtr logical_host_;
 };
 
+/**
+ * fixfix
+ */
+class ClusterInfoWrapper : public Upstream::ClusterInfo {
+public:
+ ClusterInfoWrapper(const Upstream::ClusterInfoConstSharedPtr& real_cluster_info)
+ : real_cluster_info_(real_cluster_info) {}
+
+ // Upstream::ClusterInfo
+ bool addedViaApi() const override { return real_cluster_info_->addedViaApi(); }
+ std::chrono::milliseconds connectTimeout() const override {
+ return real_cluster_info_->connectTimeout();
+ }
+ const absl::optional idleTimeout() const override {
+ return real_cluster_info_->idleTimeout();
+ }
+ uint32_t perConnectionBufferLimitBytes() const override {
+ return real_cluster_info_->perConnectionBufferLimitBytes();
+ }
+ uint64_t features() const override { return real_cluster_info_->features(); }
+ const Http::Http2Settings& http2Settings() const override {
+ return real_cluster_info_->http2Settings();
+ }
+ const envoy::api::v2::Cluster::CommonLbConfig& lbConfig() const override {
+ return real_cluster_info_->lbConfig();
+ }
+ Upstream::LoadBalancerType lbType() const override { return real_cluster_info_->lbType(); }
+ envoy::api::v2::Cluster::DiscoveryType type() const override {
+ return real_cluster_info_->type();
+ }
+ const absl::optional& clusterType() const override {
+ return real_cluster_info_->clusterType();
+ }
+ const absl::optional&
+ lbLeastRequestConfig() const override {
+ return real_cluster_info_->lbLeastRequestConfig();
+ }
+ const absl::optional&
+ lbRingHashConfig() const override {
+ return real_cluster_info_->lbRingHashConfig();
+ }
+ const absl::optional&
+ lbOriginalDstConfig() const override {
+ return real_cluster_info_->lbOriginalDstConfig();
+ }
+ bool maintenanceMode() const override { return real_cluster_info_->maintenanceMode(); }
+ uint64_t maxRequestsPerConnection() const override {
+ return real_cluster_info_->maxRequestsPerConnection();
+ }
+ const std::string& name() const override { return real_cluster_info_->name(); }
+ Upstream::ResourceManager& resourceManager(Upstream::ResourcePriority priority) const override {
+ return real_cluster_info_->resourceManager(priority);
+ }
+ Network::TransportSocketFactory& transportSocketFactory() const override {
+ return real_cluster_info_->transportSocketFactory();
+ }
+ Upstream::ClusterStats& stats() const override { return real_cluster_info_->stats(); }
+ Stats::Scope& statsScope() const override { return real_cluster_info_->statsScope(); }
+ Upstream::ClusterLoadReportStats& loadReportStats() const override {
+ return real_cluster_info_->loadReportStats();
+ }
+ const Network::Address::InstanceConstSharedPtr& sourceAddress() const override {
+ return real_cluster_info_->sourceAddress();
+ }
+ const Upstream::LoadBalancerSubsetInfo& lbSubsetInfo() const override {
+ return real_cluster_info_->lbSubsetInfo();
+ }
+ const envoy::api::v2::core::Metadata& metadata() const override {
+ return real_cluster_info_->metadata();
+ }
+ const Envoy::Config::TypedMetadata& typedMetadata() const override {
+ return real_cluster_info_->typedMetadata();
+ }
+ const Network::ConnectionSocket::OptionsSharedPtr& clusterSocketOptions() const override {
+ return real_cluster_info_->clusterSocketOptions();
+ }
+ bool drainConnectionsOnHostRemoval() const override {
+ return real_cluster_info_->drainConnectionsOnHostRemoval();
+ }
+ bool warmHosts() const override { return real_cluster_info_->warmHosts(); }
+ absl::optional eds_service_name() const override {
+ return real_cluster_info_->eds_service_name();
+ }
+ Upstream::ProtocolOptionsConfigConstSharedPtr
+ extensionProtocolOptions(const std::string& name) const override {
+ return real_cluster_info_->extensionProtocolOptions(name);
+ }
+
+private:
+ const Upstream::ClusterInfoConstSharedPtr real_cluster_info_;
+};
+
 } // namespace Upstream
 } // namespace Envoy
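Review bot: The doc comment on the new ClusterInfoWrapper is the placeholder `fixfix`, so the one class in this header that other code is meant to derive from has no description; replace it with something like `/** A ClusterInfo that forwards every accessor to a wrapped real ClusterInfo. Derive from it to override a single accessor while inheriting the rest of the real cluster's configuration (the dynamic forward proxy cluster does this to swap only transportSocketFactory()). */`. The single-argument constructor should be `explicit ClusterInfoWrapper(const Upstream::ClusterInfoConstSharedPtr& real_cluster_info)` so a ClusterInfoConstSharedPtr cannot silently convert into a wrapper at a call site. Since the class sits inside namespace Upstream, the `Upstream::` qualifiers on the base class and the forwarded types are redundant, and the neighbouring RealHostDescription appears to use the unqualified names.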
diff --git a/source/extensions/clusters/dynamic_forward_proxy/cluster.cc b/source/extensions/clusters/dynamic_forward_proxy/cluster.cc index 92560b50f7b59..988083e2e46ae 100644 --- a/source/extensions/clusters/dynamic_forward_proxy/cluster.cc +++ b/source/extensions/clusters/dynamic_forward_proxy/cluster.cc 
@@ -7,95 +7,19 @@ namespace Extensions {
 namespace Clusters {
 namespace DynamicForwardProxy {
 
-class ClusterInfoWithOverridenTls : public Upstream::ClusterInfo {
+class ClusterInfoWithOverridenTls : public Upstream::ClusterInfoWrapper {
 public:
 ClusterInfoWithOverridenTls(const Upstream::ClusterInfoConstSharedPtr& real_cluster_info,
 Network::TransportSocketFactoryPtr&& transport_socket_factory)
- : real_cluster_info_(real_cluster_info),
+ : ClusterInfoWrapper(real_cluster_info),
 transport_socket_factory_(std::move(transport_socket_factory)) {}
 
 // Upstream::ClusterInfo
- bool addedViaApi() const override { return real_cluster_info_->addedViaApi(); }
- std::chrono::milliseconds connectTimeout() const override {
- return real_cluster_info_->connectTimeout();
- }
- const absl::optional idleTimeout() const override {
- return real_cluster_info_->idleTimeout();
- }
- uint32_t perConnectionBufferLimitBytes() const override {
- return real_cluster_info_->perConnectionBufferLimitBytes();
- }
- uint64_t features() const override { return real_cluster_info_->features(); }
- const Http::Http2Settings& http2Settings() const override {
- return real_cluster_info_->http2Settings();
- }
- const envoy::api::v2::Cluster::CommonLbConfig& lbConfig() const override {
- return real_cluster_info_->lbConfig();
- }
- Upstream::LoadBalancerType lbType() const override { return real_cluster_info_->lbType(); }
- envoy::api::v2::Cluster::DiscoveryType type() const override {
- return real_cluster_info_->type();
- }
- const absl::optional& clusterType() const override {
- return real_cluster_info_->clusterType();
- }
- const absl::optional&
- lbLeastRequestConfig() const override {
- return real_cluster_info_->lbLeastRequestConfig();
- }
- const absl::optional&
- lbRingHashConfig() const override {
- return real_cluster_info_->lbRingHashConfig();
- }
- const absl::optional&
- lbOriginalDstConfig() const override {
- return real_cluster_info_->lbOriginalDstConfig();
- }
- bool maintenanceMode() const override { return real_cluster_info_->maintenanceMode(); }
- uint64_t maxRequestsPerConnection() const override {
- return real_cluster_info_->maxRequestsPerConnection();
- }
- const std::string& name() const override { return real_cluster_info_->name(); }
- Upstream::ResourceManager& resourceManager(Upstream::ResourcePriority priority) const override {
- return real_cluster_info_->resourceManager(priority);
- }
 Network::TransportSocketFactory& transportSocketFactory() const override {
 return *transport_socket_factory_;
 }
- Upstream::ClusterStats& stats() const override { return real_cluster_info_->stats(); }
- Stats::Scope& statsScope() const override { return real_cluster_info_->statsScope(); }
- Upstream::ClusterLoadReportStats& loadReportStats() const override {
- return real_cluster_info_->loadReportStats();
- }
- const Network::Address::InstanceConstSharedPtr& sourceAddress() const override {
- return real_cluster_info_->sourceAddress();
- }
- const Upstream::LoadBalancerSubsetInfo& lbSubsetInfo() const override {
- return real_cluster_info_->lbSubsetInfo();
- }
- const envoy::api::v2::core::Metadata& metadata() const override {
- return real_cluster_info_->metadata();
- }
- const Envoy::Config::TypedMetadata& typedMetadata() const override {
- return real_cluster_info_->typedMetadata();
- }
- const Network::ConnectionSocket::OptionsSharedPtr& clusterSocketOptions() const override {
- return real_cluster_info_->clusterSocketOptions();
- }
- bool drainConnectionsOnHostRemoval() const override {
- return real_cluster_info_->drainConnectionsOnHostRemoval();
- }
- bool warmHosts() const override { return real_cluster_info_->warmHosts(); }
- absl::optional eds_service_name() const override {
- return real_cluster_info_->eds_service_name();
- }
- Upstream::ProtocolOptionsConfigConstSharedPtr
- extensionProtocolOptions(const std::string& name) const override {
- return real_cluster_info_->extensionProtocolOptions(name);
- }
 
 private:
- const Upstream::ClusterInfoConstSharedPtr real_cluster_info_;
 const Network::TransportSocketFactoryPtr transport_socket_factory_;
 };
 
@@ -183,8 +107,7 @@ void Cluster::onDnsHostAddOrUpdate(
 // SAN verification for the resolved host if the cluster has been configured with TLS.
 // TODO(mattklein123): The fact that we are copying the cluster config, etc. is not very clean.
 // consider streamlining this in the future.
- // TODO(mattklein123): If the host is an IP address should we be setting SNI? IP addresses in
- // hosts needs to be revisited so this can be handled in a follow up.
+ // TODO(mattklein123): If the host is an IP address we should not set SNI.
 envoy::api::v2::Cluster override_cluster = cluster_config_;
 override_cluster.mutable_tls_context()->set_sni(host_info->resolvedHost());
 override_cluster.mutable_tls_context()
diff --git a/test/common/upstream/BUILD b/test/common/upstream/BUILD
index 7bbf8314c71e6..a9aa938dbb332 100644
--- a/test/common/upstream/BUILD
+++ b/test/common/upstream/BUILD
@@ -300,6 +300,15 @@ envoy_cc_test(
 ],
 )
 
+envoy_cc_test(
+ name = "logical_host_test",
+ srcs = ["logical_host_test.cc"],
+ deps = [
+ "//source/common/upstream:logical_host_lib",
+ "//test/mocks/upstream:cluster_info_mocks",
+ ],
+)
+
 envoy_cc_test(
 name = "ring_hash_lb_test",
 srcs = ["ring_hash_lb_test.cc"],
diff --git a/test/common/upstream/logical_host_test.cc b/test/common/upstream/logical_host_test.cc
new file mode 100644
index 0000000000000..17b2fc4d91ca2
--- /dev/null
+++ b/test/common/upstream/logical_host_test.cc
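Review bot: The reworded TODO in the second hunk now states that SNI must not be set for an IP-address host, yet `override_cluster.mutable_tls_context()->set_sni(host_info->resolvedHost());` on the next line, and the SAN override built from the same string that follows it (its continuation is outside the hunk), still run unconditionally, so an IP-literal host is sent as server_name — which RFC 6066 does not permit — and is presumably matched against DNS-type SANs rather than the certificate's IP SANs. Rather than leave this to a TODO, guard both calls with an IP-literal check on `host_info->resolvedHost()` using Envoy's existing address-parsing utilities; with an illustrative helper name, `if (!is_ip_literal(host_info->resolvedHost())) { /* set SNI and SAN override */ }`. A unit test that adds an IP-literal host would pin whichever behavior is chosen for the IP case. onDnsHostAddOrUpdate starts and ends outside the hunk.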
@@ -0,0 +1,79 @@
+#include "common/upstream/logical_host.h"
+
+#include "test/mocks/upstream/cluster_info.h"
+
+using testing::InSequence;
+
+namespace Envoy {
+namespace Upstream {
+
+TEST(ClusterInfoWrapperTest, PassThrough) {
+ InSequence s;
+
+ auto cluster_info = std::make_shared();
+ ClusterInfoWrapper wrapper(cluster_info);
+
+ EXPECT_CALL(*cluster_info, addedViaApi());
+ wrapper.addedViaApi();
+ EXPECT_CALL(*cluster_info, connectTimeout());
+ wrapper.connectTimeout();
+ EXPECT_CALL(*cluster_info, idleTimeout());
+ wrapper.idleTimeout();
+ EXPECT_CALL(*cluster_info, perConnectionBufferLimitBytes());
+ wrapper.perConnectionBufferLimitBytes();
+ EXPECT_CALL(*cluster_info, features());
+ wrapper.features();
+ EXPECT_CALL(*cluster_info, http2Settings());
+ wrapper.http2Settings();
+ EXPECT_CALL(*cluster_info, lbConfig());
+ wrapper.lbConfig();
+ EXPECT_CALL(*cluster_info, lbType());
+ wrapper.lbType();
+ EXPECT_CALL(*cluster_info, type());
+ wrapper.type();
+ EXPECT_CALL(*cluster_info, clusterType());
+ wrapper.clusterType();
+ EXPECT_CALL(*cluster_info, lbLeastRequestConfig());
+ wrapper.lbLeastRequestConfig();
+ EXPECT_CALL(*cluster_info, lbRingHashConfig());
+ wrapper.lbRingHashConfig();
+ EXPECT_CALL(*cluster_info, lbOriginalDstConfig());
+ wrapper.lbOriginalDstConfig();
+ EXPECT_CALL(*cluster_info, maintenanceMode());
+ wrapper.maintenanceMode();
+ EXPECT_CALL(*cluster_info, maxRequestsPerConnection());
+ wrapper.maxRequestsPerConnection();
+ EXPECT_CALL(*cluster_info, name());
+ wrapper.name();
+ EXPECT_CALL(*cluster_info, resourceManager(ResourcePriority::High));
+ wrapper.resourceManager(ResourcePriority::High);
+ EXPECT_CALL(*cluster_info, transportSocketFactory());
+ wrapper.transportSocketFactory();
+ EXPECT_CALL(*cluster_info, stats());
+ wrapper.stats();
+ EXPECT_CALL(*cluster_info, statsScope());
+ wrapper.statsScope();
+ EXPECT_CALL(*cluster_info, loadReportStats());
+ wrapper.loadReportStats();
+ EXPECT_CALL(*cluster_info, sourceAddress());
+ wrapper.sourceAddress();
+ EXPECT_CALL(*cluster_info, lbSubsetInfo());
+ wrapper.lbSubsetInfo();
+ EXPECT_CALL(*cluster_info, metadata());
+ wrapper.metadata();
+ EXPECT_CALL(*cluster_info, typedMetadata());
+ wrapper.typedMetadata();
+ EXPECT_CALL(*cluster_info, clusterSocketOptions());
+ wrapper.clusterSocketOptions();
+ EXPECT_CALL(*cluster_info, drainConnectionsOnHostRemoval());
+ wrapper.drainConnectionsOnHostRemoval();
+ EXPECT_CALL(*cluster_info, warmHosts());
+ wrapper.warmHosts();
+ EXPECT_CALL(*cluster_info, eds_service_name());
+ wrapper.eds_service_name();
+ EXPECT_CALL(*cluster_info, extensionProtocolOptions("foo"));
+ wrapper.extensionProtocolOptions("foo");
+}
+
+} // namespace Upstream
+} // namespace Envoy
diff --git a/test/config/integration/certs/README.md b/test/config/integration/certs/README.md
index 78eb2a677c2d7..2f6dfabaff116 100644
--- a/test/config/integration/certs/README.md
+++ b/test/config/integration/certs/README.md
@@ -11,6 +11,10 @@ There are 5 identities:
 - **Upstream**: It has the certificate *upstreamcert.pem*, which is signed by the **Upstream CA** using the config *upstreamcert.cfg*. *upstreamkey.pem* is its private key. +- **Upstream localhost**: It has the certificate *upstreamlocalhostcert.pem*, which is signed by + the **Upstream CA** using the config *upstreamlocalhostcert.cfg*. *upstreamlocalhostkey.pem* is + its private key. The different between this certificate and **Upstream** is that this certifcate + has a SAN for "localhost". # How to update certificates **certs.sh** has the commands to generate all files. Running certs.sh directly
diff --git a/test/config/integration/certs/upstreamcert_hash.h b/test/config/integration/certs/upstreamcert_hash.h
index 8513c994d7579..4342078b93804 100644
--- a/test/config/integration/certs/upstreamcert_hash.h
+++ b/test/config/integration/certs/upstreamcert_hash.h
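Review bot: PassThrough only checks that each wrapper call reaches the mock; every return value is discarded, so a forwarding method that returned a default instead of the mock's value would still pass. For the value-returning accessors, have the mock return a distinguishable value and compare it, e.g. `EXPECT_CALL(*cluster_info, maxRequestsPerConnection()).WillOnce(Return(42));` followed by `EXPECT_EQ(42, wrapper.maxRequestsPerConnection());` (with `using testing::Return;`), and for the reference-returning ones compare the returned address against the mock's member. The file also uses TEST, EXPECT_CALL and InSequence without including gtest/gmock itself, relying on whatever cluster_info.h pulls in transitively; include them directly.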
@@ -1,2 +1,3 @@
 // NOLINT(namespace-envoy)
-constexpr char TEST_UPSTREAM_CERT_HASH[] = "57:0E:EF:74:60:9C:8E:3D:AA:EA:3F:3E:02:69:89:40:E6:00:AD:CA:86:69:73:BA:9E:0B:01:A2:E2:F3:75:7F";
+constexpr char TEST_UPSTREAM_CERT_HASH[] = "57:0E:EF:74:60:9C:8E:3D:AA:EA:3F:3E:02:69:89:40:E6:00:"
+ "AD:CA:86:69:73:BA:9E:0B:01:A2:E2:F3:75:7F";
diff --git a/test/config/integration/certs/upstreamlocalhostcert_hash.h b/test/config/integration/certs/upstreamlocalhostcert_hash.h
index fdd5cb3b72211..409ad0af1cd36 100644
--- a/test/config/integration/certs/upstreamlocalhostcert_hash.h
+++ b/test/config/integration/certs/upstreamlocalhostcert_hash.h
@@ -1,2 +1,4 @@
 // NOLINT(namespace-envoy)
-constexpr char TEST_UPSTREAMLOCALHOST_CERT_HASH[] = "5B:5C:02:47:DE:17:B7:1B:98:05:0A:DB:41:2C:F6:8F:65:E3:86:E6:03:B3:9A:EC:67:33:2E:39:1F:05:88:B0";
+constexpr char TEST_UPSTREAMLOCALHOST_CERT_HASH[] =
+ "5B:5C:02:47:DE:17:B7:1B:98:05:0A:DB:41:2C:F6:8F:65:E3:86:E6:03:B3:9A:EC:67:33:2E:39:1F:05:88:"
+ "B0";
diff --git a/test/extensions/filters/http/dynamic_forward_proxy/proxy_filter_integration_test.cc b/test/extensions/filters/http/dynamic_forward_proxy/proxy_filter_integration_test.cc
index fc25adf69ec92..b2750046922b6 100644
--- a/test/extensions/filters/http/dynamic_forward_proxy/proxy_filter_integration_test.cc
+++ b/test/extensions/filters/http/dynamic_forward_proxy/proxy_filter_integration_test.cc
@@ -84,10 +84,10 @@ name: envoy.clusters.dynamic_forward_proxy envoy::api::v2::auth::DownstreamTlsContext tls_context; auto* common_tls_context = tls_context.mutable_common_tls_context(); auto* tls_cert = common_tls_context->add_tls_certificates(); - tls_cert->mutable_certificate_chain()->set_filename( - TestEnvironment::runfilesPath("test/config/integration/certs/upstreamcert.pem")); - tls_cert->mutable_private_key()->set_filename( - TestEnvironment::runfilesPath("test/config/integration/certs/upstreamkey.pem")); + tls_cert->mutable_certificate_chain()->set_filename(TestEnvironment::runfilesPath( + fmt::format("test/config/integration/certs/{}cert.pem", upstream_cert_name_))); + tls_cert->mutable_private_key()->set_filename(TestEnvironment::runfilesPath( + fmt::format("test/config/integration/certs/{}key.pem", upstream_cert_name_))); auto cfg = std::make_unique( tls_context, factory_context_); @@ -98,6 +98,7 @@ name: envoy.clusters.dynamic_forward_proxy } bool upstream_tls_{}; + std::string upstream_cert_name_{"upstreamlocalhost"}; }; INSTANTIATE_TEST_SUITE_P(IpVersions, ProxyFilterIntegrationTest, 
@@ -208,5 +209,27 @@ TEST_P(ProxyFilterIntegrationTest, UpstreamTls) { checkSimpleRequestSuccess(0, 0, response.get()); } +// Verify that auto-SAN verification fails with an incorrect certificate. +TEST_P(ProxyFilterIntegrationTest, UpstreamTlsInvalidSAN) { + upstream_tls_ = true; + upstream_cert_name_ = "upstream"; + setup(); + fake_upstreams_[0]->set_allow_unexpected_disconnects(true); + + codec_client_ = makeHttpConnection(lookupPort("http")); + const Http::TestHeaderMapImpl request_headers{ + {":method", "POST"}, + {":path", "/test/long/url"}, + {":scheme", "http"}, + {":authority", + fmt::format("localhost:{}", fake_upstreams_[0]->localAddress()->ip()->port())}}; + + auto response = codec_client_->makeHeaderOnlyRequest(request_headers); + response->waitForEndStream(); + EXPECT_EQ("503", response->headers().Status()->value().getStringView()); + + EXPECT_EQ(1, test_server_->counter("cluster.cluster_0.ssl.fail_verify_san")->value()); +} + } // namespace } // namespace Envoy diff --git a/test/mocks/upstream/cluster_info.cc b/test/mocks/upstream/cluster_info.cc index d34c8fa20fe16..9bf6d3e98d671 100644 --- a/test/mocks/upstream/cluster_info.cc +++ b/test/mocks/upstream/cluster_info.cc @@ -66,6 +66,7 @@ MockClusterInfo::MockClusterInfo() ON_CALL(*this, sourceAddress()).WillByDefault(ReturnRef(source_address_)); ON_CALL(*this, lbSubsetInfo()).WillByDefault(ReturnRef(lb_subset_)); ON_CALL(*this, lbRingHashConfig()).WillByDefault(ReturnRef(lb_ring_hash_config_)); + ON_CALL(*this, lbLeastRequestConfig()).WillByDefault(ReturnRef(lb_least_request_config_)); ON_CALL(*this, lbOriginalDstConfig()).WillByDefault(ReturnRef(lb_original_dst_config_)); ON_CALL(*this, lbConfig()).WillByDefault(ReturnRef(lb_config_)); ON_CALL(*this, clusterSocketOptions()).WillByDefault(ReturnRef(cluster_socket_options_)); diff --git a/test/mocks/upstream/cluster_info.h b/test/mocks/upstream/cluster_info.h index 46b318c3f36d3..9342b79fcdbdd 100644 --- a/test/mocks/upstream/cluster_info.h 
+++ b/test/mocks/upstream/cluster_info.h @@ -125,6 +125,7 @@ class MockClusterInfo : public ClusterInfo { absl::optional cluster_type_; NiceMock lb_subset_; absl::optional lb_ring_hash_config_; + absl::optional lb_least_request_config_; absl::optional lb_original_dst_config_; Network::ConnectionSocket::OptionsSharedPtr cluster_socket_options_; envoy::api::v2::Cluster::CommonLbConfig lb_config_; From 840b38b738dfccd6ead7b355bbb3b0febe49a50e Mon Sep 17 00:00:00 2001 From: Matt Klein Date: Tue, 9 Jul 2019 13:01:59 -0700 Subject: [PATCH 4/5] fix Signed-off-by: Matt Klein --- source/common/upstream/logical_host.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/source/common/upstream/logical_host.h b/source/common/upstream/logical_host.h index 760c237e8ec53..48efa0f66d063 100644 --- a/source/common/upstream/logical_host.h +++ b/source/common/upstream/logical_host.h @@ -101,7 +101,8 @@ class RealHostDescription : public HostDescription { }; /** - * fixfix + * Pass-through wrapper for cluster info. Derived classes can you use this class as a base if they + * need to override individual methods. */ class ClusterInfoWrapper : public Upstream::ClusterInfo { public: From 0940edd372c41a1acbd634747ab02b4bc677e9b4 Mon Sep 17 00:00:00 2001 From: Matt Klein Date: Fri, 12 Jul 2019 10:26:02 -0700 Subject: [PATCH 5/5] comments 
Signed-off-by: Matt Klein --- include/envoy/network/transport_socket.h | 9 +- include/envoy/upstream/upstream.h | 1 + .../network/transport_socket_options_impl.h | 10 +- source/common/upstream/logical_dns_cluster.cc | 4 +- source/common/upstream/logical_host.cc | 4 +- source/common/upstream/logical_host.h | 100 +----------------- .../clusters/dynamic_forward_proxy/BUILD | 1 + .../clusters/dynamic_forward_proxy/cluster.cc | 67 +++--------- .../clusters/dynamic_forward_proxy/cluster.h | 5 - .../transport_sockets/tls/context_impl.cc | 30 ++++-- .../transport_sockets/tls/context_impl.h | 7 +- .../transport_sockets/tls/ssl_socket.cc | 9 +- .../transport_sockets/tls/ssl_socket.h | 3 +- test/common/upstream/BUILD | 9 -- test/common/upstream/logical_host_test.cc | 79 -------------- .../dynamic_forward_proxy/cluster_test.cc | 1 + .../common/dynamic_forward_proxy/mocks.cc | 2 + .../common/dynamic_forward_proxy/mocks.h | 1 + test/mocks/upstream/cluster_info.cc | 1 - test/mocks/upstream/cluster_info.h | 1 - 20 files changed, 78 insertions(+), 266 deletions(-) delete mode 100644 test/common/upstream/logical_host_test.cc diff --git a/include/envoy/network/transport_socket.h b/include/envoy/network/transport_socket.h index dab4a2054c314..1167f46e19d3f 100644 --- a/include/envoy/network/transport_socket.h +++ b/include/envoy/network/transport_socket.h @@ -165,6 +165,12 @@ class TransportSocketOptions { */ virtual const absl::optional& serverNameOverride() const PURE; + /** + * @return the optional overridden SAN names to verify, if the transport socket supports SAN + * verification. + */ + virtual const std::vector& verifySubjectAltNameListOverride() const PURE; + /** * @param vector of bytes to which the option should append hash key data that will be used * to separate connections based on the option. Any data already in the key vector must 
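Review bot: The new doc comment on verifySubjectAltNameListOverride() does not say what an empty list means or how the override interacts with the SAN list configured on the TLS context, which is the security-relevant part of the contract. Per the verifyCallback change later in this series, an empty list means "no override" and a non-empty list replaces, rather than extends, the context-configured list. Suggest extending the comment with ` * An empty list means no override; a non-empty list replaces (does not extend) the SAN list configured on the TLS context.`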
@@ -173,7 +179,8 @@ class TransportSocketOptions { virtual void hashKey(std::vector& key) const PURE; }; -using TransportSocketOptionsSharedPtr = std::shared_ptr; +// TODO(mattklein123): Rename to TransportSocketOptionsConstSharedPtr in a dedicated follow up. +using TransportSocketOptionsSharedPtr = std::shared_ptr; /** * A factory for creating transport socket. It will be associated to filter chains and clusters. diff --git a/include/envoy/upstream/upstream.h b/include/envoy/upstream/upstream.h index 79bb3c063f02d..567466c18ebc8 100644 --- a/include/envoy/upstream/upstream.h +++ b/include/envoy/upstream/upstream.h @@ -843,6 +843,7 @@ class ClusterInfo { */ virtual absl::optional eds_service_name() const PURE; +protected: /** * Invoked by extensionProtocolOptionsTyped. * @param name std::string containing the well-known name of the extension for which protocol diff --git a/source/common/network/transport_socket_options_impl.h b/source/common/network/transport_socket_options_impl.h index ba544a67d7656..0010a46d763a8 100644 --- a/source/common/network/transport_socket_options_impl.h +++ b/source/common/network/transport_socket_options_impl.h 
@@ -7,19 +7,25 @@ namespace Network { class TransportSocketOptionsImpl : public TransportSocketOptions { public: - TransportSocketOptionsImpl(absl::string_view override_server_name = "") + TransportSocketOptionsImpl(absl::string_view override_server_name = "", + std::vector&& override_verify_san_list = {}) : override_server_name_(override_server_name.empty() ? absl::nullopt - : absl::optional(override_server_name)) {} + : absl::optional(override_server_name)), + override_verify_san_list_{std::move(override_verify_san_list)} {} // Network::TransportSocketOptions const absl::optional& serverNameOverride() const override { return override_server_name_; } + const std::vector& verifySubjectAltNameListOverride() const override { + return override_verify_san_list_; + } void hashKey(std::vector& key) const override; private: const absl::optional override_server_name_; + const std::vector override_verify_san_list_; }; } // namespace Network diff --git a/source/common/upstream/logical_dns_cluster.cc b/source/common/upstream/logical_dns_cluster.cc index 88ce5e02da5bc..06c1e415b845c 100644 --- a/source/common/upstream/logical_dns_cluster.cc +++ b/source/common/upstream/logical_dns_cluster.cc @@ -89,8 +89,8 @@ void LogicalDnsCluster::startResolve() { } if (!logical_host_) { - logical_host_.reset( - new LogicalHost(info_, hostname_, new_address, localityLbEndpoint(), lbEndpoint())); + logical_host_.reset(new LogicalHost(info_, hostname_, new_address, localityLbEndpoint(), + lbEndpoint(), nullptr)); const auto& locality_lb_endpoint = localityLbEndpoint(); PriorityStateManager priority_state_manager(*this, local_info_, nullptr); diff --git a/source/common/upstream/logical_host.cc b/source/common/upstream/logical_host.cc index a6c9c20ede4ce..a196e8fbd2344 100644 --- a/source/common/upstream/logical_host.cc +++ b/source/common/upstream/logical_host.cc 
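Review bot: TransportSocketOptionsImpl gains override_verify_san_list_, but hashKey() is only declared here and its definition is not in this patch, so it is not visible whether the SAN list is folded into the key. If it is not, two options that differ only in the SAN list hash identically and could share a connection pool, letting a connection verified against one SAN list serve requests that expected another; in the dynamic forward proxy both fields are derived from the same host, so this may not be reachable today, but the invariant should hold on its own. Worth a comment on the member, `// Must be included in hashKey() so pools are never shared across different verification requirements.`, or a unit test asserting that hashKey() differs when only the SAN list differs. As a minor style point, a sink parameter is conventionally taken by value (`std::vector<std::string> override_verify_san_list = {}`) rather than by rvalue reference.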
@@ -8,7 +8,9 @@ Upstream::Host::CreateConnectionData LogicalHost::createConnection( Network::TransportSocketOptionsSharedPtr transport_socket_options) const { const auto current_address = address(); return {HostImpl::createConnection(dispatcher, cluster(), current_address, options, - transport_socket_options), + override_transport_socket_options_ != nullptr + ? override_transport_socket_options_ + : transport_socket_options), std::make_shared(current_address, shared_from_this())}; } diff --git a/source/common/upstream/logical_host.h b/source/common/upstream/logical_host.h index 48efa0f66d063..a1ed7eee2f9e4 100644 --- a/source/common/upstream/logical_host.h +++ b/source/common/upstream/logical_host.h @@ -14,11 +14,13 @@ class LogicalHost : public HostImpl { LogicalHost(const ClusterInfoConstSharedPtr& cluster, const std::string& hostname, const Network::Address::InstanceConstSharedPtr& address, const envoy::api::v2::endpoint::LocalityLbEndpoints& locality_lb_endpoint, - const envoy::api::v2::endpoint::LbEndpoint& lb_endpoint) + const envoy::api::v2::endpoint::LbEndpoint& lb_endpoint, + const Network::TransportSocketOptionsSharedPtr& override_transport_socket_options) : HostImpl(cluster, hostname, address, lb_endpoint.metadata(), lb_endpoint.load_balancing_weight().value(), locality_lb_endpoint.locality(), lb_endpoint.endpoint().health_check_config(), locality_lb_endpoint.priority(), - lb_endpoint.health_status()) {} + lb_endpoint.health_status()), + override_transport_socket_options_(override_transport_socket_options) {} // Set the new address. Updates are typically rare so a R/W lock is used for address updates. // Note that the health check address update requires no lock to be held since it is only @@ -51,6 +53,7 @@ class LogicalHost : public HostImpl { } private: + const Network::TransportSocketOptionsSharedPtr override_transport_socket_options_; mutable absl::Mutex address_lock_; }; 
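Review bot: LogicalHost::createConnection() now substitutes override_transport_socket_options_ for the caller's transport_socket_options wholesale, so any per-request options a caller passes (an SNI override, for example) are silently dropped whenever a host-level override exists, and nothing in the logical_host.h hunk documents that. Suggest a comment on the new member, `// When non-null, used instead of (not merged with) the options passed to createConnection().`, so future callers do not assume their options still apply. createConnection()'s signature begins outside the hunk.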
@@ -100,98 +103,5 @@ class RealHostDescription : public HostDescription { const HostConstSharedPtr logical_host_; }; -/** - * Pass-through wrapper for cluster info. Derived classes can you use this class as a base if they - * need to override individual methods. - */ -class ClusterInfoWrapper : public Upstream::ClusterInfo { -public: - ClusterInfoWrapper(const Upstream::ClusterInfoConstSharedPtr& real_cluster_info) - : real_cluster_info_(real_cluster_info) {} - - // Upstream::ClusterInfo - bool addedViaApi() const override { return real_cluster_info_->addedViaApi(); } - std::chrono::milliseconds connectTimeout() const override { - return real_cluster_info_->connectTimeout(); - } - const absl::optional idleTimeout() const override { - return real_cluster_info_->idleTimeout(); - } - uint32_t perConnectionBufferLimitBytes() const override { - return real_cluster_info_->perConnectionBufferLimitBytes(); - } - uint64_t features() const override { return real_cluster_info_->features(); } - const Http::Http2Settings& http2Settings() const override { - return real_cluster_info_->http2Settings(); - } - const envoy::api::v2::Cluster::CommonLbConfig& lbConfig() const override { - return real_cluster_info_->lbConfig(); - } - Upstream::LoadBalancerType lbType() const override { return real_cluster_info_->lbType(); } - envoy::api::v2::Cluster::DiscoveryType type() const override { - return real_cluster_info_->type(); - } - const absl::optional& clusterType() const override { - return real_cluster_info_->clusterType(); - } - const absl::optional& - lbLeastRequestConfig() const override { - return real_cluster_info_->lbLeastRequestConfig(); - } - const absl::optional& - lbRingHashConfig() const override { - return real_cluster_info_->lbRingHashConfig(); - } - const absl::optional& - lbOriginalDstConfig() const override { - return real_cluster_info_->lbOriginalDstConfig(); - } - bool maintenanceMode() const override { return real_cluster_info_->maintenanceMode(); } - uint64_t 
maxRequestsPerConnection() const override { - return real_cluster_info_->maxRequestsPerConnection(); - } - const std::string& name() const override { return real_cluster_info_->name(); } - Upstream::ResourceManager& resourceManager(Upstream::ResourcePriority priority) const override { - return real_cluster_info_->resourceManager(priority); - } - Network::TransportSocketFactory& transportSocketFactory() const override { - return real_cluster_info_->transportSocketFactory(); - } - Upstream::ClusterStats& stats() const override { return real_cluster_info_->stats(); } - Stats::Scope& statsScope() const override { return real_cluster_info_->statsScope(); } - Upstream::ClusterLoadReportStats& loadReportStats() const override { - return real_cluster_info_->loadReportStats(); - } - const Network::Address::InstanceConstSharedPtr& sourceAddress() const override { - return real_cluster_info_->sourceAddress(); - } - const Upstream::LoadBalancerSubsetInfo& lbSubsetInfo() const override { - return real_cluster_info_->lbSubsetInfo(); - } - const envoy::api::v2::core::Metadata& metadata() const override { - return real_cluster_info_->metadata(); - } - const Envoy::Config::TypedMetadata& typedMetadata() const override { - return real_cluster_info_->typedMetadata(); - } - const Network::ConnectionSocket::OptionsSharedPtr& clusterSocketOptions() const override { - return real_cluster_info_->clusterSocketOptions(); - } - bool drainConnectionsOnHostRemoval() const override { - return real_cluster_info_->drainConnectionsOnHostRemoval(); - } - bool warmHosts() const override { return real_cluster_info_->warmHosts(); } - absl::optional eds_service_name() const override { - return real_cluster_info_->eds_service_name(); - } - Upstream::ProtocolOptionsConfigConstSharedPtr - extensionProtocolOptions(const std::string& name) const override { - return real_cluster_info_->extensionProtocolOptions(name); - } - -private: - const Upstream::ClusterInfoConstSharedPtr real_cluster_info_; -}; - } // 
namespace Upstream } // namespace Envoy diff --git a/source/extensions/clusters/dynamic_forward_proxy/BUILD b/source/extensions/clusters/dynamic_forward_proxy/BUILD index 861a2da0a10b4..51ba531f70b74 100644 --- a/source/extensions/clusters/dynamic_forward_proxy/BUILD +++ b/source/extensions/clusters/dynamic_forward_proxy/BUILD @@ -13,6 +13,7 @@ envoy_cc_library( srcs = ["cluster.cc"], hdrs = ["cluster.h"], deps = [ + "//source/common/network:transport_socket_options_lib", "//source/common/upstream:cluster_factory_lib", "//source/common/upstream:logical_host_lib", "//source/extensions/clusters:well_known_names", diff --git a/source/extensions/clusters/dynamic_forward_proxy/cluster.cc b/source/extensions/clusters/dynamic_forward_proxy/cluster.cc index 988083e2e46ae..37bfa8f6f5b5f 100644 --- a/source/extensions/clusters/dynamic_forward_proxy/cluster.cc +++ b/source/extensions/clusters/dynamic_forward_proxy/cluster.cc @@ -1,5 +1,7 @@ #include "extensions/clusters/dynamic_forward_proxy/cluster.h" +#include "common/network/transport_socket_options_impl.h" + #include "extensions/common/dynamic_forward_proxy/dns_cache_manager_impl.h" namespace Envoy { @@ -7,22 +9,6 @@ namespace Extensions { namespace Clusters { namespace DynamicForwardProxy { -class ClusterInfoWithOverridenTls : public Upstream::ClusterInfoWrapper { -public: - ClusterInfoWithOverridenTls(const Upstream::ClusterInfoConstSharedPtr& real_cluster_info, - Network::TransportSocketFactoryPtr&& transport_socket_factory) - : ClusterInfoWrapper(real_cluster_info), - transport_socket_factory_(std::move(transport_socket_factory)) {} - - // Upstream::ClusterInfo - Network::TransportSocketFactory& transportSocketFactory() const override { - return *transport_socket_factory_; - } - -private: - const Network::TransportSocketFactoryPtr transport_socket_factory_; -}; - Cluster::Cluster( const envoy::api::v2::Cluster& cluster, const envoy::config::cluster::dynamic_forward_proxy::v2alpha::ClusterConfig& config, 
@@ -33,15 +19,9 @@ Cluster::Cluster( Stats::ScopePtr&& stats_scope, bool added_via_api) : Upstream::BaseDynamicClusterImpl(cluster, runtime, factory_context, std::move(stats_scope), added_via_api), - cluster_config_(cluster), dns_cache_manager_(cache_manager_factory.get()), + dns_cache_manager_(cache_manager_factory.get()), dns_cache_(dns_cache_manager_->getCache(config.dns_cache_config())), update_callbacks_handle_(dns_cache_->addUpdateCallbacks(*this)), local_info_(local_info), - transport_factory_context_(factory_context.admin(), factory_context.sslContextManager(), - factory_context.statsScope(), factory_context.clusterManager(), - factory_context.localInfo(), factory_context.dispatcher(), - factory_context.random(), factory_context.stats(), - factory_context.singletonManager(), factory_context.threadLocal(), - factory_context.messageValidationVisitor(), factory_context.api()), host_map_(std::make_shared()) { // TODO(mattklein123): Technically, we should support attaching to an already warmed DNS cache. // This will require adding a hosts() or similar API to the cache and 
@@ -101,31 +81,20 @@ void Cluster::onDnsHostAddOrUpdate( } ENVOY_LOG(debug, "adding new dfproxy cluster host '{}'", host); - Upstream::ClusterInfoConstSharedPtr cluster_info_to_use; - if (createCustomTlsForHost()) { - // Create an override cluster configuration that automatically provides both SNI as well as - // SAN verification for the resolved host if the cluster has been configured with TLS. - // TODO(mattklein123): The fact that we are copying the cluster config, etc. is not very clean. - // consider streamlining this in the future. - // TODO(mattklein123): If the host is an IP address we should not set SNI. - envoy::api::v2::Cluster override_cluster = cluster_config_; - override_cluster.mutable_tls_context()->set_sni(host_info->resolvedHost()); - override_cluster.mutable_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context() - ->add_verify_subject_alt_name(host_info->resolvedHost()); - cluster_info_to_use = std::make_shared( - info(), - Upstream::createTransportSocketFactory(override_cluster, transport_factory_context_)); - } else { - cluster_info_to_use = info(); - } + + // Create an override transport socket options that automatically provides both SNI as well as + // SAN verification for the resolved host if the cluster has been configured with TLS. + // TODO(mattklein123): If the host is an IP address we should not set SNI. 
+ Network::TransportSocketOptionsSharedPtr transport_socket_options = + std::make_shared( + host_info->resolvedHost(), std::vector{host_info->resolvedHost()}); const auto new_host_map = std::make_shared(*current_map); - const auto emplaced = new_host_map->try_emplace( - host, host_info, - std::make_shared(cluster_info_to_use, host, host_info->address(), - dummy_locality_lb_endpoint_, dummy_lb_endpoint_)); + const auto emplaced = + new_host_map->try_emplace(host, host_info, + std::make_shared( + info(), host, host_info->address(), dummy_locality_lb_endpoint_, + dummy_lb_endpoint_, transport_socket_options)); Upstream::HostVector hosts_added; hosts_added.emplace_back(emplaced.first->second.logical_host_); @@ -134,12 +103,6 @@ void Cluster::onDnsHostAddOrUpdate( swapAndUpdateMap(new_host_map, hosts_added, {}); } -bool Cluster::createCustomTlsForHost() { - // TODO(mattklein123): Consider custom settings per host and/or global cluster config to turn this - // off. - return !cluster_config_.has_transport_socket() && cluster_config_.has_tls_context(); -} - void Cluster::swapAndUpdateMap(const HostInfoMapSharedPtr& new_hosts_map, const Upstream::HostVector& hosts_added, const Upstream::HostVector& hosts_removed) { diff --git a/source/extensions/clusters/dynamic_forward_proxy/cluster.h b/source/extensions/clusters/dynamic_forward_proxy/cluster.h index 76c78fe6ad4af..7635e91cb49b3 100644 --- a/source/extensions/clusters/dynamic_forward_proxy/cluster.h +++ b/source/extensions/clusters/dynamic_forward_proxy/cluster.h @@ -6,8 +6,6 @@ #include "common/upstream/cluster_factory_impl.h" #include "common/upstream/logical_host.h" -#include "server/transport_socket_config_impl.h" - #include "extensions/clusters/well_known_names.h" #include "extensions/common/dynamic_forward_proxy/dns_cache.h" 
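Review bot: The comment above the new TransportSocketOptionsImpl construction still says the options apply "if the cluster has been configured with TLS", but with createCustomTlsForHost() removed in the next hunk of this file nothing checks that any more; the options are now attached to every host and it is the transport socket that decides whether to honour them. Suggest rewording to `// Always attach per-host SNI and SAN-verification overrides; non-TLS transport sockets ignore them.` so the comment matches the code. The retained TODO about IP-literal hosts is still a correctness gap worth tracking: an IP literal is not valid server_name content, and whether resolvedHost() matches an IP SAN depends on verifySubjectAltName(), which is not visible here. The onDnsHostAddOrUpdate() body begins outside the hunk.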
@@ -97,9 +95,7 @@ class Cluster : public Upstream::BaseDynamicClusterImpl, void swapAndUpdateMap(const HostInfoMapSharedPtr& new_hosts_map, const Upstream::HostVector& hosts_added, const Upstream::HostVector& hosts_removed); - bool createCustomTlsForHost(); - const envoy::api::v2::Cluster cluster_config_; const Extensions::Common::DynamicForwardProxy::DnsCacheManagerSharedPtr dns_cache_manager_; const Extensions::Common::DynamicForwardProxy::DnsCacheSharedPtr dns_cache_; const Extensions::Common::DynamicForwardProxy::DnsCache::AddUpdateCallbacksHandlePtr @@ -107,7 +103,6 @@ class Cluster : public Upstream::BaseDynamicClusterImpl, const envoy::api::v2::endpoint::LocalityLbEndpoints dummy_locality_lb_endpoint_; const envoy::api::v2::endpoint::LbEndpoint dummy_lb_endpoint_; const LocalInfo::LocalInfo& local_info_; - Server::Configuration::TransportSocketFactoryContextImpl transport_factory_context_; absl::Mutex host_map_lock_; HostInfoMapSharedPtr host_map_ ABSL_GUARDED_BY(host_map_lock_); diff --git a/source/extensions/transport_sockets/tls/context_impl.cc b/source/extensions/transport_sockets/tls/context_impl.cc index 11ffa4d5bb095..7ef9bd33051ce 100644 --- a/source/extensions/transport_sockets/tls/context_impl.cc +++ b/source/extensions/transport_sockets/tls/context_impl.cc @@ -387,7 +387,7 @@ std::vector ContextImpl::parseAlpnProtocols(const std::string& alpn_pro return out; } -bssl::UniquePtr ContextImpl::newSsl(absl::optional) { +bssl::UniquePtr ContextImpl::newSsl(const Network::TransportSocketOptions*) { // We use the first certificate for a new SSL object, later in the // SSL_CTX_set_select_certificate_cb() callback following ClientHello, we replace with the // selected certificate via SSL_set_SSL_CTX(). 
@@ -419,12 +419,18 @@ int ContextImpl::verifyCallback(X509_STORE_CTX* store_ctx, void* arg) { SSL* ssl = reinterpret_cast( X509_STORE_CTX_get_ex_data(store_ctx, SSL_get_ex_data_X509_STORE_CTX_idx())); bssl::UniquePtr cert(SSL_get_peer_certificate(ssl)); - return impl->verifyCertificate(cert.get()); + + const Network::TransportSocketOptions* transport_socket_options = + static_cast(SSL_get_app_data(ssl)); + return impl->verifyCertificate( + cert.get(), transport_socket_options && + !transport_socket_options->verifySubjectAltNameListOverride().empty() + ? transport_socket_options->verifySubjectAltNameListOverride() + : impl->verify_subject_alt_name_list_); } -int ContextImpl::verifyCertificate(X509* cert) { - if (!verify_subject_alt_name_list_.empty() && - !verifySubjectAltName(cert, verify_subject_alt_name_list_)) { +int ContextImpl::verifyCertificate(X509* cert, const std::vector& verify_san_list) { + if (!verify_san_list.empty() && !verifySubjectAltName(cert, verify_san_list)) { stats_.fail_verify_san_.inc(); return 0; } 
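Review bot: verifyCallback() static_casts SSL_get_app_data(ssl) to const Network::TransportSocketOptions*, which is only sound if no other code ever stores a different type in that slot and if the options object outlives the SSL object; the setter in the ClientContextImpl::newSsl hunk stores the raw `options` pointer, so the lifetime guarantee rests on the caller (SslSocket holding the shared_ptr), and neither place says so. Suggest a comment at the cast, `// App data is only ever set by ClientContextImpl::newSsl() to the TransportSocketOptions owned by the SslSocket, which outlives this SSL.`, and a matching note at the SSL_set_app_data() call. verifyCallback() begins outside the hunk.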
@@ -664,17 +670,23 @@ ClientContextImpl::ClientContextImpl(Stats::Scope& scope, } } -bssl::UniquePtr ClientContextImpl::newSsl(absl::optional override_server_name) { - bssl::UniquePtr ssl_con(ContextImpl::newSsl(absl::nullopt)); +bssl::UniquePtr ClientContextImpl::newSsl(const Network::TransportSocketOptions* options) { + bssl::UniquePtr ssl_con(ContextImpl::newSsl(options)); - std::string server_name_indication = - override_server_name.has_value() ? override_server_name.value() : server_name_indication_; + const std::string server_name_indication = options && options->serverNameOverride().has_value() + ? options->serverNameOverride().value() + : server_name_indication_; if (!server_name_indication.empty()) { int rc = SSL_set_tlsext_host_name(ssl_con.get(), server_name_indication.c_str()); RELEASE_ASSERT(rc, ""); } + if (options && !options->verifySubjectAltNameListOverride().empty()) { + SSL_set_app_data(ssl_con.get(), options); + SSL_set_verify(ssl_con.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr); + } + if (allow_renegotiation_) { SSL_set_renegotiate_mode(ssl_con.get(), ssl_renegotiate_freely); } diff --git a/source/extensions/transport_sockets/tls/context_impl.h b/source/extensions/transport_sockets/tls/context_impl.h index 57c8ffbdec350..c4cf67d6cfa8a 100644 --- a/source/extensions/transport_sockets/tls/context_impl.h +++ b/source/extensions/transport_sockets/tls/context_impl.h @@ -5,6 +5,7 @@ #include #include +#include "envoy/network/transport_socket.h" #include "envoy/ssl/context.h" #include "envoy/ssl/context_config.h" #include "envoy/stats/scope.h" @@ -46,7 +47,7 @@ struct SslStats { class ContextImpl : public virtual Envoy::Ssl::Context { public: - virtual bssl::UniquePtr newSsl(absl::optional override_server_name); + virtual bssl::UniquePtr newSsl(const Network::TransportSocketOptions* options); /** * Logs successful TLS handshake and updates stats. 
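Review bot: ClientContextImpl::newSsl() forces SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT on the connection only when a SAN override is present, without a comment explaining why a per-host override changes the verify mode when the context-level SAN list does not. Presumably the per-host list is only enforced if the peer certificate is actually requested, so this is the fail-closed choice, but the behaviour when the cluster's TLS context has no trusted CA configured is not visible in this hunk and deserves an explicit test alongside UpstreamTlsInvalidSAN. Suggest `// A per-host SAN override must not be silently skipped: require and verify the peer certificate on this connection regardless of the context's default verify mode.`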
@@ -94,7 +95,7 @@ class ContextImpl : public virtual Envoy::Ssl::Context { // A SSL_CTX_set_cert_verify_callback for custom cert validation. static int verifyCallback(X509_STORE_CTX* store_ctx, void* arg); - int verifyCertificate(X509* cert); + int verifyCertificate(X509* cert, const std::vector& verify_san_list); /** * Verifies certificate hash for pinning. The hash is a hex-encoded SHA-256 of the DER-encoded @@ -168,7 +169,7 @@ class ClientContextImpl : public ContextImpl, public Envoy::Ssl::ClientContext { ClientContextImpl(Stats::Scope& scope, const Envoy::Ssl::ClientContextConfig& config, TimeSource& time_source); - bssl::UniquePtr newSsl(absl::optional override_server_name) override; + bssl::UniquePtr newSsl(const Network::TransportSocketOptions* options) override; private: int newSessionKey(SSL_SESSION* session); diff --git a/source/extensions/transport_sockets/tls/ssl_socket.cc b/source/extensions/transport_sockets/tls/ssl_socket.cc index 519495a1b76b8..d6b63be7d0918 100644 --- a/source/extensions/transport_sockets/tls/ssl_socket.cc +++ b/source/extensions/transport_sockets/tls/ssl_socket.cc @@ -43,11 +43,10 @@ class NotReadySslSocket : public Network::TransportSocket { } // namespace SslSocket::SslSocket(Envoy::Ssl::ContextSharedPtr ctx, InitialState state, - Network::TransportSocketOptionsSharedPtr transport_socket_options) - : ctx_(std::dynamic_pointer_cast(ctx)), - ssl_(ctx_->newSsl(transport_socket_options != nullptr - ? transport_socket_options->serverNameOverride() - : absl::nullopt)) { + const Network::TransportSocketOptionsSharedPtr& transport_socket_options) + : transport_socket_options_(transport_socket_options), + ctx_(std::dynamic_pointer_cast(ctx)), + ssl_(ctx_->newSsl(transport_socket_options_.get())) { if (state == InitialState::Client) { SSL_set_connect_state(ssl_.get()); } else { diff --git a/source/extensions/transport_sockets/tls/ssl_socket.h b/source/extensions/transport_sockets/tls/ssl_socket.h index 7b00ba406387f..549ffbf83696f 100644 
--- a/source/extensions/transport_sockets/tls/ssl_socket.h +++ b/source/extensions/transport_sockets/tls/ssl_socket.h @@ -44,7 +44,7 @@ class SslSocket : public Network::TransportSocket, protected Logger::Loggable { public: SslSocket(Envoy::Ssl::ContextSharedPtr ctx, InitialState state, - Network::TransportSocketOptionsSharedPtr transport_socket_options); + const Network::TransportSocketOptionsSharedPtr& transport_socket_options); // Ssl::ConnectionInfo bool peerCertificatePresented() const override; @@ -90,6 +90,7 @@ class SslSocket : public Network::TransportSocket, void drainErrorQueue(); void shutdownSsl(); + const Network::TransportSocketOptionsSharedPtr transport_socket_options_; Network::TransportSocketCallbacks* callbacks_{}; ContextImplSharedPtr ctx_; bssl::UniquePtr ssl_; diff --git a/test/common/upstream/BUILD b/test/common/upstream/BUILD index a9aa938dbb332..7bbf8314c71e6 100644 --- a/test/common/upstream/BUILD +++ b/test/common/upstream/BUILD @@ -300,15 +300,6 @@ envoy_cc_test( ], ) -envoy_cc_test( - name = "logical_host_test", - srcs = ["logical_host_test.cc"], - deps = [ - "//source/common/upstream:logical_host_lib", - "//test/mocks/upstream:cluster_info_mocks", - ], -) - envoy_cc_test( name = "ring_hash_lb_test", srcs = ["ring_hash_lb_test.cc"], diff --git a/test/common/upstream/logical_host_test.cc b/test/common/upstream/logical_host_test.cc deleted file mode 100644 index 17b2fc4d91ca2..0000000000000 --- a/test/common/upstream/logical_host_test.cc +++ /dev/null 
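Review bot: The new transport_socket_options_ member in SslSocket is declared ahead of ctx_ and ssl_, and that ordering is load-bearing: the constructor in the ssl_socket.cc hunk passes transport_socket_options_.get() to newSsl(), which in the context_impl.cc hunk may stash that raw pointer in the SSL app data, so the options must be constructed before and destroyed after ssl_. Nothing pins that down, and a later reorder would silently dangle. Suggest `// Must precede ssl_: newSsl() may store a raw pointer to these options in the SSL app data.`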
@@ -1,79 +0,0 @@ -#include "common/upstream/logical_host.h" - -#include "test/mocks/upstream/cluster_info.h" - -using testing::InSequence; - -namespace Envoy { -namespace Upstream { - -TEST(ClusterInfoWrapperTest, PassThrough) { - InSequence s; - - auto cluster_info = std::make_shared(); - ClusterInfoWrapper wrapper(cluster_info); - - EXPECT_CALL(*cluster_info, addedViaApi()); - wrapper.addedViaApi(); - EXPECT_CALL(*cluster_info, connectTimeout()); - wrapper.connectTimeout(); - EXPECT_CALL(*cluster_info, idleTimeout()); - wrapper.idleTimeout(); - EXPECT_CALL(*cluster_info, perConnectionBufferLimitBytes()); - wrapper.perConnectionBufferLimitBytes(); - EXPECT_CALL(*cluster_info, features()); - wrapper.features(); - EXPECT_CALL(*cluster_info, http2Settings()); - wrapper.http2Settings(); - EXPECT_CALL(*cluster_info, lbConfig()); - wrapper.lbConfig(); - EXPECT_CALL(*cluster_info, lbType()); - wrapper.lbType(); - EXPECT_CALL(*cluster_info, type()); - wrapper.type(); - EXPECT_CALL(*cluster_info, clusterType()); - wrapper.clusterType(); - EXPECT_CALL(*cluster_info, lbLeastRequestConfig()); - wrapper.lbLeastRequestConfig(); - EXPECT_CALL(*cluster_info, lbRingHashConfig()); - wrapper.lbRingHashConfig(); - EXPECT_CALL(*cluster_info, lbOriginalDstConfig()); - wrapper.lbOriginalDstConfig(); - EXPECT_CALL(*cluster_info, maintenanceMode()); - wrapper.maintenanceMode(); - EXPECT_CALL(*cluster_info, maxRequestsPerConnection()); - wrapper.maxRequestsPerConnection(); - EXPECT_CALL(*cluster_info, name()); - wrapper.name(); - EXPECT_CALL(*cluster_info, resourceManager(ResourcePriority::High)); - wrapper.resourceManager(ResourcePriority::High); - EXPECT_CALL(*cluster_info, transportSocketFactory()); - wrapper.transportSocketFactory(); - EXPECT_CALL(*cluster_info, stats()); - wrapper.stats(); - EXPECT_CALL(*cluster_info, statsScope()); - wrapper.statsScope(); - EXPECT_CALL(*cluster_info, loadReportStats()); - wrapper.loadReportStats(); - EXPECT_CALL(*cluster_info, sourceAddress()); - 
wrapper.sourceAddress(); - EXPECT_CALL(*cluster_info, lbSubsetInfo()); - wrapper.lbSubsetInfo(); - EXPECT_CALL(*cluster_info, metadata()); - wrapper.metadata(); - EXPECT_CALL(*cluster_info, typedMetadata()); - wrapper.typedMetadata(); - EXPECT_CALL(*cluster_info, clusterSocketOptions()); - wrapper.clusterSocketOptions(); - EXPECT_CALL(*cluster_info, drainConnectionsOnHostRemoval()); - wrapper.drainConnectionsOnHostRemoval(); - EXPECT_CALL(*cluster_info, warmHosts()); - wrapper.warmHosts(); - EXPECT_CALL(*cluster_info, eds_service_name()); - wrapper.eds_service_name(); - EXPECT_CALL(*cluster_info, extensionProtocolOptions("foo")); - wrapper.extensionProtocolOptions("foo"); -} - -} // namespace Upstream -} // namespace Envoy diff --git a/test/extensions/clusters/dynamic_forward_proxy/cluster_test.cc b/test/extensions/clusters/dynamic_forward_proxy/cluster_test.cc index d15870581e24f..6d8db1e762b73 100644 --- a/test/extensions/clusters/dynamic_forward_proxy/cluster_test.cc +++ b/test/extensions/clusters/dynamic_forward_proxy/cluster_test.cc @@ -67,6 +67,7 @@ class ClusterTest : public testing::Test, // Allow touch() to still be strict. EXPECT_CALL(*host_map_[host], address()).Times(AtLeast(0)); + EXPECT_CALL(*host_map_[host], resolvedHost()).Times(AtLeast(0)); } void updateTestHostAddress(const std::string& host, const std::string& address) { diff --git a/test/extensions/common/dynamic_forward_proxy/mocks.cc b/test/extensions/common/dynamic_forward_proxy/mocks.cc index f2d6c207c009c..9fc2137943343 100644 --- a/test/extensions/common/dynamic_forward_proxy/mocks.cc +++ b/test/extensions/common/dynamic_forward_proxy/mocks.cc @@ -3,6 +3,7 @@ using testing::_; using testing::Return; using testing::ReturnPointee; +using testing::ReturnRef; namespace Envoy { namespace Extensions { 
@@ -22,6 +23,7 @@ MockDnsCacheManager::~MockDnsCacheManager() = default;
MockDnsHostInfo::MockDnsHostInfo() {
ON_CALL(*this, address()).WillByDefault(ReturnPointee(&address_));
+ ON_CALL(*this, resolvedHost()).WillByDefault(ReturnRef(resolved_host_));
}
MockDnsHostInfo::~MockDnsHostInfo() = default;
diff --git a/test/extensions/common/dynamic_forward_proxy/mocks.h b/test/extensions/common/dynamic_forward_proxy/mocks.h
index 8078abada11c4..0c65895c1f7dd 100644
--- a/test/extensions/common/dynamic_forward_proxy/mocks.h
+++ b/test/extensions/common/dynamic_forward_proxy/mocks.h
@@ -66,6 +66,7 @@ class MockDnsHostInfo : public DnsHostInfo {
MOCK_METHOD0(touch, void());
Network::Address::InstanceConstSharedPtr address_;
+ std::string resolved_host_;
};
class MockUpdateCallbacks : public DnsCache::UpdateCallbacks {
diff --git a/test/mocks/upstream/cluster_info.cc b/test/mocks/upstream/cluster_info.cc
index 9bf6d3e98d671..d34c8fa20fe16 100644
--- a/test/mocks/upstream/cluster_info.cc
+++ b/test/mocks/upstream/cluster_info.cc
@@ -66,7 +66,6 @@ MockClusterInfo::MockClusterInfo()
ON_CALL(*this, sourceAddress()).WillByDefault(ReturnRef(source_address_));
ON_CALL(*this, lbSubsetInfo()).WillByDefault(ReturnRef(lb_subset_));
ON_CALL(*this, lbRingHashConfig()).WillByDefault(ReturnRef(lb_ring_hash_config_));
- ON_CALL(*this, lbLeastRequestConfig()).WillByDefault(ReturnRef(lb_least_request_config_));
ON_CALL(*this, lbOriginalDstConfig()).WillByDefault(ReturnRef(lb_original_dst_config_));
ON_CALL(*this, lbConfig()).WillByDefault(ReturnRef(lb_config_));
ON_CALL(*this, clusterSocketOptions()).WillByDefault(ReturnRef(cluster_socket_options_));
diff --git a/test/mocks/upstream/cluster_info.h b/test/mocks/upstream/cluster_info.h
index 9342b79fcdbdd..46b318c3f36d3 100644
--- a/test/mocks/upstream/cluster_info.h
+++ b/test/mocks/upstream/cluster_info.h
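Review bot: `std::string resolved_host_;` is the storage that `resolvedHost()` hands out by reference (the mocks.cc hunk wires it with `ReturnRef(resolved_host_)`), yet it carries no comment, so a reader of the mock cannot tell that it stays empty until a test assigns it. I would add `// Returned by reference from resolvedHost(); empty unless a test sets it, so tests that depend on the host name (e.g. per-host SNI/SAN) must assign it explicitly.` above the member. The class continues outside this hunk.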
@@ -125,7 +125,6 @@ class MockClusterInfo : public ClusterInfo {
absl::optional cluster_type_;
NiceMock lb_subset_;
absl::optional lb_ring_hash_config_;
- absl::optional lb_least_request_config_;
absl::optional lb_original_dst_config_;
Network::ConnectionSocket::OptionsSharedPtr cluster_socket_options_;
envoy::api::v2::Cluster::CommonLbConfig lb_config_;
