diff --git a/networking/v1/destination_rule.pb.go b/networking/v1/destination_rule.pb.go
index 9ead81a5b4d..8aa89bb168b 100644
--- a/networking/v1/destination_rule.pb.go
+++ b/networking/v1/destination_rule.pb.go
@@ -1264,7 +1264,8 @@ type ClientTLSSettings struct {
 PrivateKey string `protobuf:"bytes,3,opt,name=private_key,json=privateKey,proto3" json:"private_key,omitempty"`
 // OPTIONAL: The path to the file containing certificate authority
 // certificates to use in verifying a presented server certificate. If
- // omitted, the proxy will not verify the server's certificate.
+ // omitted, the proxy will verify the server's certificate using
+ // the OS CA certificates.
 // Should be empty if mode is `ISTIO_MUTUAL`.
 CaCertificates string `protobuf:"bytes,4,opt,name=ca_certificates,json=caCertificates,proto3" json:"ca_certificates,omitempty"`
 // The name of the secret that holds the TLS certs for the
@@ -1293,26 +1294,15 @@ type ClientTLSSettings struct {
 // If specified, this list overrides the value of subject_alt_names
 // from the ServiceEntry. If unspecified, automatic validation of upstream
 // presented certificate for new upstream connections will be done based on the
- // downstream HTTP host/authority header, provided `VERIFY_CERTIFICATE_AT_CLIENT`
- // and `ENABLE_AUTO_SNI` environmental variables are set to `true`.
+ // downstream HTTP host/authority header.
 SubjectAltNames []string `protobuf:"bytes,5,rep,name=subject_alt_names,json=subjectAltNames,proto3" json:"subject_alt_names,omitempty"`
 // SNI string to present to the server during TLS handshake.
 // If unspecified, SNI will be automatically set based on downstream HTTP
- // host/authority header for SIMPLE and MUTUAL TLS modes, provided `ENABLE_AUTO_SNI`
- // environmental variable is set to `true`.
+ // host/authority header for SIMPLE and MUTUAL TLS modes.
 Sni string `protobuf:"bytes,6,opt,name=sni,proto3" json:"sni,omitempty"`
 // `insecureSkipVerify` specifies whether the proxy should skip verifying the
 // CA signature and SAN for the server certificate corresponding to the host.
- // This flag should only be set if global CA signature verification is
- // enabled, `VERIFY_CERTIFICATE_AT_CLIENT` environmental variable is set to `true`,
- // but no verification is desired for a specific host. If enabled with or
- // without `VERIFY_CERTIFICATE_AT_CLIENT` enabled, verification of the CA signature and
- // SAN will be skipped.
- //
- // `insecureSkipVerify` is `false` by default.
- // `VERIFY_CERTIFICATE_AT_CLIENT` is `false` by default in Istio version 1.9 but will
- // be `true` by default in a later version where, going forward, it will be
- // enabled by default.
+ // The default value of this field is false.
 InsecureSkipVerify *wrappers.BoolValue `protobuf:"bytes,8,opt,name=insecure_skip_verify,json=insecureSkipVerify,proto3" json:"insecure_skip_verify,omitempty"`
 // OPTIONAL: The path to the file containing the certificate revocation list (CRL)
 // to use in verifying a presented server certificate. `CRL` is a list of certificates
diff --git a/networking/v1/destination_rule.proto b/networking/v1/destination_rule.proto
index ad346907758..6c92b40296f 100644
--- a/networking/v1/destination_rule.proto
+++ b/networking/v1/destination_rule.proto
@@ -829,7 +829,8 @@ message ClientTLSSettings {
 // OPTIONAL: The path to the file containing certificate authority
 // certificates to use in verifying a presented server certificate. If
- // omitted, the proxy will not verify the server's certificate.
+ // omitted, the proxy will verify the server's certificate using
+ // the OS CA certificates.
 // Should be empty if mode is `ISTIO_MUTUAL`.
 string ca_certificates = 4;
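Review bot: The rewritten `ca_certificates` comment changes what an omitted field means — from no verification to verification against the OS CA certificates — but says nothing about what that implies for existing configurations; the same wording is in the v1alpha3 and v1beta1 proto hunks and the generated .pb.go copies. If the new text is accurate, a deployment whose upstream presents a certificate from a private CA and that never set `ca_certificates` would start failing verification instead of silently connecting, so the comment should tell operators the field (or the credential secret) is now required for privately signed upstreams. "OS CA certificates" is also left unqualified; presumably this means the proxy's own system trust store rather than the application container's, and spelling that out would avoid an easy misreading. Suggested addition after the new lines: `// Upstreams signed by a private CA must have that CA supplied here (or via the credential secret) to pass verification.`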
@@ -860,28 +861,17 @@ message ClientTLSSettings {
 // If specified, this list overrides the value of subject_alt_names
 // from the ServiceEntry. If unspecified, automatic validation of upstream
 // presented certificate for new upstream connections will be done based on the
- // downstream HTTP host/authority header, provided `VERIFY_CERTIFICATE_AT_CLIENT`
- // and `ENABLE_AUTO_SNI` environmental variables are set to `true`.
+ // downstream HTTP host/authority header.
 repeated string subject_alt_names = 5;
 // SNI string to present to the server during TLS handshake.
 // If unspecified, SNI will be automatically set based on downstream HTTP
- // host/authority header for SIMPLE and MUTUAL TLS modes, provided `ENABLE_AUTO_SNI`
- // environmental variable is set to `true`.
+ // host/authority header for SIMPLE and MUTUAL TLS modes.
 string sni = 6;
 // `insecureSkipVerify` specifies whether the proxy should skip verifying the
 // CA signature and SAN for the server certificate corresponding to the host.
- // This flag should only be set if global CA signature verification is
- // enabled, `VERIFY_CERTIFICATE_AT_CLIENT` environmental variable is set to `true`,
- // but no verification is desired for a specific host. If enabled with or
- // without `VERIFY_CERTIFICATE_AT_CLIENT` enabled, verification of the CA signature and
- // SAN will be skipped.
- //
- // `insecureSkipVerify` is `false` by default.
- // `VERIFY_CERTIFICATE_AT_CLIENT` is `false` by default in Istio version 1.9 but will
- // be `true` by default in a later version where, going forward, it will be
- // enabled by default.
+ // The default value of this field is false.
 google.protobuf.BoolValue insecure_skip_verify = 8;
 // OPTIONAL: The path to the file containing the certificate revocation list (CRL)
diff --git a/networking/v1alpha3/destination_rule.pb.go b/networking/v1alpha3/destination_rule.pb.go
index 9b89b4e2e3b..48ff4a6890c 100644
--- a/networking/v1alpha3/destination_rule.pb.go
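Review bot: The new `subject_alt_names` comment says automatic SAN validation is based on the downstream HTTP host/authority header without saying which traffic that covers, while the `sni` comment a few lines later scopes the equivalent auto-SNI behaviour to SIMPLE and MUTUAL TLS modes; the same asymmetry is in the v1alpha3 and v1beta1 proto hunks. Because the value is derived from an HTTP header, the automatic check presumably cannot apply to non-HTTP upstreams, in which case the only SAN check for those connections would be an explicitly configured `subject_alt_names` — operators need that stated to know when the field is required rather than optional. Suggested wording, to be confirmed against the actual proxy behaviour: `// downstream HTTP host/authority header for SIMPLE and MUTUAL TLS modes; for non-HTTP traffic set subject_alt_names explicitly.`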
+++ b/networking/v1alpha3/destination_rule.pb.go
@@ -1288,7 +1288,8 @@ type ClientTLSSettings struct {
 PrivateKey string `protobuf:"bytes,3,opt,name=private_key,json=privateKey,proto3" json:"private_key,omitempty"`
 // OPTIONAL: The path to the file containing certificate authority
 // certificates to use in verifying a presented server certificate. If
- // omitted, the proxy will not verify the server's certificate.
+ // omitted, the proxy will verify the server's certificate using
+ // the OS CA certificates.
 // Should be empty if mode is `ISTIO_MUTUAL`.
 CaCertificates string `protobuf:"bytes,4,opt,name=ca_certificates,json=caCertificates,proto3" json:"ca_certificates,omitempty"`
 // The name of the secret that holds the TLS certs for the
@@ -1317,26 +1318,15 @@ type ClientTLSSettings struct {
 // If specified, this list overrides the value of subject_alt_names
 // from the ServiceEntry. If unspecified, automatic validation of upstream
 // presented certificate for new upstream connections will be done based on the
- // downstream HTTP host/authority header, provided `VERIFY_CERTIFICATE_AT_CLIENT`
- // and `ENABLE_AUTO_SNI` environmental variables are set to `true`.
+ // downstream HTTP host/authority header.
 SubjectAltNames []string `protobuf:"bytes,5,rep,name=subject_alt_names,json=subjectAltNames,proto3" json:"subject_alt_names,omitempty"`
 // SNI string to present to the server during TLS handshake.
 // If unspecified, SNI will be automatically set based on downstream HTTP
- // host/authority header for SIMPLE and MUTUAL TLS modes, provided `ENABLE_AUTO_SNI`
- // environmental variable is set to `true`.
+ // host/authority header for SIMPLE and MUTUAL TLS modes.
 Sni string `protobuf:"bytes,6,opt,name=sni,proto3" json:"sni,omitempty"`
 // `insecureSkipVerify` specifies whether the proxy should skip verifying the
 // CA signature and SAN for the server certificate corresponding to the host.
- // This flag should only be set if global CA signature verification is
- // enabled, `VERIFY_CERTIFICATE_AT_CLIENT` environmental variable is set to `true`,
- // but no verification is desired for a specific host. If enabled with or
- // without `VERIFY_CERTIFICATE_AT_CLIENT` enabled, verification of the CA signature and
- // SAN will be skipped.
- //
- // `insecureSkipVerify` is `false` by default.
- // `VERIFY_CERTIFICATE_AT_CLIENT` is `false` by default in Istio version 1.9 but will
- // be `true` by default in a later version where, going forward, it will be
- // enabled by default.
+ // The default value of this field is false.
 InsecureSkipVerify *wrappers.BoolValue `protobuf:"bytes,8,opt,name=insecure_skip_verify,json=insecureSkipVerify,proto3" json:"insecure_skip_verify,omitempty"`
 // OPTIONAL: The path to the file containing the certificate revocation list (CRL)
 // to use in verifying a presented server certificate. `CRL` is a list of certificates
diff --git a/networking/v1alpha3/destination_rule.pb.html b/networking/v1alpha3/destination_rule.pb.html
index 1105a0000c5..3e34e2b7cd6 100644
--- a/networking/v1alpha3/destination_rule.pb.html
+++ b/networking/v1alpha3/destination_rule.pb.html
@@ -818,7 +818,8 @@

ClientTLSSettings

OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate. If -omitted, the proxy will not verify the server’s certificate. +omitted, the proxy will verify the server’s certificate using +the OS CA certificates. Should be empty if mode is ISTIO_MUTUAL.

@@ -864,8 +865,7 @@

ClientTLSSettings

If specified, this list overrides the value of subject_alt_names from the ServiceEntry. If unspecified, automatic validation of upstream presented certificate for new upstream connections will be done based on the -downstream HTTP host/authority header, provided VERIFY_CERTIFICATE_AT_CLIENT -and ENABLE_AUTO_SNI environmental variables are set to true.

+downstream HTTP host/authority header.

@@ -878,8 +878,7 @@

ClientTLSSettings

SNI string to present to the server during TLS handshake. If unspecified, SNI will be automatically set based on downstream HTTP -host/authority header for SIMPLE and MUTUAL TLS modes, provided ENABLE_AUTO_SNI -environmental variable is set to true.

+host/authority header for SIMPLE and MUTUAL TLS modes.

@@ -892,15 +891,7 @@

ClientTLSSettings

insecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. -This flag should only be set if global CA signature verification is -enabled, VERIFY_CERTIFICATE_AT_CLIENT environmental variable is set to true, -but no verification is desired for a specific host. If enabled with or -without VERIFY_CERTIFICATE_AT_CLIENT enabled, verification of the CA signature and -SAN will be skipped.

-

insecureSkipVerify is false by default. -VERIFY_CERTIFICATE_AT_CLIENT is false by default in Istio version 1.9 but will -be true by default in a later version where, going forward, it will be -enabled by default.

+The default value of this field is false.

diff --git a/networking/v1alpha3/destination_rule.proto b/networking/v1alpha3/destination_rule.proto
index ad51b0150e1..55149ae3a44 100644
--- a/networking/v1alpha3/destination_rule.proto
+++ b/networking/v1alpha3/destination_rule.proto
@@ -853,7 +853,8 @@ message ClientTLSSettings {
 // OPTIONAL: The path to the file containing certificate authority
 // certificates to use in verifying a presented server certificate. If
- // omitted, the proxy will not verify the server's certificate.
+ // omitted, the proxy will verify the server's certificate using
+ // the OS CA certificates.
 // Should be empty if mode is `ISTIO_MUTUAL`.
 string ca_certificates = 4;
@@ -884,28 +885,17 @@ message ClientTLSSettings {
 // If specified, this list overrides the value of subject_alt_names
 // from the ServiceEntry. If unspecified, automatic validation of upstream
 // presented certificate for new upstream connections will be done based on the
- // downstream HTTP host/authority header, provided `VERIFY_CERTIFICATE_AT_CLIENT`
- // and `ENABLE_AUTO_SNI` environmental variables are set to `true`.
+ // downstream HTTP host/authority header.
 repeated string subject_alt_names = 5;
 // SNI string to present to the server during TLS handshake.
 // If unspecified, SNI will be automatically set based on downstream HTTP
- // host/authority header for SIMPLE and MUTUAL TLS modes, provided `ENABLE_AUTO_SNI`
- // environmental variable is set to `true`.
+ // host/authority header for SIMPLE and MUTUAL TLS modes.
 string sni = 6;
 // `insecureSkipVerify` specifies whether the proxy should skip verifying the
 // CA signature and SAN for the server certificate corresponding to the host.
- // This flag should only be set if global CA signature verification is
- // enabled, `VERIFY_CERTIFICATE_AT_CLIENT` environmental variable is set to `true`,
- // but no verification is desired for a specific host. If enabled with or
- // without `VERIFY_CERTIFICATE_AT_CLIENT` enabled, verification of the CA signature and
- // SAN will be skipped.
- //
- // `insecureSkipVerify` is `false` by default.
- // `VERIFY_CERTIFICATE_AT_CLIENT` is `false` by default in Istio version 1.9 but will
- // be `true` by default in a later version where, going forward, it will be
- // enabled by default.
+ // The default value of this field is false.
 google.protobuf.BoolValue insecure_skip_verify = 8;
 // OPTIONAL: The path to the file containing the certificate revocation list (CRL)
diff --git a/networking/v1beta1/destination_rule.pb.go b/networking/v1beta1/destination_rule.pb.go
index cad2f3855e7..20af2733760 100644
--- a/networking/v1beta1/destination_rule.pb.go
+++ b/networking/v1beta1/destination_rule.pb.go
@@ -1265,7 +1265,8 @@ type ClientTLSSettings struct {
 PrivateKey string `protobuf:"bytes,3,opt,name=private_key,json=privateKey,proto3" json:"private_key,omitempty"`
 // OPTIONAL: The path to the file containing certificate authority
 // certificates to use in verifying a presented server certificate. If
- // omitted, the proxy will not verify the server's certificate.
+ // omitted, the proxy will verify the server's certificate using
+ // the OS CA certificates.
 // Should be empty if mode is `ISTIO_MUTUAL`.
 CaCertificates string `protobuf:"bytes,4,opt,name=ca_certificates,json=caCertificates,proto3" json:"ca_certificates,omitempty"`
 // The name of the secret that holds the TLS certs for the
@@ -1294,26 +1295,15 @@ type ClientTLSSettings struct {
 // If specified, this list overrides the value of subject_alt_names
 // from the ServiceEntry. If unspecified, automatic validation of upstream
 // presented certificate for new upstream connections will be done based on the
- // downstream HTTP host/authority header, provided `VERIFY_CERTIFICATE_AT_CLIENT`
- // and `ENABLE_AUTO_SNI` environmental variables are set to `true`.
+ // downstream HTTP host/authority header.
 SubjectAltNames []string `protobuf:"bytes,5,rep,name=subject_alt_names,json=subjectAltNames,proto3" json:"subject_alt_names,omitempty"`
 // SNI string to present to the server during TLS handshake.
 // If unspecified, SNI will be automatically set based on downstream HTTP
- // host/authority header for SIMPLE and MUTUAL TLS modes, provided `ENABLE_AUTO_SNI`
- // environmental variable is set to `true`.
+ // host/authority header for SIMPLE and MUTUAL TLS modes.
 Sni string `protobuf:"bytes,6,opt,name=sni,proto3" json:"sni,omitempty"`
 // `insecureSkipVerify` specifies whether the proxy should skip verifying the
 // CA signature and SAN for the server certificate corresponding to the host.
- // This flag should only be set if global CA signature verification is
- // enabled, `VERIFY_CERTIFICATE_AT_CLIENT` environmental variable is set to `true`,
- // but no verification is desired for a specific host. If enabled with or
- // without `VERIFY_CERTIFICATE_AT_CLIENT` enabled, verification of the CA signature and
- // SAN will be skipped.
- //
- // `insecureSkipVerify` is `false` by default.
- // `VERIFY_CERTIFICATE_AT_CLIENT` is `false` by default in Istio version 1.9 but will
- // be `true` by default in a later version where, going forward, it will be
- // enabled by default.
+ // The default value of this field is false.
 InsecureSkipVerify *wrappers.BoolValue `protobuf:"bytes,8,opt,name=insecure_skip_verify,json=insecureSkipVerify,proto3" json:"insecure_skip_verify,omitempty"`
 // OPTIONAL: The path to the file containing the certificate revocation list (CRL)
 // to use in verifying a presented server certificate. `CRL` is a list of certificates
diff --git a/networking/v1beta1/destination_rule.proto b/networking/v1beta1/destination_rule.proto
index 0274d8859ac..6af998274ab 100644
--- a/networking/v1beta1/destination_rule.proto
+++ b/networking/v1beta1/destination_rule.proto
@@ -830,7 +830,8 @@ message ClientTLSSettings {
 // OPTIONAL: The path to the file containing certificate authority
 // certificates to use in verifying a presented server certificate. If
- // omitted, the proxy will not verify the server's certificate.
+ // omitted, the proxy will verify the server's certificate using
+ // the OS CA certificates.
 // Should be empty if mode is `ISTIO_MUTUAL`.
 string ca_certificates = 4;
@@ -861,28 +862,17 @@ message ClientTLSSettings {
 // If specified, this list overrides the value of subject_alt_names
 // from the ServiceEntry. If unspecified, automatic validation of upstream
 // presented certificate for new upstream connections will be done based on the
- // downstream HTTP host/authority header, provided `VERIFY_CERTIFICATE_AT_CLIENT`
- // and `ENABLE_AUTO_SNI` environmental variables are set to `true`.
+ // downstream HTTP host/authority header.
 repeated string subject_alt_names = 5;
 // SNI string to present to the server during TLS handshake.
 // If unspecified, SNI will be automatically set based on downstream HTTP
- // host/authority header for SIMPLE and MUTUAL TLS modes, provided `ENABLE_AUTO_SNI`
- // environmental variable is set to `true`.
+ // host/authority header for SIMPLE and MUTUAL TLS modes.
 string sni = 6;
 // `insecureSkipVerify` specifies whether the proxy should skip verifying the
 // CA signature and SAN for the server certificate corresponding to the host.
- // This flag should only be set if global CA signature verification is
- // enabled, `VERIFY_CERTIFICATE_AT_CLIENT` environmental variable is set to `true`,
- // but no verification is desired for a specific host. If enabled with or
- // without `VERIFY_CERTIFICATE_AT_CLIENT` enabled, verification of the CA signature and
- // SAN will be skipped.
- //
- // `insecureSkipVerify` is `false` by default.
- // `VERIFY_CERTIFICATE_AT_CLIENT` is `false` by default in Istio version 1.9 but will
- // be `true` by default in a later version where, going forward, it will be
- // enabled by default.
+ // The default value of this field is false.
 google.protobuf.BoolValue insecure_skip_verify = 8;
 // OPTIONAL: The path to the file containing the certificate revocation list (CRL)