Curl gnutls_handshake() failed: an unexpected tls packet was received

When I attempt to curl a service via https://service from a sidecar proxy container in the mesh I receive

curl gnutls_handshake() failed: an unexpected tls packet was received.

When I curl it via http://service:443 it returns plaintext.

I have ISTIO_MUTUAL enabled for MTLS.

Is this the intended behavior? How do I encrypt connections to the service over https from within the mesh?

Experiencing this as well. istioctl authn tls-check shows no conflicts.

Have SDS enabled, could it have something to do with it?