I’ve been working on a small deployment recently with the new Istio 1.3.3 release, and found that the new options in gateway.proto don’t work the way I want them to.
The basic gateway setting is very simple, just as below:
    tls:
      mode: SIMPLE
      minProtocolVersion: TLSV1_0
      maxProtocolVersion: TLSV1_3
Everything looks fine to me: istioctl ps and curl -s localhost:15000/config_dump all report that tls_minimum_protocol_version is set as I expect. But when I test it with a legacy curl with the --tlsv1 option, the request failed with NSS error -5938. Then I set the maxProtocolVersion to TLSV1_1, and the request failed even without --tlsv1, and the debug output looks like Envoy only accepts TLSv1.2 or above even if you do set minProtocolVersion as TLSV1_0.