Enabling mTLS results in SSL handshake error

Hi,

I am trying to setup mutual TLS between two of my services. Here’s how I tried.

  1. Set up a PERMISSIVE policy and a tls-disabled DestinationRule on both services. Services can talk to each other.
  2. Changed the DestinationRule of Service B to TLS only. Services can still talk to each other.
  3. Changed the policy on Service B and I immediately start getting an SSL handshake error.

Here are log snippets from the istio-proxy of Service A and B:

[2019-05-30 12:48:35.477][20][debug][main] [external/envoy/source/server/connection_handler_impl.cc:257] [C91] new connection
[2019-05-30 12:48:35.477][20][debug][connection] [external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:142] [C91] handshake error: 1
[2019-05-30 12:48:35.477][20][debug][connection] [external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:175] [C91] TLS error: 268435612:SSL routines:OPENSSL_internal:HTTP_REQUEST

I am not using any custom certificates. Just trying to use the MTLS out of the box.

I am using Istio version 1.1.7

Any pointers?

@leitang Could you help take a look?

Hi ukdvivek,
Can you list the authPolicy and destRule? Does this one work for you? https://istio.io/docs/tasks/security/mtls-migration/#lock-down-to-mutual-tls-optional

Hi ukdvivek,
https://istio.io/docs/tasks/security/authn-policy/ has a guide for “Globally enabling Istio mutual TLS” and a guide for “Enable mutual TLS per namespace or service”. Can you try these guides for enabling mTLS?

Hi Guys,
Yes, I have tried all the options mentioned in the istio documentation but with no success.

Here’s the policy and destination rule for smaas-service

apiVersion: v1
items:
- apiVersion: authentication.istio.io/v1alpha1
  kind: Policy
  metadata:
    creationTimestamp: "2019-06-13T02:13:40Z"
    generation: 1
    name: default
    namespace: smaas-service
    resourceVersion: "4367"
    selfLink: /apis/authentication.istio.io/v1alpha1/namespaces/smaas-service/policies/default
    uid: dc2c9469-8d80-11e9-9bb5-020b1c2fd1e6
  spec:
    peers:
    - mtls:
        mode: STRICT
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""

apiVersion: v1
items:
- apiVersion: networking.istio.io/v1alpha3
  kind: DestinationRule
  metadata:
    creationTimestamp: "2019-06-13T02:13:40Z"
    generation: 1
    name: default
    namespace: smaas-service
    resourceVersion: "4362"
    selfLink: /apis/networking.istio.io/v1alpha3/namespaces/smaas-service/destinationrules/default
    uid: dc2a0395-8d80-11e9-9bb5-020b1c2fd1e6
  spec:
    host: '*.smaas-service.svc.cluster.local'
    trafficPolicy:
      tls:
        mode: ISTIO_MUTUAL
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""

And here’s the policy and destination rule for cse-service

apiVersion: v1
items:
- apiVersion: authentication.istio.io/v1alpha1
  kind: Policy
  metadata:
    creationTimestamp: "2019-06-13T02:13:39Z"
    generation: 1
    name: default
    namespace: cse-service
    resourceVersion: "4331"
    selfLink: /apis/authentication.istio.io/v1alpha1/namespaces/cse-service/policies/default
    uid: db8c90a7-8d80-11e9-9bb5-020b1c2fd1e6
  spec:
    peers:
    - mtls:
        mode: STRICT
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""

apiVersion: v1
items:
- apiVersion: networking.istio.io/v1alpha3
  kind: DestinationRule
  metadata:
    creationTimestamp: "2019-06-13T02:13:39Z"
    generation: 1
    name: default
    namespace: cse-service
    resourceVersion: "4329"
    selfLink: /apis/networking.istio.io/v1alpha3/namespaces/cse-service/destinationrules/default
    uid: db8a6285-8d80-11e9-9bb5-020b1c2fd1e6
  spec:
    host: '*.cse-service.svc.cluster.local'
    trafficPolicy:
      tls:
        mode: ISTIO_MUTUAL
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
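The TLS error in the first post (BoringSSL reason HTTP_REQUEST: the server-side sidecar received a plaintext HTTP request where it expected a ClientHello) is exactly what a STRICT policy produces whenever a caller's DestinationRule does not select ISTIO_MUTUAL, which is the transition in step 3 above. As an added example that is not part of this thread, the following Python script checks that pairing per namespace; the inputs are constructed dicts shaped like the posted resources (make_policy/make_rule are hypothetical helpers, not Istio APIs, and no kubectl output is parsed):

```python
def make_policy(ns, mode=None):
    """Constructed Policy dict shaped like the thread's kubectl output; mode None = no mTLS."""
    spec = {"peers": [{"mtls": {"mode": mode}}]} if mode else {}
    return {"kind": "Policy", "metadata": {"name": "default", "namespace": ns}, "spec": spec}

def make_rule(ns, tls_mode):
    """Constructed DestinationRule dict covering every service in namespace ns."""
    return {"kind": "DestinationRule", "metadata": {"name": "default", "namespace": ns},
            "spec": {"host": f"*.{ns}.svc.cluster.local",
                     "trafficPolicy": {"tls": {"mode": tls_mode}}}}

def policy_mode(policy):
    """Peer mTLS mode of a Policy ('STRICT'/'PERMISSIVE'), or None if mTLS is not configured."""
    for peer in policy.get("spec", {}).get("peers", []):
        if "mtls" in peer:
            return (peer["mtls"] or {}).get("mode", "STRICT")  # bare 'mtls: {}' means STRICT
    return None

def rule_tls_modes(rules, ns):
    """TLS modes of every DestinationRule whose host covers services in namespace ns."""
    suffix = f".{ns}.svc.cluster.local"
    return {r["spec"].get("trafficPolicy", {}).get("tls", {}).get("mode", "DISABLE")
            for r in rules if r["spec"]["host"].endswith(suffix)}  # no tls block = plaintext

def check_mtls(policies, rules):
    """One finding per namespace whose server-side Policy and client-side rule disagree."""
    findings = []
    for pol in policies:
        ns = pol["metadata"]["namespace"]
        mode, tls = policy_mode(pol), rule_tls_modes(rules, ns)
        if mode == "STRICT" and "ISTIO_MUTUAL" not in tls:
            findings.append(f"{ns}: STRICT policy but no ISTIO_MUTUAL DestinationRule; "
                            "clients send plaintext HTTP and the server sidecar logs HTTP_REQUEST")
        elif mode is None and "ISTIO_MUTUAL" in tls:
            findings.append(f"{ns}: ISTIO_MUTUAL DestinationRule but no mTLS policy; "
                            "clients start TLS against a listener that expects plaintext")
    return findings

# Constructed inputs: the two namespaces from the thread, plus 'demo', where the Policy
# was switched to STRICT while its DestinationRule still says DISABLE (step 3 without step 2).
POLICIES = [make_policy(ns, "STRICT") for ns in ("smaas-service", "cse-service", "demo")]
RULES = [make_rule("smaas-service", "ISTIO_MUTUAL"), make_rule("cse-service", "ISTIO_MUTUAL"),
         make_rule("demo", "DISABLE")]

if __name__ == "__main__":
    for finding in check_mtls(POLICIES, RULES):
        print(finding)
```

The check only matches rules whose host ends in the namespace's own `.svc.cluster.local` suffix, so a mesh-wide rule (host `*.local`) or a Policy with per-service targets is not considered; extend it before relying on it for a real cluster.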