External client to istio gateway mTLS1.3 + ed25519 client failure

I am running istio 1.16.2 on eks.

I have successfully tested mTLS1.3, with a self-signed CA (for test purposes), and verified the certs with openssl.

works …
ca.crt (ed25519 key), server.crt (ed25519 key), client.crt (rsa:4096 key)
ca.crt (ed25519 key), server.crt (rsa:4096 key), client.crt (rsa:4096 key)
ca.crt (rsa:4096 key), server.crt (rsa:4096 key), client.crt (rsa:4096 key)

fails …
ca.crt (rsa:4096 key/ed25519), server.crt (rsa:4096 key/ed25519), client.crt (ed25519 key)

If the client private key is created with the ed25519 algo, the mTLS handshake fails. This is puzzling?

Also note that TLS with works fine.

logs …

curl -v --cacert ca.crt --cert client.crt --key client.key https://demo.bogus.net/

* Trying 10.228.144.139:443…
* Connected to demo.bogus.net (10.228.144.139) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: ca.crt
* CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2
* Server certificate:
* subject: CN=demo.bogus.net
* start date: Feb 21 21:01:57 2023 GMT
* expire date: Feb 21 21:01:57 2024 GMT
* subjectAltName: host "demo.bogus.net" matched cert's "demo.bogus.net"
* issuer: CN=bogus.net
* SSL certificate verify ok.
* using HTTP/2
* h2h3 [:method: GET]
* h2h3 [:path: /]
* h2h3 [:scheme: https]
* h2h3 [:authority: demo.bogus.net]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x124013200)

GET / HTTP/2
Host: demo.bogus.net
user-agent: curl/7.88.1
accept: */*

* TLSv1.3 (IN), TLS alert, unknown (628):
* OpenSSL SSL_read: OpenSSL/1.1.1t: error:1409445C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required, errno 0
* Failed receiving HTTP2 data
* Connection #0 to host demo.bogus.net left intact
curl: (56) OpenSSL SSL_read: OpenSSL/1.1.1t: error:1409445C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required, errno 0

For anyone hitting the same issue, see envoyproxy/envoy issue #25727 on GitHub, "tls: support ed25519 for client cert digital signature".
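An added example, not from the post or from Istio/Envoy, showing with Go's crypto/tls the mechanism behind the failing row: a TLS 1.3 client may only sign CertificateVerify with a scheme the server listed in CertificateRequest, so a gateway that does not offer Ed25519 leaves an ed25519 client certificate unusable, the client sends an empty Certificate, and a server that requires a client certificate answers with the "certificate required" alert, consistent with the curl trace above. The offered scheme lists are constructed, and ChosenScheme and RecordingClientConfig are names chosen here.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"fmt"
)

// ChosenScheme returns the scheme a TLS 1.3 client would sign CertificateVerify with, given the
// signature_algorithms the server listed in CertificateRequest and the client's key. An error means
// the client cannot use the certificate at all and would send an empty Certificate instead.
func ChosenScheme(offered []tls.SignatureScheme, key crypto.Signer) (tls.SignatureScheme, error) {
	cert := &tls.Certificate{PrivateKey: key} // only the key type matters for this check
	for _, s := range offered {               // server preference order, as crypto/tls applies it
		cri := &tls.CertificateRequestInfo{Version: tls.VersionTLS13, SignatureSchemes: []tls.SignatureScheme{s}}
		if cri.SupportsCertificate(cert) == nil {
			return s, nil
		}
	}
	return 0, fmt.Errorf("no offered scheme matches a %T client key", key.Public())
}

// RecordingClientConfig builds a client config that records the schemes a real server offers into *offered.
func RecordingClientConfig(cert tls.Certificate, roots *x509.CertPool, serverName string, offered *[]tls.SignatureScheme) *tls.Config {
	return &tls.Config{
		RootCAs: roots, ServerName: serverName, MinVersion: tls.VersionTLS13,
		GetClientCertificate: func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
			*offered = cri.SignatureSchemes
			if cri.SupportsCertificate(&cert) != nil {
				return &tls.Certificate{}, nil // nothing usable: send an empty Certificate rather than fail locally
			}
			return &cert, nil
		},
	}
}

func main() {
	_, edKey, _ := ed25519.GenerateKey(rand.Reader)
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	// Constructed list mimicking a gateway whose CertificateRequest omits Ed25519.
	offered := []tls.SignatureScheme{tls.PSSWithSHA256, tls.ECDSAWithP256AndSHA256}
	fmt.Println(ChosenScheme(offered, rsaKey))
	fmt.Println(ChosenScheme(offered, edKey))
	fmt.Println(ChosenScheme(append(offered, tls.Ed25519), edKey))
}
```

Handing RecordingClientConfig to tls.Dial against the gateway shows exactly which schemes it offers, which is the quickest way to confirm whether Ed25519 is among them.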