I am currently experiencing an issue where any outbound HTTPS traffic to an external endpoint that goes through the istio-proxy
sidecar container results in the following SSL error:
```
# curl https://www.google.com
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
```
I have the following config in place:
operator.istio.io/version=1.7.8
meshConfig.outboundTrafficPolicy: mode ALLOW_ANY
PeerAuthentication mtls mode: PERMISSIVE (but the same occurs with STRICT as well)
```yaml
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: tls-google.com
  namespace: istio-system
spec:
  hosts:
  - www.google.com
  location: MESH_EXTERNAL
  ports:
  - name: https
    number: 443
    protocol: HTTPS
  resolution: DNS
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: tls-google.com
  namespace: istio-system
spec:
  host: www.google.com
  trafficPolicy:
    tls:
      mode: SIMPLE
```
Checking the virtual hosts in the Envoy config, the only virtual host for 443 is the passthrough cluster:
```json
"name": "443",
"virtual_hosts": [
  {
    "name": "allow_any",
    "domains": [
      "*"
    ],
```
This appears to be another occurrence of the issue from issue 16458; however, none of the workaround steps proposed in that issue appear to be working in this scenario.
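A small check, added here and not part of the original issue or of Istio itself, that scans ServiceEntry/DestinationRule manifests (given as already-parsed dicts, so no YAML library is needed) for the pairing shown in this post: a port the application already reaches over TLS (ServiceEntry protocol HTTPS or TLS) combined with a DestinationRule that also makes the sidecar originate TLS on that port, so the client's TLS session ends up wrapped inside a second one. The `example.invalid` manifests are constructed input reproducing Istio's documented TLS-origination layout (plaintext port 80 with targetPort 443) and are expected to pass the check.

```python
# Added example (not from the original issue): flag an Istio egress config in which
# the app already speaks TLS on a port (ServiceEntry protocol HTTPS/TLS) while a
# DestinationRule also makes the sidecar originate TLS (SIMPLE/MUTUAL) on that port,
# so the upstream receives TLS wrapped inside TLS. Manifests are pre-parsed dicts.
TLS_ON_WIRE = {"HTTPS", "TLS"}    # bytes leaving the app are already a TLS stream
ORIGINATE = {"SIMPLE", "MUTUAL"}  # modes in which the sidecar adds its own TLS layer

def _protocol(port):
    # Declared protocol, else inferred from the port-name prefix (e.g. "https-443")
    return (port.get("protocol") or port.get("name", "").split("-")[0]).upper()

def find_double_tls(manifests):
    """Return (DestinationRule name, host, port number) for every double-TLS pairing."""
    se_ports = {}  # host -> {port number: protocol}, merged over all ServiceEntries
    for m in manifests:
        if m.get("kind") == "ServiceEntry":
            ports = {p["number"]: _protocol(p) for p in m["spec"].get("ports", [])}
            for host in m["spec"].get("hosts", []):
                se_ports.setdefault(host, {}).update(ports)
    findings = []
    for m in manifests:
        if m.get("kind") != "DestinationRule":
            continue
        spec, policy = m["spec"], m["spec"].get("trafficPolicy", {})
        default_mode = policy.get("tls", {}).get("mode")  # top-level tls covers all ports
        per_port = {s["port"]["number"]: s.get("tls", {}).get("mode")
                    for s in policy.get("portLevelSettings", []) if "port" in s}
        for number, proto in se_ports.get(spec["host"], {}).items():
            if proto in TLS_ON_WIRE and per_port.get(number, default_mode) in ORIGINATE:
                findings.append((m["metadata"]["name"], spec["host"], number))
    return findings

# Constructed input: the issue's own pair (HTTPS port + top-level SIMPLE) and, for
# contrast, Istio's documented origination layout (plaintext port 80 forwarded to 443).
ISSUE_MANIFESTS = [
    {"kind": "ServiceEntry", "metadata": {"name": "tls-google.com"}, "spec": {
        "hosts": ["www.google.com"], "ports": [{"name": "https", "number": 443, "protocol": "HTTPS"}]}},
    {"kind": "DestinationRule", "metadata": {"name": "tls-google.com"}, "spec": {
        "host": "www.google.com", "trafficPolicy": {"tls": {"mode": "SIMPLE"}}}},
]
ORIGINATION_MANIFESTS = [
    {"kind": "ServiceEntry", "metadata": {"name": "example-origination"}, "spec": {
        "hosts": ["example.invalid"], "ports": [
            {"name": "http-port", "number": 80, "protocol": "HTTP", "targetPort": 443},
            {"name": "https-port", "number": 443, "protocol": "HTTPS"}]}},
    {"kind": "DestinationRule", "metadata": {"name": "example-origination"}, "spec": {
        "host": "example.invalid", "trafficPolicy": {"portLevelSettings": [
            {"port": {"number": 80}, "tls": {"mode": "SIMPLE"}}]}}},
]
```

Running `find_double_tls(ISSUE_MANIFESTS)` reports the `tls-google.com` rule on port 443, while the origination layout returns no findings.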