External HTTPS Traffic TLS Error

I am currently experiencing an issue where any outbound HTTPS traffic to an external endpoint that goes through the istio-proxy sidecar container results in the following SSL error:

# curl https://www.google.com
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

I have the following config in place:

operator.istio.io/version=1.7.8

meshConfig.outboundTrafficPolicy: mode ALLOW_ANY

PeerAuthentication mtls mode: PERMISSIVE (but the same occurs with STRICT as well)

apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: tls-google.com
  namespace: istio-system
spec:
  hosts:
  - www.google.com
  location: MESH_EXTERNAL
  ports:
  - name: https
    number: 443
    protocol: HTTPS
  resolution: DNS
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: tls-google.com
  namespace: istio-system
spec:
  host: www.google.com
  trafficPolicy:
    tls:
      mode: SIMPLE

Checking the virtual hosts in the Envoy config, the only virtual host for 443 is the passthrough cluster:

"name": "443",
"virtual_hosts": [
 {
  "name": "allow_any",
  "domains": [
   "*"
  ],

This appears to be another occurrence of issue 16458; however, none of the workaround steps proposed in that issue appear to be working in this scenario.

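For comparison, here is the egress TLS-origination layout from the Istio documentation, adapted to www.google.com. This is an added example and not configuration from the post above. In the posted config, port 443 is declared as protocol HTTPS, so the sidecar expects the application to already be speaking TLS, while tls.mode SIMPLE on the same host tells the sidecar to originate TLS itself; the layout below keeps those two roles on separate ports so the sidecar only ever adds one TLS layer. The resource names are chosen here, and it assumes the ServiceEntry targetPort field is available in the Istio version in use (1.7.8 per the post).

```yaml
# Added example, not from the original post.
# Application sends plain HTTP to www.google.com:80; the sidecar originates TLS
# and connects to the real endpoint on 443. Port 443 stays a TLS passthrough for
# clients that still do their own TLS, with no TLS origination applied to it.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: google-com            # name chosen for this example
  namespace: istio-system
spec:
  hosts:
  - www.google.com
  location: MESH_EXTERNAL
  ports:
  - number: 80                # what the application connects to (plain HTTP)
    name: http-port
    protocol: HTTP
    targetPort: 443           # where the sidecar actually connects (assumed supported)
  - number: 443               # passthrough for callers that already speak TLS
    name: https-port
    protocol: HTTPS
  resolution: DNS
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: google-com            # name chosen for this example
  namespace: istio-system
spec:
  host: www.google.com
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 80            # originate TLS only for the plain-HTTP port
      tls:
        mode: SIMPLE          # sidecar-originated TLS towards www.google.com:443
```

With this pair applied, the check from inside the pod is a plain-HTTP request, `curl -sS -o /dev/null -D - http://www.google.com`, which should return a 200 because the sidecar upgraded it to HTTPS; an application that keeps sending `https://www.google.com` goes through the 443 passthrough port untouched. A quicker way to confirm that double TLS origination is what curl is tripping over with the posted config is to remove the `tls` block from the posted DestinationRule and retry the HTTPS request: with protocol HTTPS and no sidecar-side TLS origination the connection is passed through as-is.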