How does Istio allow mTLS over HTTP(port 80)

Looking at the mtls migration example: Istio / Mutual TLS Migration, I see that Istio is somehow allowing mutual TLS over a HTTP (not HTTPS) connection at port 80. I was wondering how does this work as my understanding was that certificate validation/exchange could only happen over HTTPS.

1 Like

Have not read the link, so just guessing… I imagine that service-to-service encrypted traffic actually goes from the originating pods envoy-proxy side-car to the target pods envoy-proxy side-car. The target pods envoy-proxy then decrypts the traffic and hands off the unencrypted traffic to port 80 on the target container.

I say that based on what I see from kiali’s depiction of my traffic flow, which it shows as encrypted.

I would love for someone who knows more to chime in.

I’m not sure what you mean by allowing mutual TLS over a HTTP (not HTTPS) connection, that’s not what the task is for.

If you’re referring to the PERMISSIVE mode, it just means both plain text and mTLS connection will be allowed, if a client uses plain text, it is just plain text.

also cc @incfly

mTLS is between sidecars. it has nothing to do with application traffic is HTTP or HTTPS or TCP.