Hi all,
situation is:
1, pod f.i. “pytime” in namespace “test”
2, istio default PeerAuthentication on namespace “test” with mtls.mode=STRICT
3, connections inside namespace “test” work just fine and are secured by TLS
4, but when I try to access the service running in pod “pytime” from outside (from outside the cluster, or from another namespace without TLS) with curl, it fails with:
kovi@kubm1:~$ curl -k -v https://10.177.154.100:8080/
* Trying 10.177.154.100…
* TCP_NODELAY set
* Connected to 10.177.154.100 (10.177.154.100) port 8080 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
    CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* Curl_http_done: called premature == 1
* stopped the pause stream!
* Closing connection 0
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
kovi@kubm1:~$
What is the “proper way” (either with authorization on client certificate or without authorization)?
DestinationRule accepting any client? Or Gateway and AuthorizationPolicy? Any example?
Thank you in advance, Michal
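For reference, one way to let non-mesh clients reach a workload that sits behind STRICT mTLS, shown here as an added example that is not part of Michal's post or of any reply on this page: keep STRICT on the namespace, publish the service through the Istio ingress gateway (the gateway's own Envoy originates mesh mTLS to the pod's sidecar, so the STRICT check is satisfied), and restrict the workload to traffic coming from that gateway's identity. The Service name `pytime`, its `app: pytime` label, the external host `pytime.example.com` and the TLS secret `pytime-cert` in `istio-system` are assumptions; the gateway service-account principal is the default one created by a standard Istio install. The last object shows the other option from the question, opening only port 8080 of this one workload to plaintext with a workload-scoped `portLevelMtls`; it is the weaker choice because anything that can reach the pod IP then talks to it unauthenticated.

```yaml
# Added example, not from the original post. Assumed names: Service "pytime"
# (container port 8080, label app=pytime) in namespace "test", external host
# pytime.example.com, kubernetes.io/tls secret "pytime-cert" in istio-system.
---
# 1. Keep the namespace at STRICT: sidecars in "test" accept mesh mTLS only.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: test
spec:
  mtls:
    mode: STRICT
---
# 2. Terminate the client's TLS at the ingress gateway. The gateway proxy then
#    opens an Istio mTLS connection to the pytime sidecar, so STRICT is met
#    without handing Istio-issued certificates to external clients.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: pytime-gw
  namespace: test
spec:
  selector:
    istio: ingressgateway          # label of the default ingress gateway pods
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE                 # server-side TLS; use MUTUAL to require client certs
      credentialName: pytime-cert  # assumed secret name in istio-system
    hosts:
    - pytime.example.com
---
# 3. Route the gateway's traffic for that host to the pytime Service.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: pytime
  namespace: test
spec:
  hosts:
  - pytime.example.com
  gateways:
  - pytime-gw
  http:
  - route:
    - destination:
        host: pytime.test.svc.cluster.local
        port:
          number: 8080
---
# 4. Only the ingress gateway's SPIFFE identity may call the workload. A pod in
#    another namespace that bypasses the gateway is denied here even though its
#    sidecar would pass the mTLS check; unauthenticated plaintext has no
#    principal at all and is denied as well.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: pytime-from-ingress-only
  namespace: test
spec:
  selector:
    matchLabels:
      app: pytime
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account
---
# 5. Alternative (weaker), instead of objects 2-4: stay STRICT but accept
#    plaintext on container port 8080 of this one workload. The port key is the
#    port the container listens on, not the Service port.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: pytime-8080-permissive
  namespace: test
spec:
  selector:
    matchLabels:
      app: pytime
  mtls:
    mode: STRICT
  portLevelMtls:
    8080:
      mode: PERMISSIVE
```

Apply objects 1 to 4 together and test with `curl -v https://pytime.example.com/ --resolve pytime.example.com:443:<ingress-gateway-IP>`; the handshake then completes against the gateway's certificate instead of the sidecar's "Request CERT" that fails in the trace above. Object 5 is a separate choice, not to be combined with object 4, since the ALLOW rule in 4 would still reject plaintext callers that carry no principal. A DestinationRule is not the lever here: it configures how a client's sidecar originates TLS, not what the server's sidecar accepts.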