How to allow tls_renegotiation via envoy-filter

Can someone help me to piece together https://istio.io/docs/reference/config/networking/envoy-filter/ and https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/auth/cert.proto to allow tls_renegotiation on a specific outgoing domain via egress mtls origination?

I have several 3rd party services for which istio mtls origination via egress gateway works flawlessly and am debugging one that doesnt. istio retries 3 times, throws 503UC.

I am struggling to piece together a config snippet to allow renegotation for this specific route (single domain, egress mtls origination)
unfortunately i cannot figure out valid use case out of istio documentation page.

(my personal feeling is that https://istio.io/docs/reference/config/networking/envoy-filter/ is targeted at istio-developers rather than users. The amount of permutations/options to brute-force thru is gargantuan and the page really doesnt care to explain the constructs. I cant be the only person thinking that about istio docs, am i?)

2020-02-26 22:22:20.817][55][debug][connection] [external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:201] [C112] TLS error: 268435638:SSL routines:OPENSSL_internal:NO_RENEGOTIATION 268435650:SSL routines:OPENSSL_internal:PROTOCOL_IS_SHUTDOWN
[2020-02-26 22:22:20.817][55][debug][client] [external/envoy/source/common/http/codec_client.cc:82] [C112] disconnect. resetting 1 pending requests
[2020-02-26 22:22:20.817][55][debug][client] [external/envoy/source/common/http/codec_client.cc:105] [C112] request reset

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: allow-tls-renegotiation
spec:
  workloadSelector:
    labels:
      istio: egressgateway
  configPatches:
    - applyTo: FILTER_CHAIN
      match:
        context: GATEWAY
        listener:
          filterChain:
            sni: <domain>
      patch:
        operation: MERGE
        value:
          transport_socket:
            name: tls
            typed_config:
              "@type": type.googleapis.com/envoy.api.v2.auth.UpstreamTlsContext
              allow_renegotiation: true

Thanks for all help!

Bump… Anyone? This is still a problem :slight_smile:

Bump… Anyone? This is still a problem :slight_smile: