Does the Istio ingress gateway support different TLS according to different request URLs?

Hello experts,
Currently, does the Istio ingress gateway support different TLS authentication according to different request URLs? For example, I use the same port 443 as the TLS port. The request URL …/dummy/example-1 uses TLS certificate 1, and …/dummy/example-2 uses TLS certificate 2. By the way, I find the Ingress Gateway can only configure one set of TLS CA for a specific port (e.g. 443).
Are there any methods to use different TLS CAs to verify different requests when using the same port and different URLs?

Thanks,

Hi @ShileiGuo,

Unfortunately what you are asking for can’t really be done. The certificate needs to be provided during the TLS handshake, which happens before any information about the URL path is exchanged, so there is no way to choose the certificate based on the path. You can, however, use different certificates for different hostnames.

Cheers,
Spike

Thanks @spikecurtis,
Can I use the same port (e.g. 443) but different FQDNs to configure multiple sets of TLS certs? All the different FQDNs map to one host. Then the client sends requests with different FQDNs to access the same host. I will configure different TLS certs in the gateway by host (FQDN).
Is the above solution viable?

Yes, you can; here is a task that shows it: https://istio.io/docs/tasks/traffic-management/ingress/secure-ingress-mount/#configure-a-tls-ingress-gateway-for-multiple-hosts

Hi @vadimeisenbergibm
I tried to use the above method to configure TLS, but I always get a 503 response code from curl. I use the h2c protocol in the backend Pod. Following is the simple configuration.



CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x14f4fb0)
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 503
< content-length: 91
< content-type: text/plain
< date: Tue, 06 Aug 2019 07:41:49 GMT
< server: istio-envoy
<

Backend Pod log info
2019/08/06 07:27:26 http2: server: error reading preface from client 192.168.240.40:36548: bogus greeting "\x16\x03\x01\x00\xd7\x01\x00\x00\xd3\x03\x03=̃\xacS\x01&.\xe2\xba-U\xef"
2019/08/06 07:27:26 http2: server: error reading preface from client 192.168.240.40:36556: bogus greeting "\x16\x03\x01\x00\xd7\x01\x00\x00\xd3\x03\x039\xc0\x05\xcb\x05\xcbIٛ\x9f\x80\xba\x01"
2019/08/06 07:41:49 http2: server: error reading preface from client 192.168.240.40:56376: bogus greeting "\x16\x03\x01\x00\xd7\x01\x00\x00\xd3\x03\x03\xaeh\xa0!\\x97\xefo/\xf3\b\xc4\xe5"
2019/08/06 07:41:49 http2: server: error reading preface from client 192.168.240.40:56378: bogus greeting "\x16\x03\x01\x00\xd7\x01\x00\x00\xd3\x03\x03\x9c踗\xeb\xd9\xe3\x1e\xc0]\xccca"
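
The following Python is an added illustration (editor's example, not code from this thread or from Istio) of two things the posts above touch on. First, Spike's point that the certificate must be chosen during the handshake: a minimal ClientHello is built with only an SNI extension, and a parser pulls the host name back out, which is all a gateway has to go on at that moment; there is no URL path anywhere in the record, so a "different FQDN, different cert" scheme works where a "different path, different cert" scheme cannot. Second, the bytes the h2c backend logged as a "bogus greeting": the same parser, applied to the 11-byte prefix copied from the log lines above, shows they are a TLS record header (content type 0x16 = handshake, record version 3.1, length 215) followed by a ClientHello header (type 0x01, length 211, client version 3.3 = TLS 1.2), i.e. the plaintext HTTP/2 server was handed a TLS handshake instead of the `PRI * HTTP/2.0` preface it expects. The host names, the `CERT_BY_HOST` mapping and the credential labels are hypothetical; the ClientHello is constructed sample input, not a capture.

```python
import struct

# TLS constants (RFC 5246 record/handshake layer, RFC 6066 server_name extension).
TLS_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
H2C_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"  # what an h2c server expects first

# Hypothetical host -> credential mapping, mirroring the "different FQDN, different cert" idea.
CERT_BY_HOST = {"example-1.dummy.test": "cert-1", "example-2.dummy.test": "cert-2"}

# The first 11 bytes of each "bogus greeting" in the backend log above (the log
# truncates the rest, so only this prefix is decoded here).
LOGGED_PREFIX = b"\x16\x03\x01\x00\xd7\x01\x00\x00\xd3\x03\x03"


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record whose only extension is SNI.

    Constructed sample input for the parser below; not a capture from the thread.
    """
    host = server_name.encode("ascii")
    name_list = struct.pack("!BH", 0, len(host)) + host          # name_type 0 = host_name
    sni_data = struct.pack("!H", len(name_list)) + name_list
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_data)) + sni_data
    body = (
        b"\x03\x03"                                  # client_version TLS 1.2
        + bytes(32)                                  # random (zeros in this sample)
        + b"\x00"                                    # session_id: empty
        + struct.pack("!H", 2) + b"\xc0\x2f"         # one suite: ECDHE-RSA-AES128-GCM-SHA256
        + b"\x01\x00"                                # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record-layer version 3.1 on the ClientHello, as in the logged bytes.
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Walk a ClientHello record and return the SNI host_name, or None.

    Returns None for a truncated record. Note what is NOT here: no HTTP method
    and no URL path; only the host name exists when the certificate is chosen.
    """
    try:
        pos = 9                                                  # start of ClientHello body
        pos += 2 + 32                                            # client_version, random
        pos += 1 + record[pos]                                   # session_id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + record[pos]                                   # compression_methods
        ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        if ext_end > len(record):
            return None                                          # truncated extensions
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            if ext_type == EXT_SERVER_NAME:
                list_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
                p = pos + 2                                      # skip server_name_list length
                while p + 3 <= list_end:
                    name_type = record[p]
                    name_len = struct.unpack("!H", record[p + 1:p + 3])[0]
                    if name_type == 0:
                        return record[p + 3:p + 3 + name_len].decode("ascii")
                    p += 3 + name_len
            pos += ext_len
    except (IndexError, struct.error):
        return None
    return None


def select_certificate(record: bytes, default: str = "default-cert") -> str:
    """What a gateway can do at handshake time: choose a credential by SNI."""
    return CERT_BY_HOST.get(extract_sni(record), default)


def classify_preface(data: bytes) -> dict:
    """Decode the first bytes a backend reads on a new connection."""
    if data.startswith(H2C_PREFACE):
        return {"kind": "h2c preface"}
    if len(data) >= 11 and data[0] == TLS_HANDSHAKE and data[5] == HS_CLIENT_HELLO:
        return {
            "kind": "tls client hello",
            "record_version": (data[1], data[2]),
            "record_length": struct.unpack("!H", data[3:5])[0],
            "handshake_length": int.from_bytes(data[6:9], "big"),
            "client_version": (data[9], data[10]),
            "sni": extract_sni(data),
        }
    return {"kind": "unknown"}


if __name__ == "__main__":
    hello = build_client_hello("example-2.dummy.test")
    print(extract_sni(hello), "->", select_certificate(hello))
    print(classify_preface(LOGGED_PREFIX))
```

The two lengths recovered from the logged prefix are consistent with each other (215 record bytes = 4-byte handshake header + 211 body bytes), which is what you would check first when a plaintext backend reports a "bogus greeting": a leading 0x16 0x03 0x01 means some hop is still speaking TLS to it.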

Hi @vadimeisenbergibm
For the 503 response code, I uninstalled Istio 1.2.0 and installed Istio 1.2.2. Currently, the issue is solved.