Istio Egress breaking Apache httpd reverse proxy

I created a container from the same httpd:2.4 image on my local computer to troubleshoot that a bit more. I could successfully make a request using the -k option.

root@43b8498882da:/usr/local/apache2# curl -k -v https://dev10.hprt.com/
*   Trying 192.168.15.50...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x55a82e6ef310)
* Connected to dev10.hprt.com (192.168.15.50) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / DHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; ST=Texas; L=Austin; O=TriNet Group Inc; CN=*.hrpt.com
*  start date: Jan 14 13:09:01 2019 GMT
*  expire date: Apr 13 13:39:01 2021 GMT
*  issuer: C=US; O=Entrust, Inc.; OU=See www.entrust.net/legal-terms; OU=(c) 2012 Entrust, Inc. - for authorized use only; CN=Entrust Certification Authority - L1K
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET / HTTP/1.1
> Host: dev10.hprt.com
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Thu, 22 Aug 2019 16:21:10 GMT
< Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips OpenAM Web Agent/4.2.1.1
...
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>...</html>
* Connection #0 to host dev10.hprt.com left intact

I do get an error without the -k, so I can look into the way the certificate was installed, but the request still succeeds. I also see that the request downgrades from TLSv1.3 to TLSv1.2. In the Istio environment, the TLSv1.3 Server hello never makes it back. That’s where it hangs every time.

I also tried the request from the container in the Istio environment with --tls-max 1.2, but the Server hello still never makes it back.