Istio Gateway without mTLS

Hello,

We’re using Istio on GKE with mTLS enabled for pod communication in general, but we have a public-facing application that needs to terminate SSL on the pod, so we have disabled mTLS for that service; however, we’re receiving TLS handshake errors from the application.

We’re using an istio-ingressgateway, virtual service, gateway, and policy for a service using port 443 for both TLS and GRPC traffic. We tried splitting the TLS traffic to its own port (6443) with a separate gateway and virtual service, but it’s still not terminating TLS properly at the pod. The istio gateway is configured with tls.mode=PASSTHROUGH and the DestinationRule has tls.mode=DISABLE.

When using openssl s_client we’re expecting to be presented with the application’s server certificate but are instead receiving istio’s mTLS cluster.local certificate.

We’ve been trying to follow along with the instructions presented here: https://istio.io/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/

Thanks!
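For reference, here is the full set of resources a PASSTHROUGH setup of the kind described above normally needs, as an added example that is not from the original post or from Istio’s own manifests. The host name `app.example.com`, the namespace `default`, the Kubernetes service name `public-app` and the listener port `443` are assumptions; substitute your own. The point a practitioner usually misses is the last resource: a `DestinationRule` with `tls.mode: DISABLE` only stops the ingress gateway from originating mTLS, while the sidecar on the application pod keeps presenting the mesh’s `cluster.local` certificate on inbound connections until a `Policy` also stops requiring mTLS on that port.

```yaml
# Gateway: accept raw TLS on 443 and pass it through untouched (no termination here).
# Because protocol is TLS and mode is PASSTHROUGH, routing is by SNI only.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: public-app-gateway            # assumed name
  namespace: default                  # assumed namespace
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: tls
      protocol: TLS
    tls:
      mode: PASSTHROUGH
    hosts:
    - app.example.com                 # assumed public host name
---
# VirtualService: match on the SNI the client sends and forward the TCP stream
# to the application service's TLS port. A plain `http:` route would not work
# here because the gateway never decrypts the traffic.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: public-app
  namespace: default
spec:
  hosts:
  - app.example.com
  gateways:
  - public-app-gateway
  tls:
  - match:
    - port: 443
      sniHosts:
      - app.example.com
    route:
    - destination:
        host: public-app              # assumed Kubernetes service name
        port:
          number: 443
---
# DestinationRule: tell the gateway (the client side) not to wrap the already
# encrypted stream in mesh mTLS when it connects to the application pod.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: public-app-no-mtls
  namespace: default
spec:
  host: public-app.default.svc.cluster.local
  trafficPolicy:
    tls:
      mode: DISABLE
---
# Policy: the server side. With no `peers` section the sidecar on the
# application pod stops demanding mTLS on port 443 and lets the application's
# own certificate reach the client instead of the sidecar's cluster.local cert.
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: public-app-no-mtls
  namespace: default
spec:
  targets:
  - name: public-app
    ports:
    - number: 443
```

After applying all four, the check from the post should show the application’s certificate: `openssl s_client -connect <ingress-ip>:443 -servername app.example.com` (the `-servername` flag matters, since PASSTHROUGH routing is keyed on SNI; without it the gateway has nothing to match and the handshake fails). Keep the `DestinationRule` host and the `Policy` target port aligned with the port the `VirtualService` routes to; a mismatch on either one is enough to leave the sidecar’s mesh certificate in place.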

‘istioctl authn tls-check <ingressgatewayPodname.istio-system>’ should show the TLS landscape