Istio get mTLS version

Hi,

Is there a way to get the mTLS version?

For sidecar, I think we don’t allow specifying the mTLS version in the authentication policy. So we’re actually using the default value from Envoy: https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/auth/cert.proto#auth-tlsparameters

For gateway, you can specify it here: https://preliminary.istio.io/docs/reference/config/istio.networking.v1alpha3/#Server-TLSOptions-TLSProtocol
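As an added illustration of the gateway setting linked above (this is not from the original thread), a Gateway whose HTTPS server restricts the TLS protocol range via the Server TLSOptions fields; the gateway name, host and credential name are placeholders:

```yaml
# Added example: pins the gateway's TLS protocol range using the
# minProtocolVersion / maxProtocolVersion fields of Server.TLSOptions.
# Names below (gateway, host, credentialName) are placeholders.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: example-gateway          # placeholder
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "app.example.com"          # placeholder host
    tls:
      mode: SIMPLE
      credentialName: app-example-cert   # placeholder secret name
      # Reject anything below TLS 1.3; TLS_AUTO would fall back to Envoy's defaults.
      minProtocolVersion: TLSV1_3
      maxProtocolVersion: TLSV1_3
```

Note that this only governs the gateway's own listener; as stated above, the sidecar-to-sidecar mTLS version is not configurable through the authentication policy and follows Envoy's defaults.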

I mean, is there a way to get it from the out-of-process Mixer (like the attribute vocabulary)?

I’m not sure if we have metric for this. @kuat, @douglas-reid may know more about this from the mixer side.

Not at the moment. There is connection.mtls boolean property, but that’s not enough information.
I don’t imagine it’s hard to add more mTLS properties as attributes. Please file a feature request in istio for tracking.


I opened a feature request (link).

Thanks!

Why is it not allowed to specify the TLS version for the sidecar?
We would like to use TLS v1.3 for egress communication from the sidecar proxy, which seems to be not possible right now as it is set by default to TLS v1.2.
Do you have any plans to support specifying TLS version also for the sidecar?

I also want to see in logs which TLS version is used in mTLS handshakes. +1
Maybe I can exec/ssh into the Istio sidecar container and run a curl command to the 15021 port? Will that expose the mTLS connection attributes?