Istio mtls certificate specs

What are the specs on the certificates mtls uses?


encryption strength (for us it needs to be AES-256)

Also, it can’t allow TLS 1.0 or 1.1 communication

Here is the result of running against an istio envoy sidecar:

To answer your question, envoy offers TLS 1.0, 1.1, and AES < 256. It looks like it currently defaults to envoy’s default cipher suites and protocol versions. For envoy-to-envoy traffic, the higher strength protocols and ciphers will be negotiated.

However, for ingress without TLS termination (ie, SNI routing) use cases, we need a way to either globally or per service configure the minimum protocol and allowed ciphers.

I just tried with port 15011 for scan istio pilot and its works, but how about scaning for envoy sidecar ? which port for mtls on envoy sidecar ?