Istio mtls certificate specs

What are the specs on the certificates mtls uses?

specifically:

encryption strength (for us it needs to be AES-256)

Also, it can’t allow TLS 1.0 or 1.1 communication

Here is the result of running testssl.sh against an istio envoy sidecar:

To answer your question, envoy offers TLS 1.0, 1.1, and AES < 256. It looks like it currently defaults to envoy’s default cipher suites and protocol versions. For envoy-to-envoy traffic, the higher strength protocols and ciphers will be negotiated.

However, for ingress without TLS termination (ie, SNI routing) use cases, we need a way to either globally or per service configure the minimum protocol and allowed ciphers.