Istio mtls certificate specs

Todd_Spurlock · October 18, 2019, 6:42pm

What are the specs on the certificates mtls uses?

specifically:

encryption strength (for us it needs to be AES-256)

Also, it can’t allow TLS 1.0 or 1.1 communication

pbohman · October 22, 2019, 1:07pm

Here is the result of running testssl.sh against an istio envoy sidecar:

gist.github.com

https://gist.github.com/pbohman/bb90150a6e62456b07f715e43ec6ee54

istio-tls-proto-and-ciphers

 Testing protocols via sockets except NPN+ALPN 

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered
 TLS 1.1    offered
 TLS 1.2    offered (OK)
 TLS 1.3    offered (OK): final
 NPN/SPDY   not offered
 ALPN/HTTP2 h2, http/1.1 (offered)

This file has been truncated. show original

To answer your question, envoy offers TLS 1.0, 1.1, and AES < 256. It looks like it currently defaults to envoy’s default cipher suites and protocol versions. For envoy-to-envoy traffic, the higher strength protocols and ciphers will be negotiated.

However, for ingress without TLS termination (ie, SNI routing) use cases, we need a way to either globally or per service configure the minimum protocol and allowed ciphers.

riskiwah · February 28, 2020, 12:27pm

I just tried testssl.sh with port 15011 for scan istio pilot and its works, but how about scaning for envoy sidecar ? which port for mtls on envoy sidecar ?

Topic		Replies	Views
Istio get mTLS version	7	1170	September 29, 2022
Configuring TLS Versions Security	13	7661	November 16, 2020
How does Istio allow mTLS over HTTP(port 80) Security	3	1694	January 25, 2021
SDS config for the SSL certs Security	0	370	September 11, 2019
Minimum TLS version? Security	17	10265	February 9, 2022

Istio mtls certificate specs

Related Topics