Istio Wildcard Egress Routing

Hello, I installed Istio via the Istio Operator and have the following versions:
control plane version: 1.8.1
data plane version: 1.8.1 (9 proxies)
I want to configure the egress request routing for a wildcard host with Istio. I created the following ServiceEntry:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: google
spec:
  hosts:
  - "*.google.com"
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  resolution: NONE
  location: MESH_EXTERNAL

Doing a request from inside a container in the same namespace works fine:

# curl -sSI https://www.google.com | grep  "HTTP/"
HTTP/2 200

Istio Sidecar logs:

[2021-06-23T07:28:22.764Z] "- - -" 0 - "-" 888 4698 32 - "-" "-" "-" "-" "142.250.184.196:443" outbound|443||*.google.com 10.16.4.11:33624 142.250.184.196:443 10.16.4.11:33622 www.google.com -

Now I also want to use mTLS with a custom certificate that I have injected into the file system of the Istio sidecar.

apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: dwc-domain-wildcard-egress-dr
  namespace: dwc-dev-dev
spec:
  host: "*.google.com"
  trafficPolicy:
    portLevelSettings:
      - port:
          number: 443
        tls:
          mode: MUTUAL
          clientCertificate: /etc/dwc/certs/tls.crt
          privateKey: /etc/dwc/certs/tls.key
          caCertificates: /etc/ssl/certs/ca-certificates.crt

Output of the same request (with the DestinationRule applied):

# curl -sSI https://www.google.com -v
*   Trying 142.250.184.196:443...
* TCP_NODELAY set
* Connected to www.google.com (142.250.184.196) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number
* Closing connection 0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

Istio Sidecar container logs:

2021-06-23T07:30:41.161797Z	info	sds	resource:file-cert:/etc/dwc/certs/tls.crt~/etc/dwc/certs/tls.key new connection
2021-06-23T07:30:41.161812Z	info	sds	resource:file-root:/etc/ssl/certs/ca-certificates.crt new connection
2021-06-23T07:30:41.161942Z	info	sds	Skipping waiting for gateway secret
2021-06-23T07:30:41.161942Z	info	sds	Skipping waiting for gateway secret
2021-06-23T07:30:41.162262Z	info	cache	GenerateSecret from file file-cert:/etc/dwc/certs/tls.crt~/etc/dwc/certs/tls.key
2021-06-23T07:30:41.162292Z	info	cache	GenerateSecret from file file-root:/etc/ssl/certs/ca-certificates.crt
2021-06-23T07:30:41.162411Z	info	sds	resource:file-cert:/etc/dwc/certs/tls.crt~/etc/dwc/certs/tls.key pushed key/cert pair to proxy
2021-06-23T07:30:41.162488Z	info	sds	resource:file-root:/etc/ssl/certs/ca-certificates.crt pushed root cert to proxy
[2021-06-23T07:30:56.278Z] "- - -" 0 - "-" 517 179 25 - "-" "-" "-" "-" "142.250.184.196:443" outbound|443||*.google.com 10.16.4.11:34582 142.250.184.196:443 10.16.4.11:34580 www.google.com -

Please note that in my requirements a wildcard host is needed, as the FQDN isn't known during the Istio configuration.
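As an added example (not code from the post or from Istio), a small Python parser for the sidecar access log lines quoted above. It pulls out the fields that matter for this problem, the upstream cluster, REQUESTED_SERVER_NAME and the byte counts, and flags lines the sidecar handled as raw TCP passthrough, which is what a `"- - -"` request line means. It assumes the field order of the Istio 1.8 default access log format and nothing else.

```python
import re
# Istio 1.8 default sidecar access log layout (Envoy text format), field order as
# the proxy prints it; SAMPLE_LINES are the two lines quoted in the post above.
_LOG_RE = re.compile(
    r'^\[(?P<start>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<protocol>\S+)" '
    r'(?P<code>\d+) (?P<flags>\S+) "(?P<failure>[^"]*)" '
    r'(?P<rx>\d+) (?P<tx>\d+) (?P<duration>\d+) (?P<svc_time>\S+) '
    r'"[^"]*" "[^"]*" "[^"]*" "(?P<authority>[^"]*)" "(?P<upstream_host>[^"]*)" '
    r'(?P<cluster>\S+) (?P<upstream_local>\S+) (?P<downstream_local>\S+) '
    r'(?P<downstream_remote>\S+) (?P<sni>\S+) (?P<route>\S+)$'
)
SAMPLE_LINES = [  # working HTTPS passthrough run, then the failing run with the mTLS DestinationRule
    '[2021-06-23T07:28:22.764Z] "- - -" 0 - "-" 888 4698 32 - "-" "-" "-" "-" '
    '"142.250.184.196:443" outbound|443||*.google.com 10.16.4.11:33624 '
    '142.250.184.196:443 10.16.4.11:33622 www.google.com -',
    '[2021-06-23T07:30:56.278Z] "- - -" 0 - "-" 517 179 25 - "-" "-" "-" "-" '
    '"142.250.184.196:443" outbound|443||*.google.com 10.16.4.11:34582 '
    '142.250.184.196:443 10.16.4.11:34580 www.google.com -',
]

def parse_access_log(line: str):
    """Named fields of one line, or None if it is not in the 1.8 layout. rx/tx are
    bytes from/to the app; sni is REQUESTED_SERVER_NAME from the app's own ClientHello."""
    m = _LOG_RE.match(line.strip())
    if m is None:
        return None
    e = m.groupdict()
    for k in ("code", "rx", "tx", "duration"):
        e[k] = int(e[k])
    return e

def is_tcp_passthrough(e: dict) -> bool:
    # "- - -" with response code 0: Envoy never saw an HTTP request line, so the app's
    # own TLS session was TCP-proxied and the wildcard host was matched by SNI alone.
    # With protocol: HTTP the sidecar parses the request and logs a real method/path.
    return e["method"] == "-" and e["code"] == 0

def cluster_host(cluster: str) -> str:
    return cluster.rsplit("|", 1)[-1]  # outbound|443||*.google.com -> *.google.com

def summarize(lines: list) -> list:
    """One row per parsable line. In the failing run 517/179 bytes is a single tunnelled
    ClientHello plus a short reply curl rejected as not TLS, versus 888/4698 for a real fetch."""
    rows = []
    for line in lines:
        e = parse_access_log(line)
        if e is not None:
            rows.append({"host": cluster_host(e["cluster"]), "sni": e["sni"],
                         "passthrough": is_tcp_passthrough(e), "rx": e["rx"], "tx": e["tx"]})
    return rows
```

Both lines parse as passthrough with the same SNI and cluster; only the byte counts differ, which is why the second run looks identical to Envoy but fails in curl.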

I think you’re getting double TLS Istio / Traffic Management Problems

Thanks for the help. You’re right, using the HTTP protocol in the ServiceEntry solved the first step of the issue.

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: google
spec:
  hosts:
  - "*.google.com"
  ports:
  - number: 443
    name: http
    protocol: HTTP
  resolution: NONE
  location: MESH_EXTERNAL