Minimum TLS version?

I’m trying to use the gateway TLS options as specified here:


Specifically, the minProtocolVersion and maxProtocolVersion, but it doesn’t seem to have any effect.
I’m running Istio 1.4.4.
Sample gateway:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: gateway-test
  namespace: istio-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - <something>/<something>
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      mode: PASSTHROUGH
      minProtocolVersion: TLSV1_2
      maxProtocolVersion: TLSV1_3

This does not seem to work. I can go into the istio-ingressgateway container, dump the envoy config (via curl localhost:15000/config_dump) and I’m not seeing any TLS protocol version configuration in the gateway configuration, nor in the target’s istio-proxy configuration. I am able to connect with TLSv1, TLSv1.1 or TLSv1.2. Obviously, I’d only like to connect with TLSv1.2 or higher.

I’m not seeing any obvious errors via kubectl logs on the containers either.

Suggestions? (Note: this question was also asked by someone else back in May 2019, and there were no responses.)
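An added check, not from the original post, to confirm from a client's point of view which TLS versions the gateway actually negotiates, the same observation the question makes by hand. It assumes openssl(1) 1.1.1 or later (for `-tls1_3`); the hostname and port are placeholders. Note that with `mode: PASSTHROUGH` the gateway forwards the raw TLS stream, so the endpoint that terminates TLS is what this script is really measuring.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl(1) >= 1.1.1
# (needed for -tls1_3). Usage: sh tls_audit.sh gateway.example.com 443
# (placeholder host; exits 1 if TLS 1.0 or 1.1 is accepted).

# Read `openssl s_client` output on stdin and succeed only if the handshake
# really completed with version $1. A failed handshake still prints an
# SSL-Session block, but with "Cipher : 0000", so the Protocol line
# alone is not enough.
handshake_negotiated() {
  awk -v want="$1" '
    /^ *Protocol *:/ { proto = $NF }
    /^ *Cipher *:/   { cipher = $NF }
    END { exit !(proto == want && cipher != "" && cipher != "0000") }'
}

# Attempt one handshake, forcing a single version with the given s_client flag.
# $1 host, $2 port, $3 flag (-tls1 .. -tls1_3), $4 label as openssl prints it.
probe_version() {
  openssl s_client -connect "$1:$2" -servername "$1" "$3" </dev/null 2>/dev/null \
    | handshake_negotiated "$4"
}

# Try every version the question mentions; return 1 if anything below 1.2
# is accepted, so the function can gate a CI or compliance check.
audit_min_tls() {
  host=$1; port=${2:-443}; weak=0
  for pair in -tls1:TLSv1 -tls1_1:TLSv1.1 -tls1_2:TLSv1.2 -tls1_3:TLSv1.3; do
    flag=${pair%%:*}; label=${pair#*:}
    if probe_version "$host" "$port" "$flag" "$label"; then
      echo "ACCEPTED $label"
      case $label in TLSv1|TLSv1.1) weak=1 ;; esac
    else
      echo "rejected $label"
    fi
  done
  return $weak
}

if [ -n "${1:-}" ]; then
  audit_min_tls "$1" "${2:-443}"
fi
```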

There are some known issues with the TLS inspector: it does not work with TLS 1.3. We have a fix in 1.4.6. Could you try upgrading to 1.4.6 to see if this fixes your problem?