Hi,
we are facing an issue when configuring an mTLS egress connection to an external server.
We defined our destination rule with:
tls:
  mode: MUTUAL
  caCertificates: /etc/cert-sps-client-mutual/cacert
  clientCertificate: /etc/cert-sps-client-mutual/cert
  privateKey: /etc/cert-sps-client-mutual/key
and we mounted the corresponding secret to have the certificate information available in the istio-proxy container:
annotations:
  sidecar.istio.io/userVolumeMount: '[{"name":"sps-client-mutual", "mountPath":"/etc/cert-sps-client-mutual", "readonly":true}]'
  sidecar.istio.io/userVolume: '[{"name":"sps-client-mutual", "secret":{"secretName":"sps-client-mutual"}}]'
The connection towards the server is attempted but the server rejects it with:
TLSv1 79 Alert (Level: Fatal, Description: Protocol Version)
So it looks like it cannot accept the proposed Protocol Version for TLS. How can we set the proper TLS version for the egress?
I know we could do it in gateways for incoming transactions, but what about the outgoing ones?
We are using Istio 1.14 at the moment.
Thanks in advance!
Mike
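
An added example, not part of the original post: a small Python decoder for the TLS alert record behind a capture line like the one quoted above, showing the record-layer version next to the alert level and description ("Protocol Version" is alert code 70). The byte string is constructed for illustration, and the function and constant names are hypothetical.

```python
import struct

# Alert codes from the TLS RFCs (subset that shows up during handshakes).
LEVELS = {1: "warning", 2: "fatal"}
DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                40: "handshake_failure", 42: "bad_certificate",
                48: "unknown_ca", 70: "protocol_version",
                71: "insufficient_security", 80: "internal_error",
                86: "inappropriate_fallback", 116: "certificate_required"}
# Record-layer version field; a legacy value, not always the negotiated version.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
            0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
ALERT = 21  # TLS record content type for alerts


def parse_alerts(stream: bytes) -> list:
    """Walk the TLS records in stream and decode every alert record."""
    alerts, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < 5:
            raise ValueError(f"truncated record header at offset {pos}")
        ctype, version, length = struct.unpack_from("!BHH", stream, pos)
        body = stream[pos + 5:pos + 5 + length]
        if len(body) != length:
            raise ValueError(f"truncated record body at offset {pos}")
        pos += 5 + length
        if ctype != ALERT:
            continue  # handshake, application data, etc.
        entry = {"record_version": VERSIONS.get(version, hex(version))}
        if length == 2:
            level, desc = body  # plaintext alert: one byte each
            entry["level"] = LEVELS.get(level, f"unknown({level})")
            entry["description"] = DESCRIPTIONS.get(desc, f"unknown({desc})")
        else:
            # Not a plaintext alert, e.g. encrypted after ChangeCipherSpec.
            entry["level"] = entry["description"] = "opaque"
        alerts.append(entry)
    return alerts


# Constructed sample: one alert record (type 21, version 0x0301, length 2,
# level 2, description 70), matching the fatal alert described above.
SAMPLE = bytes.fromhex("15030100020246")

if __name__ == "__main__":
    for alert in parse_alerts(SAMPLE):
        print(alert)
```
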