mTLS for TCP with istio-proxy

guru1306 · November 25, 2020, 11:42am

Hi All

I am using rabbitmq and many http application pods with side-car proxy. The mtls policy is permissive. The communication between application pods happening over tls. I am monitoring the port using tcpdump command in istio-proxy. The payload is printed only in encrypted form. But when I monitor for incoming messages from rabbitmq, it’s printing the payload in plain text. Does this mean istio proxy is not able to send the amqp communication between rabbitmq and application pod over tls? I can see the same issue happening for dynomite and redis. Does mTLS doesn’t work for TCP? I am using istio 1.7.4

Command to see tcpdump
‘sudo tcpdump src rabbitmq-pod-ip -A -vv’ .

leitang · November 25, 2020, 6:29pm

cc @incfly for permissive mTLS policy.

guru1306 · November 26, 2020, 1:22pm

Istio TLS is using the plain text mode for dynomite and redis also . The TLS is not happening for anything other than http based protocol. Dynomite, redis and rabbitmq are deployed as stateful sets. Does mTLS supports TLS for stateful sets.

Topic		Replies	Views
Policy and destination rule set to mtls & ISTIO_MUTUAL but communicating over http	4	2861	May 16, 2019
How does Istio allow mTLS over HTTP(port 80) Security	3	1692	January 25, 2021
TCP mTLS encryption Security	1	724	February 8, 2020
Prevent outbound packet sniffing Security	0	522	November 11, 2020
Trouble sniffing plain text traffic to a pod security	1	929	September 9, 2020

mTLS for TCP with istio-proxy

Related Topics