Pod with Sidecar Fails SSL with External Service

Hello,

Istio: 1.1.5
Kubernetes: 1.14.1

I’m still mystified and haven’t found anything in the trace level istio-proxy logs. I have a pod with a istio-proxy container and an alpine container.

The alpine container is making https calls to external URL. At some point this stops working and TLS handshake fails after TLSv1.3 (OUT), TLS handshake, Client hello (1):.

I get this generic error from curl: OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection

I don’t see any iptable rules blocking 443. Also port 80 works just fine so I know TCP packets are making it.

The only solution I have right now is doing docker rm on the istio-proxy container and then immediately inside my alpine container SSL is working again.

Instead of restarting the istio-proxy container I restarted the alpine container and that also fixed it. So as long as 1 of the 2 containers is restarted the SSL handshake is fixed.

:man_shrugging:

I’m still ironing Istio in my environment for the first time so I have had envoy doing passthrough for all external addresses.

For now I decided to pass in the global.proxy.includeIPRanges to my helm install while I debug this topic in a different cluster. This will have my external traffic skip the proxy. Having this setup for a day or 2 will also tell me if the problem was related to the istio-proxy or not.

Hi jstockhausen, did you manage to fix this? Am experiencing a very similar sounding problem. Thanks in advance for any info.

Hi @John_Mcaleer

I did not solve it. When it was time to upgrade istio to 1.2.0 I decided to not pass in global.proxy.includeIPRanges just to see what happens. Did not run into the issue again. Could be coincidence though.

Also sorry for the late reply!