Istio offer both http1.1 and h2 for https communication, but the upstream system(nginx) which support only http1.1 so the request fails at nginx.
we want istio to offer only http1.1 when resource requested from browser.
curl command showing negotiation with ALPN
curl -v --insecure
https://ptpcoreapi-ptpcoreapi.oraclecorp.com/data/ui/
* Trying 144.25.101.19...
* TCP_NODELAY set
* Connected to
ptpcoreapi-ptpcoreapi.oraclecorp.com
(144.25.101.19) port 443
(#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2
(OUT), TLS handshake, Client hello (1):
* TLSv1.2
(IN), TLS handshake, Server hello (2):
* TLSv1.2
(IN), TLS handshake, Certificate (11):
* TLSv1.2
(IN), TLS handshake, Server key exchange (12):
* TLSv1.2
(IN), TLS handshake, Server finished (14):
* TLSv1.2
(OUT), TLS handshake, Client key exchange (16):
* TLSv1.2
(OUT), TLS change cipher, Client hello (1):
* TLSv1.2
(OUT), TLS handshake, Finished (20):
* TLSv1.2
(IN), TLS change cipher, Client hello (1):
* TLSv1.2
(IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2
/ ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
Am looking for the configuration to restrict the protocol offered by istio