TLS handshake is broken after Istio 1.4 to 1.9 upgrade

Hi all

Sorry if this is a duplicate, I searched everywhere but could not find anything similar.

We are in the middle of the Istio upgrade to 1.9.9 and facing TLS handshake errors for some endpoints:

istio-egressgateway-59b459db65-twl86 istio-proxy {"route_name":"xxxxxxxx-egw-to-downstream","response_code_details":"upstream_reset_before_response_started{connection_failure,TLS_error:_268436496:SSL_routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE_268435610:SSL_routines:OPENSSL_internal:HANDSHAKE_FAILURE_ON_CLIENT_HELLO}","duration":333,"upstream_host":"xxx.xxx.xxx.xxx:443","start_time":"2021-11-26T03:06:57.816Z","downstream_remote_address":"100.102.0.1:50342","response_code":503,"connection_termination_details":null,"requested_server_name":"xxxxxxxxxx.com.au","request_id":"8994f7b4-27af-96de-aacc-2cd68837ec71","bytes_received":0,"downstream_local_address":"100.124.0.5:8443","upstream_service_time":null,"upstream_transport_failure_reason":"TLS error: 268436496:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE 268435610:SSL routines:OPENSSL_internal:HANDSHAKE_FAILURE_ON_CLIENT_HELLO","upstream_cluster":"outbound|443||xxxxxxxxxxx.com.au","protocol":"HTTP/1.1","upstream_local_address":null,"authority":"xxxxxxxxxx.com.au","response_flags":"UF,URX","user_agent":"curl/7.67.0","path":"/xxxx/yyyy/v2?wsdl","bytes_sent":273,"x_forwarded_for":"100.102.0.1","method":"GET"}

Upon investigation it’s been revealed that all these endpoints have weak ciphers in use and these ciphers have been removed from Envoy:

sslscan xxxxxxxxxx.com.au

Supported Server Cipher(s):
Preferred TLSv1.2 112 bits DES-CBC3-SHA
Accepted TLSv1.2 128 bits AES128-GCM-SHA256
Accepted TLSv1.2 128 bits AES128-SHA256
Accepted TLSv1.2 128 bits AES128-SHA
Accepted TLSv1.2 256 bits AES256-GCM-SHA384
Accepted TLSv1.2 256 bits AES256-SHA256
Accepted TLSv1.2 256 bits AES256-SHA
Preferred TLSv1.1 112 bits DES-CBC3-SHA
Accepted TLSv1.1 128 bits AES128-SHA
Accepted TLSv1.1 256 bits AES256-SHA
Preferred TLSv1.0 112 bits DES-CBC3-SHA
Accepted TLSv1.0 128 bits AES128-SHA
Accepted TLSv1.0 256 bits AES256-SHA

I understand that these weak ciphers have been removed from Envoy because we don't want to have compromised security.

However, we still have a few external vendors that are using the cipher suite above and it’s very hard to work with them to get their endpoints upgraded.

Now the question: is it possible to bring the ciphers above back to Istio to support these endpoints? The only way that comes to mind as of now is to run some intermediate reverse proxy nginx instance to keep these endpoints running and I am wondering if there is a nicer way of doing that in new Istio.

Thanks,
Paul

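A small triage script, added here as an example (not from the post, and not Istio or Envoy code): it recognises the handshake failure in the Envoy access-log entry above, parses the sslscan output, and reports why the proxy and the vendor endpoint have no cipher in common. The ENVOY_DEFAULT_CLIENT_CIPHERS set is an assumption modelled on Envoy's documented ECDHE-only defaults and the hostnames in the samples are constructed.

```python
import json
import re

# Constructed sample: the Envoy egress-gateway access-log entry from the post, trimmed.
ACCESS_LOG = ('{"response_code":503,"response_flags":"UF,URX",'
              '"upstream_cluster":"outbound|443||vendor.example.com.au",'
              '"upstream_transport_failure_reason":"TLS error: 268436496:SSL routines:'
              'OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE 268435610:SSL routines:'
              'OPENSSL_internal:HANDSHAKE_FAILURE_ON_CLIENT_HELLO"}')

# Constructed sample: the sslscan output from the post (same lines, abbreviated).
SSLSCAN = """Supported Server Cipher(s):
Preferred TLSv1.2 112 bits DES-CBC3-SHA
Accepted TLSv1.2 128 bits AES128-GCM-SHA256
Accepted TLSv1.2 128 bits AES128-SHA
Accepted TLSv1.2 256 bits AES256-GCM-SHA384
Preferred TLSv1.1 112 bits DES-CBC3-SHA
Accepted TLSv1.1 128 bits AES128-SHA
Preferred TLSv1.0 112 bits DES-CBC3-SHA
Accepted TLSv1.0 256 bits AES256-SHA
"""

# Assumption: the proxy only offers forward-secret (ECDHE) TLS 1.2 suites, as Envoy's
# documented defaults do; RSA-key-exchange suites such as AES128-GCM-SHA256 are never sent.
ENVOY_DEFAULT_CLIENT_CIPHERS = {
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
}
LEGACY_MARKERS = ("DES-CBC3", "RC4", "MD5", "NULL", "EXPORT")
SSLSCAN_LINE = re.compile(r"^(Preferred|Accepted)\s+(TLSv1\.\d)\s+(\d+) bits\s+(\S+)")

def is_tls_handshake_failure(log_line: str) -> bool:
    """True for a 503 whose upstream transport failure is a TLS handshake failure."""
    entry = json.loads(log_line)
    reason = entry.get("upstream_transport_failure_reason") or ""
    return entry.get("response_code") == 503 and "HANDSHAKE_FAILURE" in reason

def parse_sslscan(text: str) -> list:
    """Return (protocol, bits, cipher) tuples from sslscan's cipher listing."""
    return [(m.group(2), int(m.group(3)), m.group(4))
            for m in (SSLSCAN_LINE.match(l.strip()) for l in text.splitlines()) if m]

def triage(sslscan_text: str) -> dict:
    """Compare the server's TLS 1.2 suites with the proxy's and flag legacy offerings."""
    ciphers = parse_sslscan(sslscan_text)
    server_tls12 = {name for ver, _, name in ciphers if ver == "TLSv1.2"}
    common = server_tls12 & ENVOY_DEFAULT_CLIENT_CIPHERS
    return {
        "handshake_possible": bool(common),
        "forward_secret_offered": any("ECDHE" in c for c in server_tls12),
        "legacy_ciphers": sorted({n for _, _, n in ciphers if any(k in n for k in LEGACY_MARKERS)}),
        "old_protocols": sorted({v for v, _, _ in ciphers if v in ("TLSv1.0", "TLSv1.1")}),
    }
```

Run it over each vendor's sslscan output to see whether the failure is explained by the missing ECDHE suites before deciding on a workaround.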