TLS modes PASSTHROUGH and SIMPLE

Hello,

I am trying to implement TLS termination on Gateway for one application and on backend side for another.

Kubernetes 1.11(EKS) Istio 1.0.5

Following tasks from the documentation.

  1. https://istio.io/docs/tasks/traffic-management/secure-ingress/
    For TLS mode SIMPLE
  2. https://preliminary.istio.io/docs/examples/advanced-gateways/ingress-sni-passthrough/
    For TLS mode PASSTHROUGH

Each of them separately works fine.

But if I an trying to deploy them both the second one reports error on attempt to connect.
The first looks the winner.
Tried to use the unique port names in Gateway and Server but it did not help as well.

Error for th esecond application looks like

curl -vvv https://whoami.mydomain.com
*   Trying 34.123.123.123…
* TCP_NODELAY set
* Connected to whoami.mydomain.com (34.123.123.123) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /usr/local/etc/openssl/cert.pem
  CApath: /usr/local/etc/openssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to whoami.mydomain.com:443 
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to whoami.mydomain.com:443 

Any advice what I could miss in setup.

Thank you
Alex

@spikecurtis Maybe you could advise? You gave a good advise about TLS termination on ALB a few days ago

Thank you
Alex

@AlexD can you share your exact Gateway configuration for the combined example?

Are you using port number 443 for both applications? I’m not sure whether the Istio Ingress supports different modes on the same port…

Thank you @spikecurtis

Yes I am using port 443 for both applications with unique port names.
If we cannot use the same port for different modes, could you advise how is reasonable to redirect https requests from clients to different ports based on application or namespace, or some other approaches.

Gateway for TLS mode SIMPLE

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway
  namespace: httpbin
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 80
      name: http-httpbin
      protocol: HTTP
#    tls:
#      httpsRedirect: true
    hosts:
    - "httpbin.mydomain.com"
  - port:
      number: 443
      name: https-httpbin
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "httpbin.mydomain.com"

And for PASSTROUGH

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: nginx-gateway
  namespace: nginx-passthrough
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 80
      name: http-nginx
      protocol: HTTP
    tls:
      httpsRedirect: true
    hosts:
    - nginx.mydomain.com
  - port:
      number: 443
      name: https-nginx
      protocol: HTTPS
    tls:
      mode: PASSTHROUGH
    hosts:
    - nginx.mydomain.com

This certainly possible in principle, assuming that the clients send SNI (which I believe is quite will supported). I’m just not sure if Istio/Envoy support different modes selected on the SNI.

@diemtvu do you happen to know?

@spikecurtis @diemtvu SNI looks well supported https://www.alibabacloud.com/help/faq-detail/43742.htm We tried to use Chrome, FF and Curl for these examples. SNI is visible in traces in ‘Client Hello’

Weird that responses are returning normally if we have a few applications only with SIMPLE mode or a few with PASSTHROUGH only, but could not mix them.

Does it looks like a bug? Or there are some ways to deeper explore what is going wrong?

Issue was opened: https://github.com/istio/istio/issues/11786