TLS Tickets with multiple Ingress Gateway

#1

Hello!

I am running Istio 1.0.6 and saw that envoy has TLS Tickets enabled by default. When running with only one Ingress Gateway, session is resumed correctly (openssl s_client -connect [ENDPOINT] -reconnect).

On the other hand, when Ingress Gateway is scaled to multiple replicas, session may sometime be resumed (if it land on the same pod I guess), but in most case it’s not, and a new TLS Tickets is issued.

Is there any configuration that can be done to change this behaviour, or is it simply not implemented in Istio (if so, is it a planned feature ?).

0 Likes

#2

It’s an Envoy behavior that we also observed, but TBH, we haven’t digged into it yet. Have you consulted with the Envoy team?
@Costin_Manolache Costin, do you have clue why that happens?

0 Likes

#3

The Envoy documentation show there is only an array of keys used to encrypt/decrypt TLS Tickets.
It also says keys are generated internally (per envoy process), which may explain the current behaviour.

I’m not quite familiar with Istio development, could Citadel handle keys generation/rotation ?

0 Likes

#4

Citadel only handles the key generation and rotation for the internal mTLS traffic. For the external-facing TLS certs, it replies on users to rotate them through the K8s secrets.

0 Likes

#5

Ok I see. I though of Citadel because the Envoy docs state that TLS keys should be handled as securely as private keys used for certificates.

Should I fill in a feature request in Istio github repo ?

0 Likes