I have some more details.
The services are running on a IIS Webserver (Windows Server 2016).
When I set the SSL option “Client Certificate” to accept or required I get:
“503 Service Unavailable” and “upstream connect error or disconnect/reset before headers. reset reason: connection Termination”
When I set the SSL option “Client Certificate” to ignore it works.
In the docs from Microsoft they state:
In a few cases, HTTP/2 can’t be used in combination with other features. In these situations, Windows will fall back to HTTP/1.1 and continue the transaction. This may involve negotiating HTTP/1.1 during the handshake, or sending an error code to the client instructing it to retry over an HTTP/1.1 connection.
Looks like the “negotiating HTTP/1.1 during the handshake, or sending an error code to the client instructing it to retry over an HTTP/1.1 connection” does not work with Istio.