
I am trying to disable TLS protocol version 1.1 in a k8s cluster with istio 1.6 installed.

I have the following gateway configuration, following the [gateway][1] reference.

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  labels:
    operator.istio.io/component: IngressGateway
    operator.istio.io/managed: Reconcile
    operator.istio.io/version: 1.5.1
    release: istio
  name: default-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
    - hosts:
        - REDACTED
      port:
        name: http
        number: 80
        protocol: http
      tls:
        httpsRedirect: true
    - hosts:
        - REDACTED
      port:
        name: https
        number: 443
        protocol: HTTPS
      tls:
        mode: SIMPLE
        minProtocolVersion: TLSV1_2
        maxProtocolVersion: TLSV1_3
        serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
        privateKey: /etc/istio/ingressgateway-certs/tls.key
        cipherSuites:
          - ECDHE-ECDSA-AES128-GCM-SHA256
          - ECDHE-RSA-AES128-GCM-SHA256
          - ECDHE-ECDSA-AES128-SHA
          - AES128-GCM-SHA256
          - AES128-SHA
          - ECDHE-ECDSA-AES256-GCM-SHA384
          - ECDHE-RSA-AES256-GCM-SHA384
          - ECDHE-ECDSA-AES256-SHA
          - AES256-GCM-SHA384
          - AES256-SHA
```

I apply this gateway and run testssl.sh to see which TLS versions are offered, and I get this result:

```text
 Testing protocols via sockets except NPN+ALPN

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      not offered
 TLS 1.1    offered (deprecated)
 TLS 1.2    offered (OK)
 TLS 1.3    offered (OK): final
 NPN/SPDY   not offered
 ALPN/HTTP2 h2, http/1.1, grpc-exp (offered)
```

Any idea what may occur?

[1]: https://istio.io/latest/docs/reference/config/networking/gateway/


EDIT

Here are the logs from istio-ingressgateway: https://pastebin.com/xbtzm7P4
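When the declared `minProtocolVersion` and what testssl.sh observes disagree, the useful check is to compare the Gateway's intent with the TLS parameters Envoy actually received, which `istioctl proxy-config listener <ingressgateway-pod> -n istio-system -o json` prints. The script below is an added example, not code from the question or from Istio; it assumes the JSON field names Envoy uses for `DownstreamTlsContext` (`commonTlsContext.tlsParams.tlsMinimumProtocolVersion` and friends), and both inputs are constructed samples: a listener whose HTTPS chain carries no minimum version, and the protocol block from a testssl.sh run.

```python
"""Check the TLS versions a gateway actually offers, from two sources:

1. the Envoy listener config dumped by
   `istioctl proxy-config listener <ingressgateway-pod> -n istio-system -o json`
2. the protocol section of a testssl.sh run

Both inputs below are constructed samples; the JSON mirrors the field names
Envoy uses for DownstreamTlsContext (commonTlsContext.tlsParams.*).
"""
import json
import re

# Envoy's enum names for tlsParams, in ascending order, so versions can be compared.
TLS_ORDER = ["TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3"]
MIN_ACCEPTABLE = "TLSv1_2"

# Constructed sample: one HTTPS filter chain whose tlsParams carry no minimum,
# which is what a gateway whose minProtocolVersion was not applied would show.
SAMPLE_LISTENERS = json.dumps([
    {
        "name": "0.0.0.0_443",
        "filterChains": [
            {
                "filterChainMatch": {"serverNames": ["example.invalid"]},
                "transportSocket": {
                    "name": "envoy.transport_sockets.tls",
                    "typedConfig": {
                        "commonTlsContext": {
                            "tlsParams": {
                                "tlsMaximumProtocolVersion": "TLSv1_3",
                                "cipherSuites": ["ECDHE-RSA-AES128-GCM-SHA256"],
                            }
                        }
                    },
                },
            }
        ],
    },
    # The port-80 redirect listener has no transport socket: plaintext, skipped.
    {"name": "0.0.0.0_80", "filterChains": [{"filters": []}]},
])


def tls_chains(listeners_json):
    """Yield (listener name, SNI list, tlsParams) for each TLS filter chain."""
    for listener in json.loads(listeners_json):
        for chain in listener.get("filterChains", []):
            sock = chain.get("transportSocket")
            if not sock:
                continue  # plaintext chain
            ctx = sock.get("typedConfig", {}).get("commonTlsContext", {})
            snis = chain.get("filterChainMatch", {}).get("serverNames", [])
            yield listener["name"], snis, ctx.get("tlsParams", {})


def weak_listeners(listeners_json, floor=MIN_ACCEPTABLE):
    """Return (name, SNIs, minimum) for listeners whose effective minimum is below `floor`.

    A chain with no tlsMinimumProtocolVersion is reported too: Envoy then applies
    its own default instead of the Gateway's declared minimum, which is exactly
    the mismatch to catch.
    """
    bad = []
    for name, snis, params in tls_chains(listeners_json):
        minimum = params.get("tlsMinimumProtocolVersion")
        if minimum is None or TLS_ORDER.index(minimum) < TLS_ORDER.index(floor):
            bad.append((name, snis, minimum))
    return bad


# Constructed sample of the protocol block testssl.sh prints.
SAMPLE_TESTSSL = """\
 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      not offered
 TLS 1.1    offered (deprecated)
 TLS 1.2    offered (OK)
 TLS 1.3    offered (OK): final
"""
DEPRECATED = {"SSLv2", "SSLv3", "TLS 1", "TLS 1.1"}
LINE = re.compile(r"^\s*(SSLv2|SSLv3|TLS 1(?:\.[123])?)\s+(offered|not offered)\b")


def offered_deprecated(testssl_output):
    """Return the deprecated protocols testssl.sh reports as offered."""
    found = []
    for line in testssl_output.splitlines():
        m = LINE.match(line)
        if m and m.group(2) == "offered" and m.group(1) in DEPRECATED:
            found.append(m.group(1))
    return found


if __name__ == "__main__":
    for name, snis, minimum in weak_listeners(SAMPLE_LISTENERS):
        print(f"{name} {snis}: minimum={minimum or 'unset'} (below {MIN_ACCEPTABLE})")
    print("testssl.sh still sees:", offered_deprecated(SAMPLE_TESTSSL))
```

If `weak_listeners` reports the 443 chain with an unset minimum while the Gateway resource declares `TLSV1_2`, the setting was lost between the control plane and the proxy, which points at the Istio side rather than at the certificate or client; if Envoy does show `TLSv1_2` yet testssl.sh still negotiates 1.1, something in front of the pod (a load balancer terminating TLS, for instance) is answering instead.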

framled
  • Could you try to change your api version from `apiVersion: networking.istio.io/v1beta1` to `networking.istio.io/v1alpha3`? Could you try to put cipherSuites in [] like in this [answer](https://stackoverflow.com/a/60433396/11977760)? Any errors from istio-gateway logs? – Jakub Jul 24 '20 at 11:01
  • @jt97 I tried changing the api version to v1alpha3, but it is the same result. Also, I tried the cipherSuites like you proposed, cipherSuites: [ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ...], but nothing, same response. – framled Jul 24 '20 at 19:53
  • Seems like it's an istio bug and github is the place where you should ask about it. So I would suggest reporting a bug on [github](https://github.com/istio/istio/issues) and waiting for the istio devs' answer. – Jakub Jul 27 '20 at 10:16
  • Thanks @jt97 for your help, here is the issue that I placed on GitHub: https://github.com/istio/istio/issues/25801 – framled Jul 27 '20 at 17:02
