https://istio.io/latest/docs/ops/common-problems/network-issues/#double-tls
Double TLS (TLS origination for a TLS request)
When configuring Istio to perform TLS origination, you need to make sure that the application sends plaintext requests to the sidecar, which will then originate the TLS.
TLS Origination
TLS origination occurs when an Istio proxy (sidecar or egress gateway) is configured to accept unencrypted internal HTTP connections, encrypt the requests, and then forward them to HTTPS servers that are secured using simple or mutual TLS. This is the opposite of TLS termination where an ingress proxy accepts incoming TLS connections, decrypts the TLS, and passes unencrypted requests on to internal mesh services.
The following DestinationRule originates TLS for requests to the httpbin.org service, but the corresponding ServiceEntry defines the protocol as HTTPS on port 443.
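The pair of resources the text describes, written out here as an added example rather than copied from the page (the metadata names, the `apiVersion` and the `location`/`resolution` fields are assumptions; the port, protocol and TLS mode are the ones the text names):

```yaml
# Added example: the misconfigured pair that produces double TLS.
# ServiceEntry: port 443 declared as HTTPS, so the sidecar expects the
# application to speak TLS on 443 and passes those bytes through untouched.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: httpbin-org            # assumed name
spec:
  hosts:
  - httpbin.org
  location: MESH_EXTERNAL      # assumed; httpbin.org is outside the mesh
  ports:
  - number: 443
    name: https
    protocol: HTTPS            # <- conflicts with the DestinationRule below
  resolution: DNS
---
# DestinationRule: the sidecar itself originates TLS towards httpbin.org.
# Combined with the HTTPS port above, the application's own TLS handshake
# is wrapped inside a second TLS session.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: originate-tls-for-httpbin-org   # assumed name
spec:
  host: httpbin.org
  trafficPolicy:
    tls:
      mode: SIMPLE             # sidecar is the TLS client
```

With both applied, `curl https://httpbin.org` from the application container sends a TLS ClientHello to the sidecar, which treats it as opaque TLS bytes and encrypts it again on the way out; the plaintext HTTP error the upstream returns inside the outer session is what curl reports as a wrong TLS version.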
With this configuration, the sidecar expects the application to send TLS traffic on port 443 (e.g., `curl https://httpbin.org`), but it will also perform TLS origination before forwarding requests. This causes the requests to be double encrypted: the sidecar wraps the application's own TLS session inside a second one. For example, sending a request like `curl https://httpbin.org` will result in an error: `(35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number`.
You can fix this example by changing the port protocol in the ServiceEntry to HTTP:
Note that with this configuration your application will need to send plaintext requests to port 443, like `curl http://httpbin.org:443`, because TLS origination does not change the port. However, starting in Istio 1.8, you can expose HTTP port 80 to the application (e.g., `curl http://httpbin.org`) and then redirect requests to targetPort 443 for the TLS origination:
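Both corrected ServiceEntry variants described above (plaintext on 443, and the Istio 1.8+ port-80-to-targetPort-443 form), as an added example and not the page's own manifests; the metadata names, `apiVersion`, `location` and `resolution` are assumptions. The DestinationRule with `mode: SIMPLE` is unchanged in both cases, and only one of the two ServiceEntries should be applied for a given host:

```yaml
# Added example, variant 1: keep port 443 but declare it HTTP.
# The application sends plaintext to the sidecar on 443
# (curl http://httpbin.org:443); the sidecar originates TLS on 443.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: httpbin-org            # assumed name
spec:
  hosts:
  - httpbin.org
  location: MESH_EXTERNAL      # assumed
  ports:
  - number: 443
    name: http-port
    protocol: HTTP             # <- was HTTPS; now the sidecar parses plaintext HTTP
  resolution: DNS
---
# Added example, variant 2 (Istio 1.8+): expose 80 to the application and
# let the sidecar connect to 443 after originating TLS
# (curl http://httpbin.org). Apply instead of variant 1, not alongside it.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: httpbin-org            # assumed name
spec:
  hosts:
  - httpbin.org
  location: MESH_EXTERNAL      # assumed
  ports:
  - number: 80                 # port the application connects to
    name: http-port
    protocol: HTTP
    targetPort: 443            # port the sidecar dials after TLS origination
  resolution: DNS
```

In either variant the plaintext hop exists only between the application container and its sidecar inside the pod; the sidecar is now the TLS client for httpbin.org, so the DestinationRule's `tls` block (for example its `caCertificates` setting) is where server-certificate verification for that connection is configured.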