Istio routes accessible even after disabling weak ciphers for Service Mesh
Issue
- The Istio routes are still accessible with weak ciphers even after restricting the SMCP to the strong or required ciphers only, as per the documentation "Configuring cipher suites and ECDH curves".
$ oc get smcp basic -oyaml -n istio-system
...
spec:
  security:
    controlPlane:
      mtls: true
      tls:
        cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
$ oc get gateways.networking.istio.io httpd -oyaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  creationTimestamp: "2023-09-09T09:50:09Z"
  generation: 1
  name: httpd
  namespace: secured-gateway
  resourceVersion: "12051378"
  uid: 3be8f5dd-46a8-40fd-886b-1bcd441233b9
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - httpd.apps.cluster.example.com
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      credentialName: secured-gateway
      httpsRedirect: true
      mode: SIMPLE
$ oc get route -n istio-system | grep -i httpd
secured-gateway-httpd-b79ffc91d68b1651 httpd.apps.cluster.example.com istio-ingressgateway https passthrough/Redirect None
> curl -kv https://httpd.apps.cluster.example.com --ciphers AES128-SHA --tlsV1.2
* Trying 10.x.x.x:443...
* Connected to httpd.apps.cluster.example.com (10.x.x.x) port 443 (#0)
* ALPN: offers h2,http/1.1
* Cipher selection: AES128-SHA
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
* ALPN: server accepted h2
* Server certificate:
* subject: CN=httpd.apps.cluster.example.com
* start date: Aug 21 14:30:34 2023 GMT
* expire date: Sep 20 14:30:34 2023 GMT
* issuer: CN=customCA
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* using HTTP/2
* h2 [:method: GET]
* h2 [:scheme: https]
* h2 [:authority: httpd.apps.cluster.example.com]
* h2 [:path: /]
* h2 [user-agent: curl/8.1.2]
* h2 [accept: */*]
* Using Stream ID: 1 (easy handle 0x130812800)
> GET / HTTP/2
> Host: httpd.apps.cluster.example.com
> User-Agent: curl/8.1.2
> Accept: */*
>
< HTTP/2 403
< date: Sat, 09 Sep 2023 09:53:16 GMT
< server: istio-envoy
< last-modified: Mon, 12 Jul 2021 19:36:32 GMT
< etag: "133f-5c6f23d09f000"
< accept-ranges: bytes
< content-length: 4927
< content-type: text/html; charset=UTF-8
< x-envoy-upstream-service-time: 4
<
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
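Added verification script (not part of the Red Hat article): before concluding from a curl run that the gateway accepted a weak cipher, check that the run actually exercised the TLS 1.2 suite list. curl's --ciphers only constrains TLS 1.2 and earlier (TLS 1.3 suites are chosen with --tls13-ciphers), --tlsv1.2 sets the minimum rather than the maximum protocol version, and Envoy applies cipherSuites to TLS 1.0-1.2 only. The transcript above negotiated TLSv1.3 / AEAD-AES256-GCM-SHA384, so on its own it does not show AES128-SHA being accepted. The script parses such a transcript against the SMCP cipherSuites value (including the single comma-joined list entry shown above) and reports whether the result is conclusive and whether the negotiated suite is outside the allow-list. The IANA-to-OpenSSL name table is an assumption about how curl's OpenSSL/LibreSSL backend prints suite names, and the embedded transcript is an abridged copy of the one above.

```python
"""Added check (not from the Red Hat article): decide whether a `curl -v`
transcript actually demonstrates that the mesh accepted a cipher outside the
SMCP cipherSuites allow-list, or whether the test itself was inconclusive."""
import re

# Assumption: IANA suite names (the form SMCP/Istio cipherSuites use) mapped to
# the OpenSSL/LibreSSL names that curl prints for TLS 1.2 connections.
IANA_TO_OPENSSL = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-ECDSA-CHACHA20-POLY1305",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-RSA-CHACHA20-POLY1305",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": "ECDHE-ECDSA-AES128-SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
}

# TLS 1.3 suites as printed by OpenSSL (IANA form) and LibreSSL (AEAD-* form).
# Envoy applies cipher_suites to TLS 1.0-1.2 only, so these are never filtered
# by the SMCP setting.
TLS13_SUITES = {
    "TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256",
    "AEAD-AES256-GCM-SHA384", "AEAD-AES128-GCM-SHA256", "AEAD-CHACHA20-POLY1305-SHA256",
}

# The SMCP value from the issue: one YAML list item holding a comma-joined string.
SMCP_CIPHER_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,"
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,"
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
]

# Abridged copy of the curl session shown in the issue (only the lines we parse).
PAGE_TRANSCRIPT = """\
> curl -kv https://httpd.apps.cluster.example.com --ciphers AES128-SHA --tlsV1.2
* Cipher selection: AES128-SHA
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
< HTTP/2 403
"""


def expand_cipher_suites(entries):
    """Flatten the SMCP list into individual IANA names, splitting any entry
    that (as in the issue) packs several suites into one comma-joined string."""
    return [s.strip() for entry in entries for s in entry.split(",") if s.strip()]


def parse_transcript(text):
    """Return (command line, negotiated protocol, negotiated cipher) from -v output."""
    cmd = proto = cipher = None
    for line in text.splitlines():
        line = line.strip()
        if re.match(r"[>$] curl ", line):
            cmd = line[2:]
        match = re.match(r"\* SSL connection using (\S+) / (\S+)", line)
        if match:
            proto, cipher = match.groups()
    return cmd, proto, cipher


def evaluate(transcript, smcp_entries):
    """Compare what was negotiated with the allow-list and say whether the test
    can support a 'weak cipher accepted' conclusion at all."""
    cmd, proto, cipher = parse_transcript(transcript)
    if cmd is None or cipher is None:
        raise ValueError("transcript lacks a curl command line or a negotiated cipher")
    allowed_iana = expand_cipher_suites(smcp_entries)
    allowed = set(allowed_iana) | {IANA_TO_OPENSSL.get(s, s) for s in allowed_iana}
    requested = re.search(r"--ciphers\s+(\S+)", cmd)
    result = {
        "protocol": proto,
        "negotiated": cipher,
        "requested": requested.group(1) if requested else None,
        "conclusive": True,
        "outside_allow_list": False,
        "notes": [],
    }
    if proto == "TLSv1.3" or cipher in TLS13_SUITES:
        # curl's --ciphers governs TLS 1.2-and-below suites only (TLS 1.3 uses
        # --tls13-ciphers), --tlsv1.2 is a *minimum* version, and Envoy ignores
        # cipherSuites for TLS 1.3: nothing here exercised the allow-list.
        result["conclusive"] = False
        result["notes"].append(
            "TLS 1.3 negotiated; rerun with --tls-max 1.2 to exercise the TLS 1.2 suite list")
    elif cipher not in allowed:
        result["outside_allow_list"] = True
        result["notes"].append(f"{cipher} was accepted but is not in cipherSuites")
    return result


if __name__ == "__main__":
    verdict = evaluate(PAGE_TRANSCRIPT, SMCP_CIPHER_SUITES)
    print(f"{verdict['protocol']} / {verdict['negotiated']} "
          f"(asked for {verdict['requested']}): conclusive={verdict['conclusive']}")
    for note in verdict["notes"]:
        print(" -", note)
```

Running it against the transcript from this article reports the TLS 1.3 negotiation as inconclusive. A conclusive run is one in which a TLS 1.2 suite is negotiated, for example after adding --tls-max 1.2 to the curl command; only then does a negotiated suite absent from cipherSuites show that the allow-list was not applied at the gateway.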
Environment
- Red Hat OpenShift Container Platform (OCP)
  - 4.x
- Red Hat OpenShift Service Mesh
  - 2.x