Envoyproxy fails if tlsMaxProtocolVersion is set to TLSv1_2 #5282
Comments
Are your HTTP clients configured with appropriate MaxTLS settings? The intersection of the client and server TLS version lists has to be at least one to prevent 503s.
It's a service mesh, so the client would also be the same envoy?
I didn't know if it was ingress or not, so I wanted to eliminate that simple case first.
No, what I'm saying is that, in general, the TLS supported versions (generated by minTLS version and maxTLS version) have to have at least one element in common. If minTLS version is 1.2 and maxTLS version is 1.2, then that should work. For your specific situation, I'd need logs, config dumps, and manifests to know more. Let's continue via Azure support for security purposes.
Thanks for clarifying, this is really just a fresh installation of the example app with the modification of TLS max version.
#5292) Addresses potentially incompatible envoy max tls version and OSM control plane min tls version by updating the OSM control plane min tls version from TLSv1_3 to TLSv1_2. Fixes #5282. Signed-off-by: Whitney Griffith <[email protected]>
openservicemesh#5292) Addresses potentially incompatible envoy max tls version and OSM control plane min tls version by updating the OSM control plane min tls version from TLSv1_3 to TLSv1_2. Fixes openservicemesh#5282. Signed-off-by: Whitney Griffith <[email protected]> Signed-off-by: jaellio <[email protected]>
This issue will be closed due to a long period of inactivity. If you would like this issue to remain open then please comment or update.
Bug description:
Envoyproxy fails if tlsMaxProtocolVersion is set to TLSv1_2.
Affected area (please mark with X where applicable):
Expected behavior:
It should work normally
Steps to reproduce the bug (as precisely as possible):
Install test application (bookstore).
kubectl patch meshconfig osm-mesh-config -n kube-system -p '{"spec":{"sidecar":{"tlsMaxProtocolVersion":"TLSv1_2"}}}' --type=merge
The pods start failing with 503 trying to connect to each other.
How was OSM installed?:
AKS add-on
Anything else we need to know?:
Bug report archive:
Environment:
osm version: v1.2.3
kubectl version: 1.24.7