You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Bug description
We have migrated our legacy application to Kubernetes where it uses istio-ingressgateway for TLS termination and routing. For sake of backwards compatibility we went with a SAN certificate for istio-ingressgateway. Post this we are seeing issues from our clients where requests to our domains fail during SSL handshake even though the domain name requested is the same as the CN on the certificate. Passing SNI info(servername) resolves this issue for them, indicating that the gateway is expecting SNI info from the client.
Is it possible to not use SNI and pass the same certificate for each domain?
Bug description
We have migrated our legacy application to Kubernetes where it uses istio-ingressgateway for TLS termination and routing. For sake of backwards compatibility we went with a SAN certificate for istio-ingressgateway. Post this we are seeing issues from our clients where requests to our domains fail during SSL handshake even though the domain name requested is the same as the CN on the certificate. Passing SNI info(servername) resolves this issue for them, indicating that the gateway is expecting SNI info from the client.
Is it possible to not use SNI and pass the same certificate for each domain?
Gateway config:
Expected behavior
Return the same certificate for each host
Steps to reproduce the bug
Pass SAN certificate to ingressgateway
Version (include the output of
istioctl version --remote
andkubectl version
)Istio version - 1.2.2
Kubernetes version - v1.13.7-gke.24
How was Istio installed?
Deployment yaml
Environment where bug was observed (cloud vendor, OS, etc)
GKE
The text was updated successfully, but these errors were encountered: