Support For Extended TLS Settings #41645

Closed
kfaseela opened this issue Oct 26, 2022 · 22 comments · Fixed by istio/api#2543 or #43207

Comments

@kfaseela
Member

kfaseela commented Oct 26, 2022

Describe the feature request

We are looking into configuring additional TLS settings in ingress and egress (currently we use basically the defaults).
As per the analysis, it would be nice if Istio allowed configuring more attributes beyond the cipher suite list.
For example, we must be able to configure elliptic curves (ECDH parameters). Fortunately, Envoy has support for this, but in Istio it is not exposed yet (so there is a way to do this currently with EnvoyFilter). We will also need to configure the signature schemes (e.g. rsa_pkcs1_sha256, rsa_pss_rsae_sha256, ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384). Unfortunately, the signature scheme is not configurable in Envoy either, and we will initiate a separate request for the same in Envoy.

There have been different efforts/discussions in Istio in similar lines. Please see below:

  1. Initial discussion of adding TLS params to mesh-config
  2. add cipher suite to DR - API changes
  3. add ecdh curves defaults PR

So, the requirements:

  1. Support ‘ecdh_curves’ at the Gateway: https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings
  2. Support ‘ecdh_curves’ in DestinationRule: https://istio.io/latest/docs/reference/config/networking/destination-rule/#ClientTLSSettings.
  3. ClientTLSSettings currently misses the ability to configure TLS versions and cipher suites (needs EnvoyFilters). It would be a good opportunity to add them too. (This PR seems to be addressing the cipher suites part.)
  4. Should we also support it for the Sidecar (Ingress Listener)? https://istio.io/latest/docs/reference/config/networking/sidecar/#IstioIngressListener ==> This is just for completeness, and currently I cannot find a requirement for this.

Describe alternatives you've considered

As Envoy supports some of these params already, we can configure the same using EnvoyFilters. However, it would be nice to have these supported using Istio standard APIs.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: gateway-tls-curves
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: FILTER_CHAIN
    match:
      context: GATEWAY
      listener:
        name: "0.0.0.0_8443"
    patch:
      operation: MERGE
      value:
        transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
            common_tls_context:
              tls_params:
                ecdh_curves:
                - P-256
                - X25519
```

Affected product area (please put an X in all that apply)

[ ] Ambient
[ ] Docs
[ ] Installation
[X] Networking
[ ] Performance and Scalability
[ ] Extensions and Telemetry
[X] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure

@kfaseela
Member Author

cc @howardjohn @ramaraochavali

@hzxuzhonghu
Member

This requirement makes me think about whether we should introduce an extensions API in Istio; these APIs can iterate quickly and we do not need to guarantee their compatibility. Like ratelimit, which has been there for a long time, but without much progress.

@ramaraochavali
Contributor

How is extension API different from Envoy filters?

@zirain
Member

zirain commented Oct 28, 2022

One case for RateLimit is applying it to a specific route; simply referring to a VS will not be right.

It's available for the Kubernetes Gateway API, as HTTPRoute is first class.

@hzxuzhonghu
Member

> How is extension API different from Envoy filters?

It is a user-facing API; we can translate it to xDS, but without guaranteeing that it could not change in the future, just like the k8s Deployment once resided in the extensions API group and has now migrated to the apps group.

@kfaseela
Member Author

kfaseela commented Nov 2, 2022

As per offline discussion with @howardjohn the API PR(istio/api#2014) can be rebased and taken forward.

@kfaseela
Member Author

kfaseela commented Mar 8, 2023

Just an update that finally the proposal that was accepted and the implementation that got merged - is to have a global MeshConfig for ecdh curves settings for all non ISTIO_MUTUAL tls traffic.

@anannaya

@kfaseela we are running with Istio version 1.13.2. I tried an EnvoyFilter with ECDH curves, which did not work for me. Are there any limitations in the EnvoyFilter as well?

@kfaseela
Member Author

> @kfaseela we are running with Istio version 1.13.2. I tried an EnvoyFilter with ECDH curves, which did not work for me. Are there any limitations in the EnvoyFilter as well?

We have not faced any problems using the EnvoyFilter. Istio support for ecdhCurves in MeshConfig is already merged, in case you want to try it.

@anannaya

anannaya commented Apr 22, 2023

@kfaseela Thanks for replying. Yes, we do have a plan to upgrade soon. For the time being I would like to unblock the issue; do you see any issue in the EnvoyFilter?

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"networking.istio.io/v1alpha3","kind":"EnvoyFilter","metadata":{"annotations":{},"name":"gateway-tls-curves","namespace":"istio-system"},"spec":{"configPatches":[{"applyTo":"FILTER_CHAIN","match":{"context":"GATEWAY","listener":{"name":"0.0.0.0_8443"}},"patch":{"operation":"MERGE","value":{"transport_socket":{"name":"envoy.transport_sockets.tls","typed_config":{"@type":"type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext","common_tls_context":{"tls_params":{"ecdh_curves":["P-256","X25519","secp384r1","secp256r1"]}}}}}}}],"workloadSelector":{"labels":{"istio":"ingressgateway"}}}}
  creationTimestamp: "2023-04-21T11:18:29Z"
  generation: 3
  name: gateway-tls-curves
  namespace: istio-system
  resourceVersion: "475778794"
  uid: 1c0c0e24-9326-431c-b6f7-a267de249d37
spec:
  configPatches:
  - applyTo: FILTER_CHAIN
    match:
      context: GATEWAY
      listener:
        name: 0.0.0.0_8443
    patch:
      operation: MERGE
      value:
        transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
            common_tls_context:
              tls_params:
                ecdh_curves:
                - P-256
                - X25519
                - secp384r1
                - secp256r1
  workloadSelector:
    labels:
      istio: ingressgateway
```

@kfaseela
Member Author

At a high level, the filter looks good. Make sure the label used in the workloadSelector matches the gateway label (it might be different based on the Istio installation method).

@anannaya

P-256 and X25519 work; the rest all fail in the handshake.

```
/usr/bin/curl -vvv  --curves secp384r1  https://xxxx.xom
*   Trying 18.214.248.70:443...
* Connected to xxxxx.com (18.214.248.70) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* error:1404B410:SSL routines:ST_CONNECT:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:1404B410:SSL routines:ST_CONNECT:sslv3 alert handshake failure
(base) kubernetes ananayak(k8s: qaus1-ai-eks) $
```

@kfaseela
Member Author

> P-256 and X25519 work; the rest all fail in the handshake.
>
> ```
> /usr/bin/curl -vvv  --curves secp384r1  https://xxxx.xom
> *   Trying 18.214.248.70:443...
> * Connected to xxxxx.com (18.214.248.70) port 443 (#0)
> * ALPN: offers h2
> * ALPN: offers http/1.1
> *  CAfile: /etc/ssl/cert.pem
> *  CApath: none
> * (304) (OUT), TLS handshake, Client hello (1):
> * error:1404B410:SSL routines:ST_CONNECT:sslv3 alert handshake failure
> * Closing connection 0
> curl: (35) error:1404B410:SSL routines:ST_CONNECT:sslv3 alert handshake failure
> (base) kubernetes ananayak(k8s: qaus1-ai-eks) $
> ```

Those are the default curves on Envoy; did you check if the filter is really applied? What are the labels present on your gateway?

@anannaya

anannaya commented Apr 22, 2023

Yes. I see this error in the ingress pods when I enable debug. Is any extra configuration required in Istio 1.13.2 to support ECDH configuration?

```
{"level":"warning","time":"2023-04-21T11:45:36.557704Z","scope":"envoy config","msg":"gRPC config for type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret rejected: Failed to initialize ECDH curves P-256:X25519:secp384r1:secp256r1"}
```

@kfaseela
Member Author

> Yes. I see this error in the ingress pods when I enable debug. Is any extra configuration required in Istio 1.13.2 to support ECDH configuration?
>
> ```
> {"level":"warning","time":"2023-04-21T11:45:36.557704Z","scope":"envoy config","msg":"gRPC config for type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret rejected: Failed to initialize ECDH curves P-256:X25519:secp384r1:secp256r1"}
> ```

I have not used the config with 1.13 before. I tried it only with 1.16, I guess.

@anannaya

anannaya commented Apr 22, 2023

We do use extra cipher suites at the gateway; would that be causing any issue here?

```yaml
  - hosts:
    - '*'
    port:
      name: https-default
      number: 443
      protocol: HTTPS
    tls:
      cipherSuites:
      - ECDHE-ECDSA-AES256-GCM-SHA384
      - ECDHE-RSA-AES256-GCM-SHA384
      - ECDHE-ECDSA-CHACHA20-POLY1305
      - ECDHE-RSA-CHACHA20-POLY1305
      - ECDHE-ECDSA-AES128-GCM-SHA256
      - ECDHE-RSA-AES128-GCM-SHA256
      credentialName: star-xxxxxxx-com-certs
      minProtocolVersion: TLSV1_2
      mode: SIMPLE
```

@kfaseela
Member Author

> Yes. I see this error in the ingress pods when I enable debug. Is any extra configuration required in Istio 1.13.2 to support ECDH configuration?
>
> ```
> {"level":"warning","time":"2023-04-21T11:45:36.557704Z","scope":"envoy config","msg":"gRPC config for type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret rejected: Failed to initialize ECDH curves P-256:X25519:secp384r1:secp256r1"}
> ```

Right now not with my laptop, but I think the name recognized by envoy is P-384 instead of secp384r1. I would have to check in detail tomorrow.

@kfaseela
Member Author

I just see the set of supported ECDH curves in Envoy as:

```
"P-224",
"P-256",
"P-521",
"P-384",
"X25519",
"CECPQ2",
```
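The rejection in this thread comes down to spelling: the `EnvoyFilter` listed `secp384r1` and `secp256r1`, Envoy (BoringSSL) only knows the `P-384` / `P-256` spellings quoted above, and it rejected the whole `tls_params` block with the "Failed to initialize ECDH curves" warning. The following is an added example, not code from Istio, Envoy or this issue: it maps the common OpenSSL/IANA curve names to the spellings Envoy accepts, de-duplicates the list, and parses that warning line out of the gateway's log so the offending names can be reported before an EnvoyFilter or `meshConfig` change is rolled out. The accepted-curve list is the one quoted in the comment above; the alias table is this example's own (the curve equivalences are standard), and the log line is a constructed copy of the one posted above.

```python
"""Check an ecdh_curves list against the names Envoy accepts (added example)."""
import re

# Curve names Envoy accepts in tls_params.ecdh_curves (the list quoted above).
ENVOY_ECDH_CURVES = ("P-224", "P-256", "P-384", "P-521", "X25519", "CECPQ2")

# OpenSSL/IANA spellings of the same curves, keyed in lower case. The
# equivalences are standard; which aliases to include is this example's choice.
CURVE_ALIASES = {
    "secp224r1": "P-224",
    "secp256r1": "P-256",
    "prime256v1": "P-256",
    "secp384r1": "P-384",
    "secp521r1": "P-521",
    "x25519": "X25519",
}

# Constructed sample: the Envoy warning from this thread, as the gateway logs it.
SAMPLE_LOG = (
    '{"level":"warning","time":"2023-04-21T11:45:36.557704Z","scope":"envoy config",'
    '"msg":"gRPC config for type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret '
    'rejected: Failed to initialize ECDH curves P-256:X25519:secp384r1:secp256r1"}'
)

# Envoy joins the rejected list with colons; stop at the closing quote or whitespace.
_REJECT_RE = re.compile(r"Failed to initialize ECDH curves ([^\"\s]+)")


def normalize_ecdh_curves(curves):
    """Map a configured curve list to Envoy's spelling.

    Returns (accepted, unmappable): the curves in Envoy spelling, de-duplicated
    in order, and the names that match neither Envoy's list nor a known alias.
    """
    accepted, unmappable = [], []
    for name in curves:
        canonical = name if name in ENVOY_ECDH_CURVES else CURVE_ALIASES.get(name.lower())
        if canonical is None:
            unmappable.append(name)
        elif canonical not in accepted:
            accepted.append(canonical)
    return accepted, unmappable


def curves_from_envoy_warning(log_line):
    """Pull the colon-joined curve list out of Envoy's rejection warning, or None."""
    match = _REJECT_RE.search(log_line)
    return match.group(1).split(":") if match else None


def diagnose(log_line):
    """Explain a rejected ecdh_curves list: which names Envoy does not know and
    what the list should say instead. Returns None for unrelated log lines."""
    configured = curves_from_envoy_warning(log_line)
    if configured is None:
        return None
    suggested, unmappable = normalize_ecdh_curves(configured)
    return {
        "configured": configured,
        "not_accepted": [c for c in configured if c not in ENVOY_ECDH_CURVES],
        "suggested": suggested,
        "unmappable": unmappable,
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    print("names Envoy rejected:", result["not_accepted"])
    print("use instead:         ", result["suggested"])
```

Running `normalize_ecdh_curves` over a list before applying it is the cheap check; `diagnose` is the after-the-fact version that runs over the gateway's log once Envoy has already refused the secret, which is the failure mode reported above (the listener keeps its previous TLS configuration, so the symptom is "nothing changed" rather than an outage).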

@anannaya

@kfaseela Yes working now. Thank you so much for help.

@anannaya

@kfaseela Need one more help: with TLS 1.3 it works, and 1.2 fails with the ECDH cipher? Is there any configuration we need here?

```
/usr/bin/curl -vvv --ciphers  ECDHE-ECDSA-AES256-GCM-SHA384   --curves secp384r1  https://MASKED
*   Trying 3.210.109.135:443...
* Connected to MASKED (cc) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* Cipher selection: ECDHE-ECDSA-AES256-GCM-SHA384
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: C=US; ST=California; L=San Jose; O=Cisco Systems, Inc.; CN=*.MASKED
*  start date: Jan  9 00:00:00 2023 GMT
*  expire date: Jan 31 23:59:59 2024 GMT
*  subjectAltName: host "MASKED" matched cert's "*.MASKED
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS RSA SHA256 2020 CA1
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing


/usr/bin/curl -vvv --ciphers  ECDHE-ECDSA-AES256-GCM-SHA384   --tlsv1.2 --tls-max 1.2  --curves secp384r1  https://MASKED
*   Trying 3.210.109.135:443...
* Connected to MASKED (3.210.109.135) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* Cipher selection: ECDHE-ECDSA-AES256-GCM-SHA384
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* error:1404B410:SSL routines:ST_CONNECT:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:1404B410:SSL routines:ST_CONNECT:sslv3 alert handshake failure
```

@kfaseela
Member Author

> @kfaseela Need one more help: with TLS 1.3 it works, and 1.2 fails with the ECDH cipher? Is there any configuration we need here?
>
> ```
> /usr/bin/curl -vvv --ciphers  ECDHE-ECDSA-AES256-GCM-SHA384   --curves secp384r1  https://MASKED
> *   Trying 3.210.109.135:443...
> * Connected to MASKED (cc) port 443 (#0)
> * ALPN: offers h2
> * ALPN: offers http/1.1
> * Cipher selection: ECDHE-ECDSA-AES256-GCM-SHA384
> *  CAfile: /etc/ssl/cert.pem
> *  CApath: none
> * (304) (OUT), TLS handshake, Client hello (1):
> * (304) (IN), TLS handshake, Server hello (2):
> * (304) (IN), TLS handshake, Unknown (8):
> * (304) (IN), TLS handshake, Certificate (11):
> * (304) (IN), TLS handshake, CERT verify (15):
> * (304) (IN), TLS handshake, Finished (20):
> * (304) (OUT), TLS handshake, Finished (20):
> * SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256
> * ALPN: server accepted h2
> * Server certificate:
> *  subject: C=US; ST=California; L=San Jose; O=Cisco Systems, Inc.; CN=*.MASKED
> *  start date: Jan  9 00:00:00 2023 GMT
> *  expire date: Jan 31 23:59:59 2024 GMT
> *  subjectAltName: host "MASKED" matched cert's "*.MASKED
> *  issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS RSA SHA256 2020 CA1
> *  SSL certificate verify ok.
> * Using HTTP2, server supports multiplexing
>
>
> /usr/bin/curl -vvv --ciphers  ECDHE-ECDSA-AES256-GCM-SHA384   --tlsv1.2 --tls-max 1.2  --curves secp384r1  https://MASKED
> *   Trying 3.210.109.135:443...
> * Connected to MASKED (3.210.109.135) port 443 (#0)
> * ALPN: offers h2
> * ALPN: offers http/1.1
> * Cipher selection: ECDHE-ECDSA-AES256-GCM-SHA384
> *  CAfile: /etc/ssl/cert.pem
> *  CApath: none
> * (304) (OUT), TLS handshake, Client hello (1):
> * error:1404B410:SSL routines:ST_CONNECT:sslv3 alert handshake failure
> * Closing connection 0
> curl: (35) error:1404B410:SSL routines:ST_CONNECT:sslv3 alert handshake failure
> ```

is TLS 1.2 working for you without ecdh curves?

@anannaya

anannaya commented Apr 24, 2023

@kfaseela yes, it works with TLS 1.2 without curves. I am suspecting it is something to do with the external DigiCert certificate which we have at the ingress layer, created using RSA. envoyproxy/envoy#8983??

```
/usr/bin/curl -vvv --ciphers  ECDHE-RSA-AES256-GCM-SHA384  --tlsv1.2 --tls-max 1.2   https://MASKED
*   Trying 18.214.248.70:443...
* Connected to MASKED (18.214.248.70) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* Cipher selection: ECDHE-RSA-AES256-GCM-SHA384
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject: C=US; ST=California; L=San Jose; O=Cisco Systems, Inc.; CN=*.MASKED
*  start date: Jan  9 00:00:00 2023 GMT
*  expire date: Jan 31 23:59:59 2024 GMT
*  subjectAltName: host "MASKED" matched cert's "*.MASKED"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS RSA SHA256 2020 CA1
*  SSL certificate verify ok.
```
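The three curl traces above are consistent with the RSA-certificate suspicion, and the mechanism is worth spelling out because it is independent of Istio: in TLS 1.2 the suite name pins the server's authentication algorithm, so `ECDHE-ECDSA-*` can only be negotiated by a server holding an ECDSA certificate and `ECDHE-RSA-*` by one holding an RSA certificate (the gateway's issuer is "DigiCert TLS RSA SHA256 2020 CA1"). In TLS 1.3 the suite names only an AEAD and a hash, and curl's `--ciphers` list applies to the TLS 1.2 suites only, which is why the first trace silently negotiates `AEAD-CHACHA20-POLY1305-SHA256` at 1.3 while the `--tls-max 1.2` run gets a handshake_failure alert. The following is an added example, not code from Istio, Envoy or this issue: it models that suite-versus-certificate rule from suite names alone (curve and signature-algorithm negotiation are deliberately out of scope) and reports which entries of the Gateway's `cipherSuites` list above can never be negotiated with an RSA certificate. The suite list and the `RSA` key type are taken from the thread; the prefix table is this example's own.

```python
"""Which TLS 1.2 suites a certificate can actually negotiate (added example)."""

# Authentication algorithm pinned by an OpenSSL-style TLS 1.2 suite name.
# This table is the example's own; it covers the suite families used above.
TLS12_AUTH_BY_PREFIX = (
    ("ECDHE-ECDSA-", "ECDSA"),
    ("ECDHE-RSA-", "RSA"),
    ("DHE-RSA-", "RSA"),
)

# Constructed inputs copied from this thread: the Gateway's cipherSuites and the
# key type of its DigiCert RSA certificate (check yours with
# `openssl x509 -in cert.pem -noout -text`).
GATEWAY_CIPHER_SUITES = [
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
]
GATEWAY_CERT_KEY_TYPE = "RSA"


def is_tls13_suite(suite):
    """TLS 1.3 suites name no key-exchange or auth algorithm: OpenSSL spells them
    TLS_AES_256_GCM_SHA384, BoringSSL/curl AEAD-CHACHA20-POLY1305-SHA256."""
    return suite.startswith("TLS_") or suite.startswith("AEAD-")


def required_cert_key_type(suite):
    """Key type the server certificate must have for this suite: 'RSA' or
    'ECDSA' for a TLS 1.2 suite, 'ANY' for a TLS 1.3 suite, None if unrecognised."""
    if is_tls13_suite(suite):
        return "ANY"
    for prefix, auth in TLS12_AUTH_BY_PREFIX:
        if suite.startswith(prefix):
            return auth
    return None


def negotiate(offered, cert_key_type, max_version):
    """Model the server's choice for a client offering `offered` suites with a
    maximum protocol version of "1.2" or "1.3". A TLS 1.3 suite is taken first
    when 1.3 is allowed (certificate-independent); otherwise the first TLS 1.2
    suite the certificate satisfies wins. Returns (version, suite) or None,
    the latter being the handshake_failure alert seen in the traces above."""
    if max_version == "1.3":
        for suite in offered:
            if is_tls13_suite(suite):
                return ("1.3", suite)
    for suite in offered:
        if required_cert_key_type(suite) == cert_key_type:
            return ("1.2", suite)
    return None


def unusable_suites(configured, cert_key_type):
    """Entries of a Gateway cipherSuites list that this certificate can never
    negotiate at TLS 1.2: dead configuration that only hides the real policy."""
    return [s for s in configured if required_cert_key_type(s) != cert_key_type]


if __name__ == "__main__":
    # curl --ciphers ECDHE-ECDSA-... leaves the default TLS 1.3 suites in place.
    print(negotiate(["ECDHE-ECDSA-AES256-GCM-SHA384", "AEAD-CHACHA20-POLY1305-SHA256"],
                    GATEWAY_CERT_KEY_TYPE, "1.3"))
    # --tlsv1.2 --tls-max 1.2 with the same list: nothing the RSA cert can serve.
    print(negotiate(["ECDHE-ECDSA-AES256-GCM-SHA384"], GATEWAY_CERT_KEY_TYPE, "1.2"))
    print("never negotiable with this cert:",
          unusable_suites(GATEWAY_CIPHER_SUITES, GATEWAY_CERT_KEY_TYPE))
```

The practical reading for a gateway that only holds an RSA certificate is that half of the `cipherSuites` list above is inert; keeping it is harmless to clients but misleading to whoever reviews the policy, and a client pinned to an `ECDHE-ECDSA` suite at TLS 1.2 will always be refused regardless of any curve setting.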
