emissary-ingress / emissary

open source Kubernetes-native API gateway for microservices built on the Envoy Proxy
https://www.getambassador.io
Apache License 2.0

SSL Handshake Failure When Mapping to External HTTPS Service (AWS CloudFront + S3) in Emissary Ingress #5609

Closed umjoshua closed 3 months ago

umjoshua commented 3 months ago

Issue Description: We are encountering an SSL handshake failure when attempting to map to an external HTTPS service hosted on AWS CloudFront with S3 origin. The error message we're receiving is:

upstream connect error or disconnect/reset before headers. reset reason: remote connection failure, transport failure reason: TLS error: 268436496:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE 268435610:SSL routines:OPENSSL_internal:HANDSHAKE_FAILURE_ON_CLIENT_HELLO

Mapping Configuration:

apiVersion: getambassador.io/v3alpha1
kind: Mapping
spec:
  bypass_auth: true
  host_rewrite: cdn.abc.com
  hostname: ***.**xyz.com
  precedence: 500
  prefix: /v4
  rewrite: /index.html
  service: 'https://cdn.abc.com'

Expected Behavior: The response should contain the HTML from CloudFront.

Additional Context:

Thank you for your attention to this matter.

umjoshua commented 3 months ago

The issue was solved by adding a TLSContext with the following configuration

apiVersion: getambassador.io/v3alpha1
kind: TLSContext
metadata:
  name: tls
spec:
  ambassador_id: ["ambassador-id"]
  secret: tlssecret
  sni: "cdn.abc.com"

And this TLSContext was referenced in the mapping file.
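As an added example (not the reporter's files or the Emissary project's own), the TLSContext and the Mapping that references it through the Mapping's tls field, wired together; the resource names, the ambassador_id value and the public hostname are placeholders:

```yaml
# Added example, not taken from the issue: the two resources the reported fix
# implies.  "cdn-origin-tls", "cdn-mapping", "ambassador-id" and
# "www.example.com" are placeholders.
---
apiVersion: getambassador.io/v3alpha1
kind: TLSContext
metadata:
  name: cdn-origin-tls
spec:
  ambassador_id: ["ambassador-id"]   # must match the Mapping's ambassador_id
  secret: tlssecret                  # kept from the reporter's configuration
  # SNI sent in the ClientHello when Emissary originates TLS to the upstream.
  # CloudFront serves most distributions only when SNI is present, so a
  # ClientHello without it is rejected with handshake_failure, which is the
  # alert seen in the reported error.
  sni: "cdn.abc.com"
---
apiVersion: getambassador.io/v3alpha1
kind: Mapping
metadata:
  name: cdn-mapping
spec:
  ambassador_id: ["ambassador-id"]   # same id as the TLSContext above
  hostname: "www.example.com"        # placeholder for the redacted hostname
  prefix: /v4
  rewrite: /index.html
  precedence: 500
  bypass_auth: true
  service: "https://cdn.abc.com"     # https:// scheme makes Emissary originate TLS
  host_rewrite: cdn.abc.com          # sets the HTTP Host header only, not the SNI
  tls: cdn-origin-tls                # TLSContext that supplies the SNI
```

The sni value must be a name the upstream certificate covers, and both resources must carry the same ambassador_id so the same Emissary instance picks up both.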