istio / istio

Connect, secure, control, and observe services.
https://istio.io
Apache License 2.0

SSL protocol error - no server hello #31455

Closed shortwavedave closed 3 years ago

shortwavedave commented 3 years ago

I set up cert-manager with a DNS ACME challenge on GKE. Certificate issuance for the wildcard domain is successful. The gateway is configured to redirect HTTP to HTTPS.

If I clear the cache on my browser and access the HTTPS endpoint, it at first does not respond (SSL_protocol_error, record too long, or wrong version number; I get all three, but Wireshark shows no server hello). If I hit the HTTP endpoint, I get the safebrowse warning. After clicking "proceed", the site correctly redirects to HTTPS and works. Executing from curl I get the same behavior; oddly enough, sometimes proceeding through the safebrowse warning in a browser fixes the issue in curl. After some time, the problem returns and HTTPS is inaccessible again.

There are no access logs associated with the blocked HTTPS call. After the safebrowse warning, the access logs look correct.

Any ideas why I might be seeing this and how to correct it?

Gateway (domains mangled):

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: prod-istio
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway   # binds this Gateway to the istio-ingressgateway pods
  servers:
  # Port 80 only answers with a 301 to https; no plaintext traffic is routed.
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - '*.mydomain.io'
    - mydomain.io
    tls:
      httpsRedirect: true
  # Port 443 terminates TLS at the ingress gateway. SIMPLE = server certificate
  # only, no client certificate. credentialName names a kubernetes.io/tls Secret
  # that must exist in the same namespace as the ingress gateway pods
  # (istio-system here), so the cert-manager Certificate has to write it there.
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - '*.mydomain.io'
    - mydomain.io
    tls:
      credentialName: mydomain-io-tls
      mode: SIMPLE
```

Virtual Service:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
  namespace: httpbin
spec:
  hosts:
  - "httpbin2.mydomain.io"   # covered by the Gateway's '*.mydomain.io' host entry
  gateways:
  - istio-system/prod-istio  # namespace/name of the Gateway above
  http:
  - match:                   # the uri entries are OR-ed: any one prefix matches
    - uri:
        prefix: /status
    - uri:
        prefix: /delay
    - uri:
        prefix: /headers
    route:
    - destination:
        port:
          number: 8000
        host: httpbin        # short name; resolves inside the httpbin namespace
```

shortwavedave commented 3 years ago

Ironically, online certificate and SSL checkers report no issues. But I still cannot access the HTTPS endpoint. I've now configured things such that a GKE load balancer ingress terminates SSL and the destination is an Istio gateway with no TLS. Same behavior.

shortwavedave commented 3 years ago

If anyone runs into this: I have a new Xfinity gateway router at home. Disabling Advanced Security fixes the issue; I guess it was only a problem from my house. Safebrowse is their software and it must be caching something.
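The thread's diagnosis boils down to one question: is the gateway misconfigured, or is something between the client and the cluster answering (or dropping) the connection? The browser errors reported above ("wrong version number", "record too long") mean bytes came back that were not a TLS record, and "no server hello" in Wireshark means the peer closed or reset after the ClientHello; an on-path box that instead completes the handshake with its own certificate shows up as a verification failure. The script below is an added example written for this page, not code from the issue or from the Istio project. It uses only Python's standard `ssl` and `socket` modules, labels each of those outcomes, and records the leaf certificate's SHA-256 so the same probe run from two vantage points (home network and a cloud shell or a pod in the cluster) can be compared. The `probe_local` harness and the two loopback peers (`_answer_plaintext`, `_drop`) are constructed stand-ins that reproduce the first two failure modes offline; the `PLAINTEXT_HTTP` response is constructed sample data.

```python
"""TLS handshake probe: tell a broken server apart from something on the path.

Outcome labels and the symptoms they correspond to:
  not_tls_on_wire             bytes arrived but were not a TLS record
                              ("wrong version number" / "record too long")
  closed_before_server_hello  peer closed or reset after the ClientHello
                              (no ServerHello on the wire)
  untrusted_certificate       a handshake happened but the chain does not verify
                              (a middlebox presenting its own certificate)
  handshake_ok                chain verified; issuer and leaf SHA-256 reported
"""
import hashlib
import socket
import ssl
import sys
import threading

# Constructed sample: what a plaintext HTTP listener answers to a ClientHello.
PLAINTEXT_HTTP = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

# OpenSSL reason mnemonics (plus Firefox's record-too-long wording) that all mean
# the first bytes received were not a TLS record.
NOT_TLS_MARKERS = (
    "WRONG_VERSION_NUMBER",
    "PACKET_LENGTH_TOO_LONG",
    "HTTP_REQUEST",
    "HTTPS_PROXY_REQUEST",
    "RECORD_TOO_LONG",
)


def classify_ssl_error(message):
    """Map an OpenSSL error string to one of the outcome labels above."""
    up = message.upper()
    if any(marker in up for marker in NOT_TLS_MARKERS):
        return "not_tls_on_wire"
    if "EOF" in up:
        return "closed_before_server_hello"
    if "CERTIFICATE" in up or "VERIFY" in up:
        return "untrusted_certificate"
    return "tls_error"


def probe(host, port=443, sni=None, timeout=5.0):
    """Open one TLS connection to host:port and describe what came back."""
    ctx = ssl.create_default_context()  # system CA store, hostname check on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni or host) as tls:
                der = tls.getpeercert(binary_form=True)
                info = tls.getpeercert()
                return {
                    "result": "handshake_ok",
                    "protocol": tls.version(),
                    "issuer": {k: v for rdn in info["issuer"] for k, v in rdn},
                    "sha256": hashlib.sha256(der).hexdigest(),
                }
    except ssl.SSLCertVerificationError as exc:
        return {"result": "untrusted_certificate", "detail": str(exc)}
    except ssl.SSLEOFError as exc:
        return {"result": "closed_before_server_hello", "detail": str(exc)}
    except ssl.SSLError as exc:
        return {"result": classify_ssl_error(str(exc)), "detail": str(exc)}
    except ConnectionResetError as exc:
        return {"result": "closed_before_server_hello", "detail": str(exc)}
    except OSError as exc:  # refused, timed out, unreachable
        return {"result": "no_response", "detail": str(exc)}


def same_certificate(a, b):
    """True when two vantage points completed the handshake and saw the same leaf."""
    return (a.get("result") == b.get("result") == "handshake_ok"
            and a["sha256"] == b["sha256"])


def _answer_plaintext(conn):
    """Constructed peer: reads the ClientHello and replies with HTTP, not TLS."""
    conn.recv(4096)
    conn.sendall(PLAINTEXT_HTTP)


def _drop(conn):
    """Constructed peer: reads the ClientHello and closes without answering."""
    conn.recv(4096)


def probe_local(handler):
    """Serve one loopback connection with `handler` and probe it (offline demo)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:          # closing the socket is what sends the FIN
            handler(conn)
        srv.close()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    try:
        return probe("127.0.0.1", port, sni="localhost")
    finally:
        worker.join(5.0)


if __name__ == "__main__":
    print("plaintext peer:", probe_local(_answer_plaintext)["result"])
    print("dropping peer: ", probe_local(_drop)["result"])
    if len(sys.argv) > 1:   # optional live probe: python probe.py host.example
        print(probe(sys.argv[1]))
```

Run the live probe from the network that fails and from one that works and feed both results to `same_certificate`: a matching SHA-256 points at the gateway or its access logs, while a different leaf, an `untrusted_certificate`, or a `closed_before_server_hello` seen from only one network points at something on that path, which is what the router's Advanced Security turned out to be here.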