
Envoy rejecting self signed certificates after upgrade to 1.31.3 #38481

Open
VivekSubr opened this issue Feb 18, 2025 · 3 comments

Comments


VivekSubr commented Feb 18, 2025

Title: Envoy rejecting self signed certificates after upgrade to 1.31.3

Description:
We upgraded envoy from 1.27.1 to 1.31.3 (via istio upgrade), and noticed that TLS workflows using self-signed certs are broken.

After upgrade -

[2025-02-12T09:10:05.558Z] "POST /X1/NE HTTP/1.1" 503 URX,UF upstream_reset_before_response_started{remote_connection_failure|TLS_error:|268435581:SSL_routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED:TLS_error_end} - "TLS_error:|268435581:SSL_routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED:TLS_error_end" 754 239 50 - "192.168.205.17" "-" "899111cd-3047-4aef-8d35-6095e64ed8bb" "10.144.185.173" "10.144.185.173:443" outbound|443||31302e3134342e3138352e3137333a343433.com - 192.168.212.55:8443 192.168.205.17:48664 31302e3134342e3138352e3137333a343433.com -

Openssl s_client in istio-proxy container complains of this ->

istio-proxy@istio-egressgateway-li-7654d84db6-62p65:/$ openssl s_client -connect 10.144.185.173:443
CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 C = US, ST = Denial, L = Springfield, O = Dis, CN = litest.com
verify error:num=19:self-signed certificate in certificate chain

We thought it might be due to the new version preferring TLS 1.3, so we set max_tls_version to TLS_1_2, but it still throws "Certificate unknown error" (attached pcap screenshot) - equivalent to the 1.3 verify error.


Does envoy no longer accept self signed certs?

Repro steps:
Try to connect to a TLS server using self signed certs.

CC: @mramakrishnaprasad
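An added example, not from this issue or from Envoy/Istio: it parses the access-log line above into its fields, splits the logged BoringSSL error string apart, and counts CERTIFICATE_VERIFY_FAILED per upstream host, which is how a defender would size a breakage like this across proxy logs after an upgrade. It assumes Istio's default access-log field order; the second sample line is constructed.

```python
import re
from collections import Counter

# Two lines in the Istio/Envoy access-log format from this report: the 503 quoted
# in the issue, plus a constructed healthy request to the same upstream.
SAMPLE_LOG = """\
[2025-02-12T09:10:05.558Z] "POST /X1/NE HTTP/1.1" 503 URX,UF upstream_reset_before_response_started{remote_connection_failure|TLS_error:|268435581:SSL_routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED:TLS_error_end} - "TLS_error:|268435581:SSL_routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED:TLS_error_end" 754 239 50 - "192.168.205.17" "-" "899111cd-3047-4aef-8d35-6095e64ed8bb" "10.144.185.173" "10.144.185.173:443" outbound|443||31302e3134342e3138352e3137333a343433.com - 192.168.212.55:8443 192.168.205.17:48664 31302e3134342e3138352e3137333a343433.com -
[2025-02-12T09:10:06.001Z] "GET /healthz HTTP/1.1" 200 - via_upstream - "-" 0 2 3 2 "192.168.205.17" "-" "00000000-0000-4000-8000-000000000001" "10.144.185.173" "10.144.185.173:443" outbound|443||31302e3134342e3138352e3137333a343433.com - 192.168.212.55:8443 192.168.205.17:48665 31302e3134342e3138352e3137333a343433.com -
"""

# Field order (assumed Istio default): status, flags, RESPONSE_CODE_DETAILS, termination
# details, quoted UPSTREAM_TRANSPORT_FAILURE_REASON, byte/duration counters, then the
# quoted XFF, UA, request id, authority and upstream host, followed by the cluster name.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d+) (?P<flags>\S+) (?P<details>\S+) (?P<term>\S+) '
    r'"(?P<upstream_failure>[^"]*)" \d+ \d+ \d+ \S+ "[^"]*" "[^"]*" "(?P<req_id>[^"]*)" '
    r'"(?P<authority>[^"]*)" "(?P<upstream_host>[^"]*)" (?P<cluster>\S+) '
)
# BoringSSL's error string as Envoy logs it: packed code, library, function, reason.
TLS_RE = re.compile(r"TLS_error:\|(\d+):(\w+):(\w+):(\w+):TLS_error_end")


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def parse_tls_error(failure_reason):
    """Split the TLS_error string; "-" (no transport failure) yields None."""
    # BoringSSL packs the library id into the top byte and the reason code into the
    # low 12 bits (ERR_GET_LIB / ERR_GET_REASON), so the number and the names agree.
    m = TLS_RE.search(failure_reason)
    if not m:
        return None
    code = int(m.group(1))
    return {"code": code, "lib": (code >> 24) & 0xFF, "reason_code": code & 0xFFF,
            "library": m.group(2), "function": m.group(3), "reason": m.group(4)}


def summarize(log_text):
    """Count upstream TLS failures (UF flag plus a TLS_error) per upstream host and reason."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or "UF" not in rec["flags"].split(","):
            continue
        tls = parse_tls_error(rec["upstream_failure"])
        if tls:
            hits[(rec["upstream_host"], tls["reason"])] += 1
    return hits
```

Feeding a sidecar's full access log through `summarize` gives one counter per (upstream, reason) pair, so a verify failure confined to hosts presenting self-signed chains stands out from unrelated 5xx traffic.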

@VivekSubr VivekSubr added bug triage Issue requires triage labels Feb 18, 2025
@adisuissa adisuissa added area/tls area/certificates and removed triage Issue requires triage labels Feb 18, 2025
adisuissa (Contributor) commented:

Thanks for raising this issue.
I wonder if it is related to a boringssl change (see other issue).
cc @ggreenway who may have more context.

I guess there's a question of whether this behavior changed in Envoy v1.31, or was it introduced earlier. Have you tried Envoy v1.30?

VivekSubr (Author) commented:

@adisuissa, well no - we're pretty much tied to envoy 1.31 since we are upgrading to istio 1.23

adisuissa (Contributor) commented:

I guess that Istio 1.22 can be used to test whether the breakage was introduced in v1.31 or before (https://istio.io/latest/docs/releases/supported-releases/#supported-envoy-versions).
Feel free to introduce a test, and suggest a patch, if possible.
