Enable TLS 1.3 on the client-side by default

[PiotrSikora]

Currently, TLS 1.3 is NOT enabled by default on the client-side, because the handshake changed a bit in TLS 1.3, and is considered completed on the client-side as soon as the requested client certificate is sent, i.e. before server validates the presented client certificate. This means that the client-side transport socket reports connection as established, and the client starts sending data without knowing if the server is going to accept the client certificate, which makes handling failures a bit tricky with respect to retries and buffering, and makes enabling TLS 1.3 on client-side significantly more difficult than simply changing the maximum supported protocol version.

cc @mattklein123 @lizan @derekargueta

[yaronf]

Just for the record, authentication failures (where the server decides that the client cert is invalid) are in general not retryable. Resending the handshake message is basically guaranteed to fail.

[PiotrSikora]

Just for the record, authentication failures (where the server decides that the client cert is invalid) are in general not retryable. Resending the handshake message is basically guaranteed to fail.

To the same endpoint, yes. But retries are usually sent to different endpoints than the one that failed.

[hobbytp]

cc @PiotrSikora @mattklein123 @lizan @derekargueta

I tried to test sidecar/envoyproxy(1.15) in istio1.7 as client (istio sleep + sidecar ) with TLS1.3 (configured by envoy filter) for TLS origination (configure ServiceEntry and DestinationRule) to connect to some http2/TLS1.3 servers, and it can work as below.
Do you know why TLS1.3 for client can work? Because as I understand, with this issue, it shall not work, or any thing I missed?

1. www.google.com, and www.facebook.com can work with TLS1.3 with envoyfilter + TLS origination.
2. banzaicloud.com can work, but still need to add sni in DestinationRule.
3. http2.pro need to add a fixing (envoy filter patch in http alpn override applied to external services breaks connections istio/istio#24619) before it can work.

apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: google-com
  namespace: hobby
spec:
  hosts:
  - www.google.com
  location: MESH_EXTERNAL
  ports:
  - name: http-port-for-tls-origination
    number: 443
    protocol: HTTP
  resolution: NONE
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: google-com
  namespace: hobby
spec:
  host: www.google.com
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: SIMPLE
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: goole-com
  namespace: hobby
spec:
  configPatches:
  - applyTo: CLUSTER
    match:
      cluster:
        portNumber: 443
        service: www.google.com
      context: SIDECAR_OUTBOUND
    patch:
      operation: MERGE
      value:
        transport_socket:
          typed_config:
            '@type': type.googleapis.com/envoy.api.v2.auth.UpstreamTlsContext
            common_tls_context:
              tls_params:
                tls_maximum_protocol_version: TLSv1_3
                tls_minimum_protocol_version: TLSv1_3
  workloadSelector:
    labels:
      app: sleep  # modify this for your pod

The test curl command is as below:
kubectl exec -it sleep-8f795f47d-ddzr9 -n hobby -- curl --http2-prior-knowledge -v -sL -o /dev/null -D - http://banzaicloud.com:443

I also update here : https://discuss.istio.io/t/configuring-tls-versions/2273/13

[PiotrSikora]

Do you know why TLS1.3 for client can work? Because as I understand, with this issue, it shall not work, or any thing I missed?

TLS 1.3 works fine, but it's not enabled by default, because there are some edge cases around retries (e.g. when using client certificates), that are not currently handled by Envoy.

[sha-rath]

Yes, I applied the EnvoyFilter to enable TLSv1.3 and it seems to be working fine. I did a couple of tests after applying the retry policies both in the simple TLS and mTLS modes, but could not find any issues you were mentioning @PiotrSikora . I also tried certificate rotation and querying the server with an invalid certificate, but they seem to work fine as expected. Could you please explain those edge cases around retires that would not work with TLSv1.3 on the client-side? It would be really helpful, thanks!

[hobbytp]

@PiotrSikora is this issue a boringssl issue or envoy proxy issue?
Is it related to issue https://boringssl-review.googlesource.com/c/boringssl/+/37304

HelloRetryRequest getter: 

Adds getter indicating whether HelloRetryRequest was triggered
during TLSv1.3 handshake.

thanks for clarification.

[romanholidaypancakes]

My traffic passes through envoy to nginx, once nginx sets ssl_protocols TLSv1.3;, the following error appears

I set ssl_protocols TLSv1.2; everything works fine

[hobbytp]

istio update it here: istio/istio#37540