[Feature Request]: Have tls server name (sni) set for outbound https connections #207
Comments
Thank you for submitting the feature request to AWS Private CA Issuer plugin. We will review the request and get back to you.
We would like to have some further clarification. Is this referring to the requests from the plugin -> acm-pca?
This is for outgoing https requests from the aws-acm-pca-aws-privateca-issuer pod to external endpoints. Currently Istio just sees outbound tcp connections on port 443 but since tls server name / sni is not set Istio can't tell what hostname the connection is for.
Thank you for the clarification. We will review the information and get back to you.
Hi @ceastman-r7 . We have placed this change in our priority queue, thank you for the suggestion.
Describe why this change is needed
In an Istio enabled environment when egress filtering is enabled, Istio uses the hostname / sni to do egress hostname matching.
If there is no tls server name / sni then Istio can't match the outbound tcp port 443 connection so it would block it.
Describe solutions and alternatives considered (optional)
Istio sidecar resource can allow all but that defeats the purpose of having Istio perform egress filtering.
Is there anything else you would like to add?
No response
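Added example, not code from the issue or from the aws-privateca-issuer project: a Go program that captures the SNI a crypto/tls client actually puts on the wire (with and without ServerName set) and applies an Istio-style hostname match to it, showing why a hello without SNI is blocked. The endpoint hostname and the allowlist are constructed, and the matcher is a simplified stand-in for Istio's egress hostname matching.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net"
	"strings"
)

// observeSNI plays the sidecar: a client built from cfg starts a handshake over an
// in-memory pipe; we record its ClientHello's server_name and then abort (no cert needed).
func observeSNI(cfg *tls.Config) string {
	clientSide, serverSide := net.Pipe()
	go func() {
		_ = tls.Client(clientSide, cfg).Handshake() // errors once we abort
		clientSide.Close()
	}()
	var sni string
	capture := &tls.Config{
		GetConfigForClient: func(h *tls.ClientHelloInfo) (*tls.Config, error) {
			sni = h.ServerName // "" when the ClientHello carries no SNI extension
			return nil, errors.New("client hello captured")
		},
	}
	_ = tls.Server(serverSide, capture).Handshake()
	serverSide.Close()
	return sni
}

// egressAllowed mirrors the decision Istio makes for an outbound TLS connection: the SNI
// is matched against allowed hostnames (exact or "*." wildcard); no SNI matches nothing.
func egressAllowed(sni string, allowedHosts []string) bool {
	s := strings.ToLower(sni)
	for _, h := range allowedHosts {
		h = strings.ToLower(h)
		if s != "" && (s == h || (strings.HasPrefix(h, "*.") && strings.HasSuffix(s, h[1:]))) {
			return true
		}
	}
	return false
}

func main() {
	allowed := []string{"*.amazonaws.com"} // constructed egress allowlist
	for _, name := range []string{"acm-pca.us-east-1.amazonaws.com", ""} {
		sni := observeSNI(&tls.Config{ServerName: name, InsecureSkipVerify: true})
		fmt.Printf("ServerName=%q -> SNI=%q allowed=%v\n", name, sni, egressAllowed(sni, allowed))
	}
}
```

InsecureSkipVerify is set only so the client sends its hello to the capture harness without a verifiable certificate; it plays no part in what the sidecar sees.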