
[Feature Request]: Have tls server name (sni) set for outbound https connections

Open ceastman-r7 opened this issue 2 years ago • 6 comments

Describe why this change is needed

In an Istio enabled environment when egress filtering is enabled, Istio uses the hostname / sni to do egress hostname matching.

If there is no tls server name / sni then Istio can't match the outbound tcp port 443 connection so it would block it.

Describe solutions and alternatives considered (optional)

Istio sidecar resource can allow all but that defeats the purpose of having Istio perform egress filtering.

Is there anything else you would like to add?

No response

ceastman-r7 avatar Jun 27 '22 15:06 ceastman-r7

Thank you for submitting the feature request to AWS Private CA Issuer plugin. We will review the request and get back to you.

varunvallabhan52 avatar Jun 27 '22 17:06 varunvallabhan52

We would like to have some further clarification. Is this referring to the requests from the plugin -> acm-pca?

varunvallabhan52 avatar Jun 27 '22 20:06 varunvallabhan52

This is for outgoing https requests from the aws-acm-pca-aws-privateca-issuer pod to external endpoints. Currently Istio just sees outbound tcp connections on port 443 but since tls server name / sni is not set Istio can't tell what hostname the connection is for.

ceastman-r7 avatar Jun 27 '22 21:06 ceastman-r7

For instance: [screenshot: Screen Shot 2022-06-27 at 4 48 43 PM]

ceastman-r7 avatar Jun 27 '22 21:06 ceastman-r7
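Added example, not code from the plugin or from anyone in this thread: a Go check that reports the SNI a server actually receives for an outbound HTTPS request. It assumes a loopback net/http/httptest server and the name example.com, which the httptest certificate covers. With tls.Config.ServerName left empty and the dial going to an IP, Go omits SNI entirely, which is the connection Istio cannot match; setting ServerName on the transport is what makes the hostname visible in the ClientHello.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// ObservedSNI sends one HTTPS request to a local test server using a transport
// whose TLS ServerName is set as given, and returns the server_name the server
// saw in the ClientHello: the value an egress proxy such as Istio matches on.
// Assumption: the httptest certificate is valid for both "example.com" and
// 127.0.0.1, so either ServerName passes certificate verification.
func ObservedSNI(serverName string) (string, error) {
	seen := make(chan string, 1)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusNoContent)
	}))
	srv.TLS = &tls.Config{
		// Runs on every handshake; records the SNI before any certificate is chosen.
		GetConfigForClient: func(h *tls.ClientHelloInfo) (*tls.Config, error) {
			seen <- h.ServerName // "" when the ClientHello carries no SNI
			return nil, nil
		},
	}
	srv.StartTLS()
	defer srv.Close()

	client := srv.Client() // trusts the test server's certificate
	tr := client.Transport.(*http.Transport)
	tr.TLSClientConfig.ServerName = serverName // the knob this feature request is about
	resp, err := client.Get(srv.URL)          // srv.URL is https://127.0.0.1:<port>
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return <-seen, nil
}

func main() {
	for _, name := range []string{"", "example.com"} {
		sni, err := ObservedSNI(name)
		fmt.Printf("ServerName=%q -> SNI seen by server=%q err=%v\n", name, sni, err)
	}
}
```

Running it shows the empty ServerName case producing an empty SNI, which is the traffic shape described in this issue, and the explicit ServerName case producing "example.com".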

Thank you for the clarification. We will review the information and get back to you.

varunvallabhan52 avatar Jun 27 '22 22:06 varunvallabhan52

Hi @ceastman-r7. We have placed this change in our priority queue, thank you for the suggestion.

divyansh-gupta avatar Jul 05 '22 19:07 divyansh-gupta