Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ztunnel fails to connect istiod with COMPLIANCE_POLICY set to fips-140-2 for istiod #1296

Open
rubel-ahammad opened this issue Sep 9, 2024 · 5 comments
Open

ztunnel fails to connect istiod with COMPLIANCE_POLICY set to fips-140-2 for istiod #1296

rubel-ahammad opened this issue Sep 9, 2024 · 5 comments

Comments

@rubel-ahammad
Copy link

I am using Istio in Ambient mode. I have installed Istio (base, istiod, cni, ztunnel) version 1.23.0 using helm charts. So far everything works fine.

My application requires that TLS communications are FIPS compliant. So, I set 'COMPLIANCE_POLICY=fips-140-2' to make Istio FIPS compliant. Now the Ztunnel won't start as this cannot connect to istiod. This keeps giving me the following error message:

2024-09-09T07:44:21.037278Z    warn    xds::client:xds{id=73}    XDS client connection error: gRPC connection error connecting to https://istiod.istio-system.svc:15012: status: Unknown, message: "client error (Connect)", source: received fatal alert: ProtocolVersion, retrying in 15s

Looks like there is a Protocol Version mismatch between istiod and ztunnel.

  1. What should I do to fix this issue?
  2. What should I do to make Ztunnel FIPS compliant?
  3. Do I need to compile ztunnel with build arguments that uses BoringSSL?

I tried to lookup Docker Hub. But didn't find any ztunnel image variant that has BoringSSL. Your help is much appreciated.
@howardjohn
Copy link
Member

(3) Yes, --features tls-boring --no-default-features

This is due to istio/istio#52926 not being done. COMPLIANCE_POLICY makes istid only accept 1.2, but ztunnel only accepts 1.3, so currently there is a mismatch

@gil-tohar-cyera
Copy link

@howardjohn Following up:

1.how do we add build arguments to the Ztunnel helm chart? there is no indication in the helm chart documentation. Is it through an environment variable?

@howardjohn
Copy link
Member

@gil-tohar-cyera no, this is a custom build of ztunnel - you would need to build and push your own images and point to them.

@gil-tohar-cyera
Copy link

@howardjohn that's unfortunate...Do you know if there is any expect formal fix to this? I will try to build the image locally, but i see now reason why not to just publish another image then, ztunnel-fips, to save time for everyone

@gil-tohar-cyera
Copy link

And even if i build it myself, according to their README:
In all options, only TLS 1.3 with cipher suites TLS13_AES_256_GCM_SHA384 and TLS13_AES_128_GCM_SHA256 is used.

so the TLS mismatch would still persist if istiod is using FIPS TLS 1.2 and Ztunnel is using FIPS TLS 1.3...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@howardjohn @rubel-ahammad @gil-tohar-cyera