Thanks @Laurent LA Asselborn, after setting the SNI in the junction it goes into the running state. But after a few minutes the junction goes again into the not running state, with this error in the log:
DPWIV1228W WebSEAL could not establish a secure connection to the server, profile-manager-pre-prod.gcp.groupamait.groupama.loc, for the /PP_PManagerGCP junction (Function call: gsk_secure_soc_init; failed error: 0x196 GSK_ERROR_IO).
2021-03-18-11:20:35.771+01:00I----- 0x38CF07E9 webseald WARNING wwa jct RemoteJunction.cpp 2155 0x7fc30fe3c700
DPWWA2025W IBM Security Access Manager WebSEAL has lost contact with junction (/PP_PManagerGCP) server: profile-manager-pre-prod.gcp.groupamait.groupama.loc
2021-03-18-11:20:41.930+01:00I----- 0x38AD54CC webseald WARNING wiv ssl SSLConnection.cpp 2401 0x7fc310558700
DPWIV1228W WebSEAL could not establish a secure connection to the server, profile-manager-pre-prod.gcp.groupamait.groupama.loc, for the /PP_PManagerGCP junction (Function call: gsk_secure_soc_init; failed error: 0x196 GSK_ERROR_IO).
2021-03-18-11:20:51.972+01:00I----- 0x38AD54CC webseald WARNING wiv ssl SSLConnection.cpp 2401 0x7fc30e866700
DPWIV1228W WebSEAL could not establish a secure connection to the server, nx-web-pre-prod.gcp.groupamait.groupama.loc, for the /PP_GCP_nexus-web junction (Function call: gsk_secure_soc_init; failed error: 0x196 GSK_ERROR_IO).
2021-03-18-11:20:52.822+01:00I----- 0x38AD54CC webseald WARNING wiv ssl SSLConnection.cpp 2401 0x7fc30f761700
DPWIV1228W WebSEAL could not establish a secure connection to the server, nx-web-pre-prod.gcp.groupamait.groupama.loc, for the /PP_GCP_nexus-web junction (Function call: gsk_secure_soc_init; failed error: 0x196 GSK_ERROR_IO).
2021-03-18-11:20:53.462+01:00I----- 0x38AD54CC webseald WARNING wiv ssl SSLConnection.cpp 2401 0x7fc30ff40700
DPWIV1228W WebSEAL could not establish a secure connection to the server, nx-web-pre-prod.gcp.groupamait.groupama.loc, for the /PP_GCP_nexus-web junction (Function call: gsk_secure_soc_init; failed error: 0x196 GSK_ERROR_IO).
2021-03-18-11:20:53.998+01:00I----- 0x38AD54CC webseald WARNING wiv ssl SSLConnection.cpp 2401 0x7fc30e005700
DPWIV1228W WebSEAL could not establish a secure connection to the server, nx-web-pre-prod.gcp.groupamait.groupama.loc, for the /PP_GCP_nexus-web junction (Function call: gsk_secure_soc_init; failed error: 0x196 GSK_ERROR_IO).
2021-03-18-11:20:54.448+01:00I----- 0x38AD54CC webseald WARNING wiv ssl SSLConnection.cpp 2401 0x7fc310044700
DPWIV1228W WebSEAL could not establish a secure connection to the server, nx-web-pre-prod.gcp.groupamait.groupama.loc, for the /PP_GCP_nexus-web junction (Function call: gsk_secure_soc_init; failed error: 0x196 GSK_ERROR_IO).
2021-03-18-11:20:54.910+01:00I----- 0x38AD54CC webseald WARNING wiv ssl SSLConnection.cpp 2401 0x7fc30e96a700
DPWIV1228W WebSEAL could not establish a secure connection to the server, nx-web-pre-prod.gcp.groupamait.groupama.loc, for the /PP_GCP_nexus-web junction (Function call: gsk_secure_soc_init; failed error: 0x196 GSK_ERROR_IO).
2021-03-18-11:20:55.437+01:00I----- 0x38AD54CC webseald WARNING wiv ssl SSLConnection.cpp 2401 0x7fc30ecb7700
DPWIV1228W WebSEAL could not establish a secure connection to the server, nx-web-pre-prod.gcp.groupamait.groupama.loc, for the /PP_GCP_nexus-web junction (Function call: gsk_secure_soc_init; failed error: 0x196 GSK_ERROR_IO).
2021-03-18-11:21:03.438+01:00I----- 0x38AD54CC webseald WARNING wiv ssl SSLConnection.cpp 2401 0x7fc31069d700
DPWIV1228W WebSEAL could not establish a secure connection to the server, nx-web-pre-prod.gcp.groupamait.groupama.loc, for the /PP_GCP_nexus-web junction (Function call: gsk_secure_soc_init; failed error: 0x196 GSK_ERROR_IO).
2021-03-18-11:21:04.393+01:00I----- 0x38AD54CC webseald WARNING wiv ssl SSLConnection.cpp 2401 0x7fc310864700
DPWIV1228W WebSEAL could not establish a secure connection to the server, nx-web-pre-prod.gcp.groupamait.groupama.loc, for the /PP_GCP_nexus-web junction (Function call: gsk_secure_soc_init; failed error: 0x196 GSK_ERROR_IO).
2021-03-18-11:21:04.775+01:00I----- 0x38AD54CC webseald WARNING wiv ssl SSLConnection.cpp 2401 0x7fc30ecf8700
DPWIV1228W WebSEAL could not establish a secure connection to the server, nx-web-pre-prod.gcp.groupamait.groupama.loc, for the /PP_GCP_nexus-web junction (Function call: gsk_secure_soc_init; failed error: 0x196 GSK_ERROR_IO).
2021-03-18-11:21:05.061+01:00I----- 0x38AD54CC webseald WARNING wiv ssl SSLConnection.cpp 2401 0x7fc30e8e8700
DPWIV1228W WebSEAL could not establish a secure connection to the server, nx-web-pre-prod.gcp.groupamait.groupama.loc, for the /PP_GCP_nexus-web junction (Function call: gsk_secure_soc_init; failed error: 0x196 GSK_ERROR_IO).
2021-03-18-11:21:05.955+01:00I----- 0x38AD54CC webseald WARNING wiv ssl SSLConnection.cpp 2401 0x7fc31028d700
DPWIV1228W WebSEAL could not establish a secure connection to the server, nx-web-pre-prod.gcp.groupamait.groupama.loc, for the /PP_GCP_nexus-web junction (Function call: gsk_secure_soc_init; failed error: 0x196 GSK_ERROR_IO).
2021-03-18-11:21:06.207+01:00I----- 0x38AD54CC webseald WARNING wiv ssl SSLConnection.cpp 2401 0x7fc30f8a6700
DPWIV1228W WebSEAL could not establish a secure connection to the server, nx-web-pre-prod.gcp.groupamait.groupama.loc, for the /PP_GCP_nexus-web junction (Function call: gsk_secure_soc_init; failed error: 0x196 GSK_ERROR_IO).
2021-03-18-11:21:06.580+01:00I----- 0x38AD54CC webseald WARNING wiv ssl SSLConnection.cpp 2401 0x7fc30e311700
DPWIV1228W WebSEAL could not establish a secure connection to the server, nx-web-pre-prod.gcp.groupamait.groupama.loc, for the /PP_GCP_nexus-web junction (Function call: gsk_secure_soc_init; failed error: 0x196 GSK_ERROR_IO).
2021-03-18-11:21:06.915+01:00I----- 0x38AD54CC webseald WARNING wiv ssl SSLConnection.cpp 2401 0x7fc30eb31700
DPWIV1228W WebSEAL could not establish a secure connection to the server, nx-web-pre-prod.gcp.groupamait.groupama.loc, for the /PP_GCP_nexus-web junction (Function call: gsk_secure_soc_init; failed error: 0x196 GSK_ERROR_IO).
I can't figure out the problem! Could you help me?
------------------------------
Matteo Longo
------------------------------
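An added triage script for the webseald log quoted above (this is not code from the thread or from IBM's product): it pairs each header line with the DPW* message line that follows it, then aggregates per junction, so a junction that flaps between running and not running shows up as a repeating DPWIV1228W/DPWWA2025W sequence with first and last timestamps. The format assumptions (header line, then one message line; the two phrasings for junction and server) are taken only from this excerpt, and the sample input is the thread's own log trimmed to a few entries. The GSK_ERROR_IO text records an I/O failure during the handshake, which is what the summary surfaces next to the junction name.

```python
"""Triage WebSEAL junction TLS warnings from a webseald log excerpt.

Added example for this thread; not IBM code. SAMPLE_LOG is trimmed from the
log quoted in the thread, and the line-format assumptions come only from it.
"""
import re
from collections import defaultdict
from datetime import datetime

# Header: timestamp, hex id, process, level, component, subcomponent, source file, line, thread id
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2}\.\d{3}[+-]\d{2}:\d{2})I-----\s+0x[0-9A-Fa-f]+\s+"
    r"(?P<proc>\S+)\s+(?P<level>[A-Z]+)\s+(?P<comp>\S+)\s+(?P<sub>\S+)\s+(?P<file>\S+)\s+\d+\s+0x[0-9A-Fa-f]+$"
)
MSG_RE = re.compile(r"^(?P<code>DPW[A-Z]+\d+[A-Z])\s+(?P<text>.+)$")
# The excerpt uses two phrasings for the junction and two for the server
JUNCTION_RE = re.compile(r"for the (/\S+) junction|junction \((/[^)]+)\)")
SERVER_RE = re.compile(r"to the server, ([^,]+),|server:\s*(\S+)")
GSK_RE = re.compile(r"failed error: (0x[0-9A-Fa-f]+ \w+)")


def _first_group(regex, text):
    m = regex.search(text)
    return next((g for g in m.groups() if g), None) if m else None


def parse_timestamp(ts):
    # WebSEAL writes 2021-03-18-11:20:35.771+01:00; %z accepts the colon form (Python 3.7+)
    return datetime.strptime(ts, "%Y-%m-%d-%H:%M:%S.%f%z")


def parse_webseald_log(text):
    """Pair each header line with the message line after it.

    A message line with no preceding header (the excerpt starts with one)
    is kept, with timestamp and level set to None.
    """
    events, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        h = HEADER_RE.match(line)
        if h:
            pending = h.groupdict()
            continue
        m = MSG_RE.match(line)
        if not m:
            pending = None
            continue
        body = m.group("text")
        events.append({
            "timestamp": parse_timestamp(pending["ts"]) if pending else None,
            "level": pending["level"] if pending else None,
            "code": m.group("code"),
            "junction": _first_group(JUNCTION_RE, body),
            "server": _first_group(SERVER_RE, body),
            "gsk_error": _first_group(GSK_RE, body),
        })
        pending = None
    return events


def summarize_by_junction(events, flap_threshold=3):
    """Aggregate per junction; flag junctions failing at least flap_threshold times."""
    summary = defaultdict(lambda: {"count": 0, "codes": set(), "servers": set(),
                                   "gsk_errors": set(), "first": None, "last": None})
    for ev in events:
        if not ev["junction"]:
            continue
        s = summary[ev["junction"]]
        s["count"] += 1
        s["codes"].add(ev["code"])
        if ev["server"]:
            s["servers"].add(ev["server"])
        if ev["gsk_error"]:
            s["gsk_errors"].add(ev["gsk_error"])
        ts = ev["timestamp"]
        if ts is not None:
            s["first"] = ts if s["first"] is None or ts < s["first"] else s["first"]
            s["last"] = ts if s["last"] is None or ts > s["last"] else s["last"]
    for s in summary.values():
        s["flapping"] = s["count"] >= flap_threshold
    return dict(summary)


# Sample input: trimmed from the webseald log quoted in the thread
SAMPLE_LOG = """DPWIV1228W WebSEAL could not establish a secure connection to the server, profile-manager-pre-prod.gcp.groupamait.groupama.loc, for the /PP_PManagerGCP junction (Function call: gsk_secure_soc_init; failed error: 0x196 GSK_ERROR_IO).
2021-03-18-11:20:35.771+01:00I----- 0x38CF07E9 webseald WARNING wwa jct RemoteJunction.cpp 2155 0x7fc30fe3c700
DPWWA2025W IBM Security Access Manager WebSEAL has lost contact with junction (/PP_PManagerGCP) server: profile-manager-pre-prod.gcp.groupamait.groupama.loc
2021-03-18-11:20:41.930+01:00I----- 0x38AD54CC webseald WARNING wiv ssl SSLConnection.cpp 2401 0x7fc310558700
DPWIV1228W WebSEAL could not establish a secure connection to the server, profile-manager-pre-prod.gcp.groupamait.groupama.loc, for the /PP_PManagerGCP junction (Function call: gsk_secure_soc_init; failed error: 0x196 GSK_ERROR_IO).
2021-03-18-11:20:51.972+01:00I----- 0x38AD54CC webseald WARNING wiv ssl SSLConnection.cpp 2401 0x7fc30e866700
DPWIV1228W WebSEAL could not establish a secure connection to the server, nx-web-pre-prod.gcp.groupamait.groupama.loc, for the /PP_GCP_nexus-web junction (Function call: gsk_secure_soc_init; failed error: 0x196 GSK_ERROR_IO).
2021-03-18-11:20:52.822+01:00I----- 0x38AD54CC webseald WARNING wiv ssl SSLConnection.cpp 2401 0x7fc30f761700
DPWIV1228W WebSEAL could not establish a secure connection to the server, nx-web-pre-prod.gcp.groupamait.groupama.loc, for the /PP_GCP_nexus-web junction (Function call: gsk_secure_soc_init; failed error: 0x196 GSK_ERROR_IO).
2021-03-18-11:20:53.462+01:00I----- 0x38AD54CC webseald WARNING wiv ssl SSLConnection.cpp 2401 0x7fc30ff40700
DPWIV1228W WebSEAL could not establish a secure connection to the server, nx-web-pre-prod.gcp.groupamait.groupama.loc, for the /PP_GCP_nexus-web junction (Function call: gsk_secure_soc_init; failed error: 0x196 GSK_ERROR_IO).
"""

if __name__ == "__main__":
    for junction, s in summarize_by_junction(parse_webseald_log(SAMPLE_LOG)).items():
        print(junction, s["count"], "flapping" if s["flapping"] else "ok", sorted(s["codes"]))
```

Feed it the full log rather than the excerpt and the first/last timestamps per junction show whether the failures cluster a few minutes after each restart, which is the pattern described in the reply above.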
Original Message:
Sent: Tue March 16, 2021 06:24 AM
From: Laurent LA Asselborn
Subject: Istio gateway and SSL junctions not running
I don't know Istio, so I don't know how it handles certificates. But what I have seen with some application servers is that it matters with which hostname it is called.
I had cases where I had to add an SNI (Server Name Indicator) in the junction definition to get the correct certificate.
------------------------------
Laurent LA Asselborn
Original Message:
Sent: Mon March 15, 2021 05:34 PM
From: Matteo Longo
Subject: Istio gateway and SSL junctions not running
Thanks Scott for the response, I have no error but the junction state is not running. Yes, I have added the certificate to the WebSEAL key store, but I can't figure out the problem. When WebSEAL tries to make the SSL handshake I can see:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes
---
Maybe WebSEAL is trying to make the SSL handshake on the IP of the hostname that I've supplied? Because it says that it can't find the peer certificate.
I think that it's trying to make the SSL handshake to the IP of the Istio ingress gateway, which is a TCP load balancer without an SSL certificate; in order to work it must do the SSL handshake with the hostname that I have supplied! I can't figure out what it is doing!
------------------------------
Matteo Longo
Original Message:
Sent: Mon March 15, 2021 04:32 PM
From: Scott Exton
Subject: Istio gateway and SSL junctions not running
Matteo,
What is the error you are seeing when you attempt to create the junction? Have you added the server CA certificate to the WebSEAL key file? I see from the openssl output that you are using a self-signed certificate, and so you should be able to 'load' the certificate directly from the server using the 'SSL Certificates' panel in the LMI.
Scott A. Exton
Senior Software Engineer
Chief Programmer - IBM Security Verify Access
IBM Master Inventor
Original Message:
Sent: 3/15/2021 8:25:00 AM
From: Matteo Longo
Subject: Istio gateway and SSL junctions not running
Hi, we are trying to make an SSL junction between WebSEAL and the Istio ingress gateway, but the junction remains in the not running state with the following error, caused by an SSL handshake error:
CONNECTED(00000005)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1615806016
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
write:errno=104
We are trying to make the junction with the hostname of the Istio ingress gateway IP on port 443; where is the problem?
If I try to make the handshake with openssl it works without problems:
openssl s_client -connect [hostname]:443 -cert [/path/to/cert] -key [path/to/key] <<< "Q"
verify error:num=18:self signed certificate
verify return:1
verify return:1
---
Certificate chain
....
---
Server certificate
-----BEGIN CERTIFICATE-----
.....
-----END CERTIFICATE-----
subject...
issuer....
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1629 bytes and written 421 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-CHACHA20-POLY1305
Session-ID: A7596B0E05C16393DC074B9437CF788E013ED194ADF2356A3D8767408F2473ED
Session-ID-ctx:
Master-Key: 9AB457C298D493EBABF9BB166A6894CAFA389014343A794BF650A8FB43469D41ED06F3BE27D5C53E178D736EC9202C54
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
.....
Start Time: 1615807758
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
Extended master secret: yes
---
DONE
------------------------------
Matteo Longo
------------------------------
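The two s_client outputs quoted in this post differ in a way that is worth checking mechanically, so here is an added example (not code from the thread, from IBM or from OpenSSL) that classifies pasted s_client output. In the first run the peer closed the connection right after the ClientHello: 0 bytes read, Cipher is (NONE), and write:errno=104, which is ECONNRESET on Linux. The second run completed the handshake and failed only on trust (Verify return code 18, self signed certificate). One reason the manual test can pass while the junction fails is that OpenSSL 1.1.1 and later send SNI taken from the -connect host by default; -servername sets it explicitly and -noservername suppresses it, which lets you reproduce a client that omits SNI for comparison. probe() shells out to a real openssl binary and needs network access, so the host you give it is your own choice; only the pure classifier and the argv builder are exercised offline.

```python
"""Classify `openssl s_client` output: handshake dropped by the peer versus
handshake completed with a certificate-verification failure.

Added example for this thread; not code from the original post, IBM or
OpenSSL. The two samples are abridged copies of the output quoted above.
"""
import re
import subprocess

READ_WRITE_RE = re.compile(r"SSL handshake has read (\d+) bytes and written (\d+) bytes")
CIPHER_RE = re.compile(r"^New, (?P<proto>[^,]+), Cipher is (?P<cipher>\S+)", re.M)
VERIFY_RE = re.compile(r"Verify return code: (\d+) \(([^)]*)\)")
ERRNO_RE = re.compile(r"^(?:write|read):errno=(\d+)", re.M)


def classify_s_client(output):
    """Return parsed facts plus a verdict.

    Order matters: a run that never received a ServerHello still prints
    'Verify return code: 0 (ok)' because nothing was verified, so the
    aborted-handshake check has to come before the verification check.
    """
    rw = READ_WRITE_RE.search(output)
    read_bytes = int(rw.group(1)) if rw else None
    written_bytes = int(rw.group(2)) if rw else None
    c = CIPHER_RE.search(output)
    cipher = c.group("cipher") if c else None
    v = VERIFY_RE.search(output)
    verify_code = int(v.group(1)) if v else None
    verify_text = v.group(2) if v else None
    e = ERRNO_RE.search(output)
    errno = int(e.group(1)) if e else None

    if read_bytes == 0 or cipher in (None, "(NONE)"):
        # TCP connected and the ClientHello went out, but the peer closed
        # without answering; errno 104 is ECONNRESET on Linux.
        verdict = "handshake_aborted_by_peer"
    elif verify_code not in (None, 0):
        verdict = "handshake_ok_verification_failed"
    else:
        verdict = "handshake_ok"

    return {
        "verdict": verdict,
        "read_bytes": read_bytes,
        "written_bytes": written_bytes,
        "cipher": None if cipher == "(NONE)" else cipher,
        "verify_code": verify_code,
        "verify_text": verify_text,
        "errno": errno,
        "peer_cert_present": "no peer certificate available" not in output,
    }


def s_client_argv(host, port=443, servername=None, cert=None, key=None):
    """Build the s_client command line; -servername sets the SNI explicitly."""
    argv = ["openssl", "s_client", "-connect", f"{host}:{port}"]
    if servername:
        argv += ["-servername", servername]
    if cert:
        argv += ["-cert", cert]
    if key:
        argv += ["-key", key]
    return argv


def probe(host, port=443, servername=None, timeout=15):
    """Run s_client against a live host and classify the result (network needed)."""
    proc = subprocess.run(s_client_argv(host, port, servername),
                          input="Q\n", capture_output=True, text=True, timeout=timeout)
    # s_client prints verify/errno lines on stderr and the session dump on stdout
    return classify_s_client(proc.stdout + proc.stderr)


# Constructed sample: abridged from the failing run quoted in the thread
FAILED_RUN = """CONNECTED(00000005)
---
no peer certificate available
---
SSL handshake has read 0 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Verify return code: 0 (ok)
---
write:errno=104
"""

# Constructed sample: abridged from the working run quoted in the thread
SELF_SIGNED_RUN = """verify error:num=18:self signed certificate
verify return:1
---
SSL handshake has read 1629 bytes and written 421 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Verify return code: 18 (self signed certificate)
---
DONE
"""

if __name__ == "__main__":
    for name, sample in (("failed", FAILED_RUN), ("self_signed", SELF_SIGNED_RUN)):
        print(name, classify_s_client(sample))
```

Running probe() twice against the same host, once with servername set and once with it omitted, and comparing the two verdicts is the quickest way to confirm whether the backend depends on SNI before touching the junction definition.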