Configure TID in Strict FIPS Mode
This document describes how to configure the FIPS version of Tetrate Istio Distribution (TID) to operate in a strict FIPS-compliant mode. To be strictly FIPS compliant, it is a requirement to only support TLS 1.2 connections inside and outside the mesh. This is because FIPS TID uses Google’s BoringCrypto project to perform its cryptographic functions, and the Security Policy only covers TLS 1.2.
Restricting TLS configuration may cause other applications to experience connection issues. Always validate that clients who need to communicate with your applications and gateways can support TLS 1.2 connections before proceeding.
Using COMPLIANCE_POLICY
Istio 1.21 introduces a new environment variable called COMPLIANCE_POLICY
to Istio components for enforcing TLS restriction for compliance with FIPS. This change has been backported to Istio 1.20.x and 1.19.x releases, available from the 1.20.4 and 1.19.8 releases respectively.
When COMPLIANCE_POLICY
environment variable is set to fips-140-2
on the istiod
deployment (pilot), the configuration affects Istio gateways and proxies. Under this setting, the TLS version is restricted to v1.2
and the cipher suites suites are narrowed down to ECDHE-ECDSA-AES128-GCM-SHA256
, ECDHE-RSA-AES128-GCM-SHA256
, ECDHE-ECDSA-AES256-GCM-SHA384
, ECDHE-RSA-AES256-GCM-SHA384
, and ECDH curves is set to P-256
. Please refer to the Istio 1.21 release notes for more details.
Following helm command shows how to set the COMPLIANCE_POLICY
environment variable to fips-140-2
on the istiod
deployment (pilot). Refer to Install FIPS for more details on installing TIS FIPS Istio.
helm upgrade --install istiod tetratelabs/istiod -n istio-system \
--set global.tag=${TAG} \
--set global.hub="fips-containers.istio.tetratelabs.com" \
--set "global.imagePullSecrets[0]=tetrate-tis-creds" \
--set "pilot.env.COMPLIANCE_POLICY=fips-140-2" \
--version ${VERSION} \
--wait
Using EnvoyFilter
To exclude TLS 1.3 for Istio versions lacking COMPLIANCE_POLICY
support, it is necessary to use an EnvoyFilter
to provide fine-grained control over TLS settings. The following sections describe how to configure the internal mTLS and the Gateway TLS to only support TLS 1.2.
Configuring Internal mTLS
Here is an example filter that you can use to configure the internal mTLS to only support TLS 1.2:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: tls-v1-2-only
# Root namespace: https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig-root_namespace.
namespace: <MESH-CONFIG-ROOT-NAMESPACE>
spec:
configPatches:
- applyTo: CLUSTER
match:
context: ANY
patch:
operation: MERGE
value:
transport_socket:
name: envoy.transport_sockets.tls
typed_config:
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
common_tls_context:
tls_params:
tls_maximum_protocol_version: TLSv1_2
tls_minimum_protocol_version: TLSv1_2
cipher_suites:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
- applyTo: FILTER_CHAIN
match:
context: ANY
patch:
operation: MERGE
value:
transport_socket:
name: envoy.transport_sockets.tls
typed_config:
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
common_tls_context:
tls_params:
tls_maximum_protocol_version: TLSv1_2
tls_minimum_protocol_version: TLSv1_2
cipher_suites:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
Validation
To validate the config you can connect to a workload by using OpenSSL CLI within the cluster.
Deploy an image that contains the OpenSSL CLI (for example, nginx
)
kubectl create deployment checker --image=nginx
Try to connect to a workload from within the pod:
kubectl exec -ti <POD-NAME> -- openssl s_client -connect <WORKLOAD-IP:PORT> -tls1_3
When the configuration above is in effect, the connection will fail
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 225 bytes
When the configuration above is somewhat failed to be applied, the connection succeeds
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Configuring Gateway TLS
You can configure Istio Gateways to accept only TLS 1.2 with the following configuration:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: my-istio-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 443
name: https
protocol: HTTPS
hosts:
- "*"
tls:
mode: SIMPLE # Or PASSTHROUGH
credentialName: <CREDENTIAL-NAME> # for SIMPLE
minProtocolVersion: TLSV1_2
maxProtocolVersion: TLSV1_2
cipherSuites:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
Validation
You can use OpenSSL CLI to validate the gateway, similar to the way we validate the internal mTLS:
Try to connect to a gateway:
openssl s_client -connect <GATEWAY-IP:PORT> -tls1_3
When the configuration above is in effect, the connection will fail
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 225 bytes
When the configuration above is somewhat failed to be applied, the connection succeeds
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384