(Assumes ALLOW_ANY mode)
Normally, traffic to external HTTPS services works due to the ALLOW_ANY mode changes we added. However, when an http service is added on port 443 (or any port, but generally this happens on 443), this breaks. This is because we add a new 0.0.0.0_443 listener, which will match everything and direct to routes. This will fail.
To reproduce:
```
curl https://www.google.com # works
```
then
```
cat <<EOF | kaf -
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: https-breaker
spec:
  hosts:
  - wikipedia.org
  location: MESH_EXTERNAL
  ports:
  - number: 443
    name: http
    protocol: HTTP
  resolution: DNS
EOF
```
now
```
$ curl https://www.google.com
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol.
```
One possible idea is to do something similar to protocol sniffing: detect a TLS connection and direct it to the passthrough cluster. This may be possible with the TLS inspector.
Related issues:
- Deploy a service entry with ALLOW_ANY policy set makes all other HTTPs requests fail #16450
- A service configuration can make all the egress HTTPs service inaccessible #14520
- Changes to ingress-gw ports effect outbound traffic #16196
- Port conflict on egress when ALLOW_ALL is used #16331
- Bookinfo with HTTPS external access example is not working #13914
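As an added illustration (not part of the issue or of Istio's own examples), the following shows the ServiceEntry from the reproduction next to the same host declared as HTTPS. The first manifest reproduces the failure: an HTTP port 443 produces a plain-HTTP `0.0.0.0_443` listener that captures every outbound connection to port 443. The second declares the port as HTTPS, so the sidecar builds a TLS listener whose filter chains match on SNI; only `wikipedia.org` is claimed, and other hosts on 443 still fall through to the ALLOW_ANY passthrough cluster. The name `wikipedia-https` is an assumption.

```yaml
# Added example, not from the issue. Two ServiceEntry definitions for the same
# external host; apply one at a time and compare `curl https://www.google.com`.
#
# 1. Reproduces the problem: plain HTTP declared on the TLS port. The resulting
#    0.0.0.0_443 HTTP listener tries to parse every outbound 443 connection as
#    cleartext HTTP, so unrelated TLS traffic (e.g. to google.com) breaks.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: https-breaker            # name taken from the issue
spec:
  hosts:
  - wikipedia.org
  location: MESH_EXTERNAL
  ports:
  - number: 443
    name: http
    protocol: HTTP               # problem: HTTP on 443 captures all TLS egress
  resolution: DNS
---
# 2. Same host declared as HTTPS. The sidecar builds a TLS listener with an
#    SNI-matched filter chain for wikipedia.org; connections to other hosts on
#    443 do not match it and are passed through as before.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: wikipedia-https          # hypothetical name, not from the issue
spec:
  hosts:
  - wikipedia.org
  location: MESH_EXTERNAL
  ports:
  - number: 443
    name: https
    protocol: HTTPS              # TLS port declared as such: SNI routing, no capture
  resolution: DNS
```

To confirm which listener a sidecar actually built for port 443, inspect it with `istioctl proxy-config listener <pod> --port 443 -o json`: with the HTTP variant you will see an HTTP connection manager on `0.0.0.0_443`, with the HTTPS variant a filter chain whose `server_names` match carries `wikipedia.org` plus a default chain pointing at the passthrough cluster.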