Description
Bug description
SubjectAltNames in a Service Entry does not behave as expected. When subjectAltNames is provided, the certificate received from the specified host is not checked for any of the listed SubjectAltNames matching a SAN in the certificate. As a result, certificates are only checked against the host name they are received from.
[ ] Docs
[ ] Installation
[X] Networking
[ ] Performance and Scalability
[ ] Extensions and Telemetry
[ ] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure
[ ] Upgrade
Expected behavior
When SubjectAltNames is used in Service Entries, certificates received by the specified host must contain at least one of the SANs listed or the connection will be refused.
Steps to reproduce the bug
Apply the YAML below and use curl or a similar command to reach en.wikipedia.org/wiki/Main_Page. The connection should be terminated but is not, because the `subjectAltNames: - www.google.com` entry in the Service Entry is not being applied.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: wikipedia
spec:
  hosts:
  - "en.wikipedia.org"
  ports:
  - number: 80
    name: http
    protocol: HTTP
    targetPort: 443
  resolution: DNS
  subjectAltNames:
  - "www.google.com"
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: wikipedia
spec:
  host: en.wikipedia.org
  trafficPolicy:
    tls:
      mode: SIMPLE
```
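The check the report expects from the sidecar, written out as an added example (not Istio or Envoy code): a server certificate must pass the hostname check for the host it was received from and must also carry at least one of the configured subjectAltNames, otherwise the connection is rejected. The certificate is a constructed self-signed stand-in for the one en.wikipedia.org would present; `newTestCert`, `matchesAnySAN` and `checkPeer` are names chosen for this illustration, and wildcard handling relies on Go's `VerifyHostname` rather than on Envoy's own SAN matcher.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newTestCert builds a self-signed certificate carrying the given DNS SANs.
// Constructed test data: it stands in for the certificate a remote host
// presents during the TLS handshake.
func newTestCert(dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "test-server"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// matchesAnySAN reports whether the certificate satisfies at least one of the
// configured subjectAltNames. Wildcard SANs in the certificate
// (*.wikipedia.org) are honoured through VerifyHostname. An empty list means
// no SAN restriction was configured.
func matchesAnySAN(cert *x509.Certificate, allowed []string) bool {
	if len(allowed) == 0 {
		return true
	}
	for _, name := range allowed {
		if cert.VerifyHostname(name) == nil {
			return true
		}
	}
	return false
}

// checkPeer applies both checks the ServiceEntry in the report expects:
// the hostname check alone is not sufficient when subjectAltNames is set.
func checkPeer(cert *x509.Certificate, host string, allowedSANs []string) error {
	if err := cert.VerifyHostname(host); err != nil {
		return fmt.Errorf("hostname check failed: %w", err)
	}
	if !matchesAnySAN(cert, allowedSANs) {
		return fmt.Errorf("certificate SANs %v contain none of the configured subjectAltNames %v",
			cert.DNSNames, allowedSANs)
	}
	return nil
}

func main() {
	// Constructed stand-in for the certificate served by en.wikipedia.org.
	cert, err := newTestCert([]string{"en.wikipedia.org", "*.wikipedia.org"})
	if err != nil {
		panic(err)
	}
	// The report's configuration: host en.wikipedia.org, subjectAltNames www.google.com.
	// Expected outcome is a rejection.
	fmt.Println("misconfigured SAN:", checkPeer(cert, "en.wikipedia.org", []string{"www.google.com"}))
	// A SAN list that matches the served certificate passes.
	fmt.Println("matching SAN:", checkPeer(cert, "en.wikipedia.org", []string{"en.wikipedia.org"}))
}
```

The first call is the situation in the report: the hostname check passes, so a sidecar that stops there accepts the connection, while the SAN check correctly fails. Rejecting on that second check is the behaviour described under "Expected behavior".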
Version (include the output of istioctl version --remote and kubectl version --short and helm version --short if you used Helm)
istio version
client version: 1.9.1
control plane version: 1.9.1
data plane version: 1.9.1
kubectl
Client Version: v1.20.4-dirty
Server Version: v1.19.6-eks-49a6c0
How was Istio installed?
istioctl
Environment where the bug was observed (cloud vendor, OS, etc)
Cloud environment (EKS)
Additionally, please consider running istioctl bug-report and attach the generated cluster-state tarball to this issue.
Refer cluster state archive for more details.