I am using Istio in Ambient mode. I have installed Istio (base, istiod, cni, ztunnel) version 1.23.0 using helm charts. So far everything works fine.
My application requires that TLS communications are FIPS compliant. So, I set 'COMPLIANCE_POLICY=fips-140-2' to make Istio FIPS compliant. Now the Ztunnel won't start as this cannot connect to istiod. This keeps giving me the following error message:
2024-09-09T07:44:21.037278Z warn xds::client:xds{id=73} XDS client connection error: gRPC connection error connecting to https://istiod.istio-system.svc:15012: status: Unknown, message: "client error (Connect)", source: received fatal alert: ProtocolVersion, retrying in 15s
Looks like there is a Protocol Version mismatch between istiod and ztunnel.
What should I do to fix this issue?
What should I do to make Ztunnel FIPS compliant?
Do I need to compile ztunnel with build arguments that use BoringSSL?
I tried to look up Docker Hub, but didn't find any ztunnel image variant that has BoringSSL. Your help is much appreciated.
This is due to istio/istio#52926 not being done. COMPLIANCE_POLICY makes istiod only accept 1.2, but ztunnel only accepts 1.3, so currently there is a mismatch.
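Added example (not from the issue, and not istiod or ztunnel code): a minimal model of the mismatch described in the comment above, with Go's crypto/tls standing in for both ends over an in-memory pipe. The function names, the version pins and the throwaway self-signed certificate are assumptions made for the demo; it shows that a TLS 1.2-only server answers a TLS 1.3-only client with a `protocol_version` alert, while a client that also allows 1.2 connects.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// throwawayCert builds a self-signed certificate used only by this in-memory demo.
func throwawayCert() tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// negotiate runs one handshake over an in-memory pipe and returns the version the client sees.
// InsecureSkipVerify is set because only version negotiation is under test and the cert is a throwaway.
func negotiate(srvMin, srvMax, cliMin, cliMax uint16) (uint16, error) {
	c, s := net.Pipe()
	defer c.Close()
	defer s.Close()
	srv := tls.Server(s, &tls.Config{Certificates: []tls.Certificate{throwawayCert()}, MinVersion: srvMin, MaxVersion: srvMax})
	go srv.Handshake() // server-side result is not needed; the client observes the alert
	cli := tls.Client(c, &tls.Config{InsecureSkipVerify: true, MinVersion: cliMin, MaxVersion: cliMax})
	if err := cli.Handshake(); err != nil {
		return 0, fmt.Errorf("handshake failed: %w", err)
	}
	return cli.ConnectionState().Version, nil
}

func main() {
	// Constructed scenario from the thread: server pinned to TLS 1.2, client pinned to TLS 1.3.
	_, err := negotiate(tls.VersionTLS12, tls.VersionTLS12, tls.VersionTLS13, tls.VersionTLS13)
	fmt.Println("1.2-only server, 1.3-only client:", err)
	v, err := negotiate(tls.VersionTLS12, tls.VersionTLS12, tls.VersionTLS12, tls.VersionTLS13)
	fmt.Printf("1.2-only server, 1.2+1.3 client: version=0x%04x err=%v\n", v, err)
}
```

The first call fails with the same alert class that appears in the ztunnel log line (`ProtocolVersion`); the second negotiates TLS 1.2 (0x0303).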