UNCLASSIFIED - NO CUI

Istio allows old versions of TLS to be used

Environment:

  • Big Bang Core v1.37.0 (which uses Istio v1.13.4)
  • Istio enabled
  • Some hosts configured in the "public" IngressGateway, but otherwise keeping the Big Bang defaults.

What I saw:

A pen test on my environment found that old versions of TLS were accepted by the system.

What I expected:

When deploying Big Bang, by default the system would only accept traffic to the default "public" IngressGateway using at least TLS v1.2 or better, preferably TLS v1.3 or better.

Severity:

High. Due to this finding I'm prevented from deploying my environment by an external Security/Compliance process, which I need in order to properly transition away from DI2E, which goes read-only on August 1.

Alternatives Investigated:

  • A postRenderer that will do a patchesStrategicMerge to the IstioOperator to add

    spec:
      meshConfig:
        meshMTLS:
          minProtocolVersion: TLSV1_3

    won't work because that parameter was added in Istio v1.14, which is not available in Big Bang, the Istio chart, or Iron Bank

  • A postRenderer that will do a patchesStrategicMerge to the Gateway to add tlsProtocol: TLSV1_3 to spec.servers[n].tls, but the postRenderer will be very messy, since the change has to happen inside an array item, which means either a JSONPatch, a full replacement of the array, or perhaps the whole resource. This is the current path I'm about to take, but I still believe that this should happen by default.

Additional Context:

This Helm chart hard-codes the tls: section, which makes this really difficult to resolve... it should be made into a configurable section in the values.yaml file.


Edited by Andy Roth
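Editor's note, as an added example (not code from the issue author, the Big Bang chart, or Istio): the second alternative above, the array-item patch on the rendered Gateway, written as a Flux HelmRelease postRenderer supplied through the Big Bang `istio.postRenderers` value. The Istio Gateway field that sets a protocol floor in `spec.servers[n].tls` is `minProtocolVersion` (an Istio ServerTLSSettings field present in the 1.13 API), with values `TLSV1_0` through `TLSV1_3`. Assumptions in the example: the rendered Gateway is named `public` in namespace `istio-system`, and `spec.servers[0]` is the HTTPS server that already carries a `tls:` block; check both with `kubectl get gateway -n istio-system public -o yaml` and adjust the name and index to what your environment actually renders.

```yaml
# Added example, not part of the original issue or the Big Bang chart.
# Big Bang values override: a Flux postRenderer that raises the TLS floor on the
# rendered "public" Gateway without replacing the whole servers array.
# Assumptions: Gateway name "public", namespace "istio-system", and servers[0]
# is the HTTPS server with an existing tls: block.
istio:
  postRenderers:
    - kustomize:
        patches:
          - target:
              group: networking.istio.io
              version: v1beta1
              kind: Gateway
              name: public
              namespace: istio-system
            # RFC 6902 (JSON patch) ops; kustomize applies them to the selected object.
            patch: |
              # Add the floor inside the existing tls block of the HTTPS server.
              # TLSV1_2 is the usual compliance minimum if some clients cannot
              # negotiate TLS 1.3; the issue asks for TLSV1_3.
              - op: add
                path: /spec/servers/0/tls/minProtocolVersion
                value: TLSV1_3
              # One op per HTTPS server is needed (e.g. /spec/servers/1/tls/...).
              # A plain-HTTP redirect server has no tls block, and "add" into a
              # missing parent fails, so index only the servers that carry tls.
```

After reconciliation, confirm the patch landed (`kubectl get gateway -n istio-system public -o jsonpath='{.spec.servers[*].tls.minProtocolVersion}'`) and then re-run the check the pentest made: `openssl s_client -connect <host>:443 -tls1_1 </dev/null` should now fail with a handshake alert, while `-tls1_3` (or `-tls1_2`, if that floor was chosen) still completes. Because the Gateway only governs the ingress listener, this does not change the mesh-internal mTLS floor, which is the separate `meshConfig` setting the first alternative discusses.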