If you are getting curl: (35) Unknown SSL protocol error when setting up ServiceEntry using istio make sure you have used correct configuration. Following is a correct example of setting external service entry.

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: external-svc
  namespace: istio-system
spec:
  hosts:
  - "google.com"
  - "www.google.com"
  ports:
  - name: https
    number: 443
    protocol: HTTPS
  location: MESH_EXTERNAL

To verify it is set properly run following command:

  kubectl -n istio-system get se

If you can see your configured ServiceEntry you are good to go. You can now try following:

  kubectl exec -it YOUR_POD -c YOUR_CONTAINER -- curl https://google.com

Hope this helps.