
We have multiple standard app engine projects that needs restriction on the tls version (>= 1.2), is there a setting to change that through the console?


To change the supported TLS versions requires an SSL policy. SSL policies can only be applied to HTTP(S) Load Balancers and SSL Proxy Load Balancers.

You can create an HTTP(S) Load Balancer and a backend configured for App Engine. That is the only method to change supported TLS versions.

[Update 2023-08-06]

See the answer by @intotecho about using a constraint.

Restrict TLS versions

  • Thx, I've seen people saying opening a ticket to gcp would allow them to make the changes, do you have any information confirming that?
    – I-SF
    May 26, 2021 at 19:33
  • I am not aware of Google Support supporting manual changes to TLS for App Engine. I do not actually know for sure, but I doubt it based upon internal knowledge. If you have a reference, I will look into this. May 26, 2021 at 21:30
  • @JohnHanley The ability to configure TLS minimum versions is alluded to in a google app engine group discussion at groups.google.com/g/google-appengine/c/W-RSgayAb_I/m/… I'm assuming that is out of date.
    – Mark
    Sep 26, 2022 at 4:38

There's now a way to restrict TLS Versions by Organization Policy without configuring a Load Balancer: Policy for Restrict TLS Versions

You need roles/orgpolicy.policyAdmin to configure it.

https://console.cloud.google.com/iam-admin/orgpolicies?

The policy covers appengine.googleapis.com and many Google APIs.

In the next few quarters,

"The App Engine frontend will be "secure by default" (tentatively, this means TLS1.2+ and aligning with the Cloud Load-balancing Modern profile) ref

As @beano commented, and my testing confirms, this doesn't work for App Engine (yet). But it does work for Cloud Storage.

"Using an Organization Policy as a way of restricting TLS versions does not apply to App Engine, Cloud Functions, Cloud Run and custom domains. See restricted services."

EDIT - App Engine is possibly blocking TLS1.1 now!

Testing today (Sept 15 2023), App Engine does seem to be blocking TLS1.1.

function test_tls_protocol_version() {
  if [ $# -lt 3 ]
  then
    echo "Error in arguments"
    echo "usage:  $0 TLS version bearer url"
    echo "version=$1"
    echo "bearer=$2"
    echo "url=$3"
    # return rather than exit: exit would terminate the shell this function was sourced into
    return 1
  fi
  version="$1"
  bearer="$2"
  url="$3"

  echo Testing TLS Version $'\033[33;5m'$version$'\033[0m' on site: $'\033[33;5m'$url$'\033[0m'
  # pin both the minimum and maximum protocol version so only $version is offered
  curl -X GET -H "Authorization: Bearer $bearer" "$url" --tlsv"$version" --tls-max "$version"
}

testing with:

test_tls_protocol_version 1.1 $ndpe_uat_bearer "https://<project>.ey.r.appspot.com"

results in

curl: (35) error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available

while 1.2 is returning a result.

However, the results of openssl are inconclusive. This is the test used by Qualys.

openssl s_client -connect <project_id>.ey.r.appspot.com:443 -tls1
openssl s_client -connect <project_id>.ey.r.appspot.com:443 -tls1_1
openssl s_client -connect <project_id>.ey.r.appspot.com:443 -tls1_2

All give similar results, compared with say microsoft.com

openssl s_client -connect microsoft.com:443 -tls1_1
openssl s_client -connect microsoft.com:443 -tls1_2
  • Thank you for adding an answer about the restrictTLSVersion constraint. Aug 7 at 2:33
  • Using an Organization Policy as a way of restricting TLS versions does not apply to App Engine, Cloud Functions, Cloud Run and custom domains. See restricted services. We also put in a support request to GCP to see whether they can set the minimum without a Load Balancer but they refused to do it (although they have done it for others) and said a Load Balancer was the only option. Hopefully they set the minimum by default in these services soon, otherwise we have no choice but to move to AWS.
    – beano
    Aug 19 at 23:13
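An added example (not from this answer, Google, or Qualys) of how to verify a minimum-TLS-version restriction in a way that separates a server rejection from a client that could not even offer the version: each handshake is pinned to exactly one protocol version and the negotiated version is read back from the socket. The host name is a placeholder; the `handshake` parameter exists so the logic can be exercised offline with a stand-in.

```python
import socket
import ssl

# TLS versions a minimum-version check cares about, oldest first.
VERSIONS = {
    "1.0": ssl.TLSVersion.TLSv1,
    "1.1": ssl.TLSVersion.TLSv1_1,
    "1.2": ssl.TLSVersion.TLSv1_2,
    "1.3": ssl.TLSVersion.TLSv1_3,
}


def tls_handshake(host, port, version, timeout=5.0):
    """Handshake with host:port offering exactly one protocol version.

    Returns the version the server negotiated (e.g. "TLSv1.2") or raises
    ssl.SSLError. SECLEVEL=0 lowers the *client's* OpenSSL security level so
    the probe can offer TLS 1.0/1.1 at all; many distributions' default level
    refuses to, which surfaces as "no protocols available" before anything is
    sent and says nothing about the server.
    """
    ctx = ssl.create_default_context()
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    ctx.minimum_version = version
    ctx.maximum_version = version
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


def classify(attempt):
    """Run one handshake attempt and label the outcome.

    'accepted:<negotiated>' if the server completed the handshake, 'rejected'
    if it refused the version, 'inconclusive' if the local client could not
    offer it (a client-side problem, not evidence about the server).
    """
    try:
        return "accepted:" + attempt()
    except ssl.SSLError as exc:
        if "NO_PROTOCOLS_AVAILABLE" in str(exc).upper():
            return "inconclusive"
        return "rejected"
    except ValueError:  # context refused the version (e.g. not compiled in)
        return "inconclusive"


def probe(host, port=443, handshake=tls_handshake):
    """Probe every version in VERSIONS; returns {"1.0": status, ...}."""
    return {label: classify(lambda v=ver: handshake(host, port, v))
            for label, ver in VERSIONS.items()}


def minimum_accepted(results):
    """Lowest TLS version the server accepted, or None if it accepted none."""
    for label in VERSIONS:
        if results[label].startswith("accepted:"):
            return label
    return None
```

Run `probe("<project>.ey.r.appspot.com")` against a real endpoint; an "inconclusive" entry means the client's OpenSSL configuration, not the server, blocked the attempt.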
