4

We have multiple standard App Engine projects that need a restriction on the TLS version (>= 1.2). Is there a setting to change that through the console?

I-SF
  • 41

3 Answers

2

To change the supported TLS versions requires an SSL policy. SSL policies can only be applied to HTTP(S) Load Balancers and SSL Proxy Load Balancers.

You can create an HTTP(S) Load Balancer and a backend configured for App Engine. That is the only method to change supported TLS versions.

[Update 2023-08-06]

See the answer by @intotecho about using a constraint.

Restrict TLS versions

John Hanley
  • 5,164
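The load-balancer route described in the answer above, spelled out as gcloud commands. This is an added example, not code from the answer or from Google; the resource names (tls12-policy, appengine-neg, appengine-backend), the project id, the region and the domain are placeholders chosen here. The minimum TLS version lives only on the SSL policy, which is attached to the target HTTPS proxy; the serverless NEG is what points the backend service at the App Engine app.

```shell
#!/bin/sh
# Added example (not from the answer above): put a global external HTTPS load balancer in
# front of an App Engine app and attach an SSL policy with a TLS 1.2 floor to its proxy.
# Resource names, the project id, the region and the domain are placeholders chosen here.
set -eu

PROJECT="${PROJECT:-my-project}"       # assumed project id
REGION="${REGION:-us-central1}"        # region the App Engine app lives in (serverless NEGs are regional)
DOMAIN="${DOMAIN:-app.example.com}"    # assumed custom domain for the Google-managed certificate

# run: execute a command, or only print it when DRY_RUN=1 so the plan can be reviewed first.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# The SSL policy is the only object that carries the minimum TLS version.
create_ssl_policy() {  # create_ssl_policy NAME MIN_VERSION
  run gcloud compute ssl-policies create "$1" \
    --profile=MODERN --min-tls-version="$2" --project="$PROJECT"
}

# Serverless NEG that targets the App Engine app, wrapped in a global backend service
# (no health check is needed for serverless backends).
create_app_engine_backend() {  # create_app_engine_backend NEG_NAME BACKEND_NAME
  run gcloud compute network-endpoint-groups create "$1" --region="$REGION" \
    --network-endpoint-type=serverless --app-engine-app --project="$PROJECT"
  run gcloud compute backend-services create "$2" --global --project="$PROJECT"
  run gcloud compute backend-services add-backend "$2" --global \
    --network-endpoint-group="$1" --network-endpoint-group-region="$REGION" --project="$PROJECT"
}

# URL map -> target HTTPS proxy (the policy attaches here) -> forwarding rule on :443.
create_frontend() {  # create_frontend BACKEND_NAME POLICY_NAME
  run gcloud compute url-maps create "$1-urlmap" --default-service="$1" --project="$PROJECT"
  run gcloud compute ssl-certificates create "$1-cert" --domains="$DOMAIN" --global --project="$PROJECT"
  run gcloud compute target-https-proxies create "$1-proxy" --url-map="$1-urlmap" \
    --ssl-certificates="$1-cert" --ssl-policy="$2" --project="$PROJECT"
  run gcloud compute forwarding-rules create "$1-https" --global \
    --target-https-proxy="$1-proxy" --ports=443 --project="$PROJECT"
}

# The policy only covers traffic that enters through the load balancer; the *.appspot.com
# front end still accepts whatever App Engine accepts. Ingress settings close that side door.
restrict_ingress() {  # restrict_ingress SERVICE
  run gcloud app services update "$1" --ingress=internal-and-cloud-load-balancing --project="$PROJECT"
}

# Read back what is actually enforced.
show_min_tls() {  # show_min_tls POLICY_NAME
  run gcloud compute ssl-policies describe "$1" --format='value(minTlsVersion,profile)' --project="$PROJECT"
}

main() {
  create_ssl_policy tls12-policy 1.2
  create_app_engine_backend appengine-neg appengine-backend
  create_frontend appengine-backend tls12-policy
  restrict_ingress default
  show_min_tls tls12-policy
}

# Runs only when asked, e.g.:  DRY_RUN=1 sh lb_tls12.sh apply   (preview)   or   sh lb_tls12.sh apply
if [ "${1:-}" = "apply" ]; then
  main
fi
```

Point clients at the load balancer's address (or the custom domain on the managed certificate), not at the *.appspot.com name; the ingress setting is what stops someone from simply bypassing the policy by going to the default front end directly.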
2

There's now a way to restrict TLS Versions by Organization Policy without configuring a Load Balancer: Policy for Restrict TLS Versions

You need roles/orgpolicy.policyAdmin to configure it.

https://console.cloud.google.com/iam-admin/orgpolicies?

The policy covers appengine.googleapis.com and many Google APIs.

In the next few quarters,

"The App Engine frontend will be 'secure by default' (tentatively, this means TLS1.2+ and aligning with the Cloud Load-balancing Modern profile)" ref

As @beano commented, and my testing confirms, this doesn't work for App Engine (yet). But it does work for Cloud Storage.

"Using an Organization Policy as a way of restricting TLS versions does not apply to App Engine, Cloud Functions, Cloud Run and custom domains. See restricted services."

EDIT - App Engine is possibly blocking TLS1.1 now!

Testing today (Sept 15 2023), App Engine does seem to be blocking TLS1.1

function test_tls_protocol_version() {
  if [ $# -lt 3 ]
  then
    echo "Error in arguments"
    echo "usage:  test_tls_protocol_version version bearer url"
    echo "version=$1"
    echo "bearer=$2"
    echo "url=$3"
    return 1   # return, not exit: exit would close the shell this function is sourced into
  fi
  version="$1"
  bearer="$2"
  url="$3"

  echo Testing TLS Version $'\033[33;5m'$version$'\033[0m' on site: $'\033[33;5m'$url$'\033[0m'
  # pin both the floor and the ceiling so curl offers exactly one protocol version
  curl -X GET -H "Authorization: Bearer $bearer" "$url" --tlsv"$version" --tls-max "$version"
}

testing with:

test_tls_protocol_version 1.1 $ndpe_uat_bearer "https://<project>.ey.r.appspot.com"

results in

curl: (35) error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available

while 1.2 is returning a result.

However, the results of openssl are inconclusive. This is the test used by Qualys.

openssl s_client -connect <project_id>.ey.r.appspot.com:443 -tls1
openssl s_client -connect <project_id>.ey.r.appspot.com:443 -tls1_1
openssl s_client -connect <project_id>.ey.r.appspot.com:443 -tls1_2

All give similar results, compared with, say, microsoft.com:

openssl s_client -connect microsoft.com:443 -tls1_1
openssl s_client -connect microsoft.com:443 -tls1_2
intotecho
  • 133
0

2025 update:

Google have just added support for minimum TLS version. See Minimum TLS version for google cloud standard app engine projects

You can find the setting in https://console.cloud.google.com/appengine/settings

[image: minimum TLS setting in App Engine settings]

That being said, I updated mine 2 days ago and it still doesn't appear to have taken effect yet according to an online TLS checker...
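Both @intotecho's curl/openssl testing and the 2025 update above come down to the same question: is the server refusing TLS 1.0/1.1, or is the client simply not offering it? The curl error quoted above, `tls_construct_client_hello:no protocols available`, is raised by the local OpenSSL while building the ClientHello (the configured MinProtocol or security level leaves no version to offer), so it is reached before anything is sent and says nothing about what the server accepts. The script below is an added example, not code from any answer on this page: it runs `openssl s_client` with one pinned version, classifies the transcript into negotiated / rejected / client_unsupported, and walks the versions below a chosen floor. The host names are placeholders and the sample transcripts are constructed, modelled on the shape of OpenSSL 3.x output, so the classifier can be checked offline.

```shell
#!/bin/sh
# Added example (not from any answer on this page): probe one TLS version against a host
# and classify the outcome, so "the server refused it" is not confused with "my own
# OpenSSL will not offer it". Host names are placeholders; the sample transcripts are constructed.
set -eu

# classify_tls_output: read an `openssl s_client` transcript on stdin and print one word:
#   client_unsupported  the local OpenSSL refused to offer that version (MinProtocol/seclevel
#                       in openssl.cnf); the error is raised before any bytes reach the server
#   negotiated          the server accepted the version and picked a cipher
#   rejected            the server answered with an alert, or closed the connection, during the handshake
#   unknown             none of the known patterns matched
classify_tls_output() {
  out="$(cat)"
  if printf '%s\n' "$out" | grep -Eq 'no protocols available|unsupported protocol'; then
    echo client_unsupported
  elif printf '%s\n' "$out" | grep -Eq '^New, TLSv1\.[0-3], Cipher is [A-Z0-9_-]+'; then
    echo negotiated
  elif printf '%s\n' "$out" | grep -Eq 'alert (handshake failure|protocol version|internal error)|wrong version number|unexpected eof|Cipher is \(NONE\)'; then
    echo rejected
  else
    echo unknown
  fi
}

# probe_tls HOST VERSION    VERSION is an openssl flag suffix: 1, 1_1, 1_2 or 1_3
probe_tls() {
  # -servername sends SNI, which Google front ends need to select a certificate;
  # stderr is merged because OpenSSL prints handshake errors there; </dev/null ends the session.
  openssl s_client -connect "$1:443" -servername "$1" "-tls$2" </dev/null 2>&1 | classify_tls_output
}

# min_tls_enforced HOST MIN    e.g. min_tls_enforced my-project.ey.r.appspot.com 1_2
# Exit 0 only if every version below MIN was rejected by the server and MIN itself negotiated;
# exit 2 if a lower version could not even be offered locally (inconclusive: retest from a
# client whose openssl.cnf still allows it); exit 1 otherwise.
min_tls_enforced() {
  host="$1"; min="$2"; below=1; status=0
  for ver in 1 1_1 1_2 1_3; do
    result="$(probe_tls "$host" "$ver")"
    printf 'TLS%s: %s\n' "$(echo "$ver" | tr _ .)" "$result"
    if [ "$ver" = "$min" ]; then
      below=0
      [ "$result" = negotiated ] || status=1
    elif [ "$below" = 1 ]; then
      case "$result" in
        rejected) ;;
        client_unsupported) [ "$status" = 1 ] || status=2 ;;
        *) status=1 ;;
      esac
    fi
  done
  return "$status"
}

# Constructed transcripts, abbreviated from the shape of real OpenSSL 3.x output, for offline checks.
sample_negotiated() {
  cat <<'EOF'
CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
---
EOF
}
sample_rejected() {
  cat <<'EOF'
CONNECTED(00000003)
40B7C1F5A37F0000:error:0A00042E:SSL routines::tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1586:SSL alert number 70
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
EOF
}
sample_client_unsupported() {
  cat <<'EOF'
40B7C1F5A37F0000:error:0A0000BF:SSL routines::no protocols available:ssl/statem/statem_clnt.c:1240:
EOF
}

# Runs a live probe only when given a host and a floor, e.g.:  sh tls_probe.sh my-project.ey.r.appspot.com 1_2
if [ $# -ge 2 ]; then
  min_tls_enforced "$1" "$2"
fi
```

If a run reports client_unsupported for TLS 1.0 or 1.1, the machine doing the testing is the limiting factor, not the server; repeat it from a client with an openssl.cnf that still allows those versions (or from a hosted scanner), otherwise an exit status of 2 is all this can honestly report.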