Weak SSL/TLS Configuration


Rajesh Gupta

Sep 3, 2019, 9:54:17 AM
to google-a...@googlegroups.com
Hello,

Recently, we got a security review done by company X, and they pointed out the weak server-side SSL/TLS configuration.
The following tool was used:
sslyze.exe --tlsv1 --tlsv1_1 --tlsv1_2 --hide_rejected_ciphers 

Please see the output

[attached image: image.png]

Following was recommended

The server-side TLS endpoint's configuration should be updated to allow only TLSv1.2 connections with cipher suites that use:
• Ephemeral Diffie-Hellman for key exchange (optionally, allow RSA for key exchange if necessary for supporting some clients) 
• Block ciphers with key lengths of at least 128 bits (AES-128 and AES-256) 
• Block ciphers in GCM mode. 

What should be done from my end?

- eng-team
Field Service Software on Google Cloud Platform and Mobile
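The three criteria in the recommendation above can be checked mechanically. The following is an added example, not code from this thread or from Google: it scores an sslyze-style list of accepted cipher suites against the policy (TLSv1.2 only, ephemeral DH key exchange, AES-128/256 in GCM mode) and, for an endpoint you operate yourself, builds a server-side `ssl.SSLContext` that enforces the same policy. The scan data is constructed, not the poster's real output.

```python
# Score sslyze-style "accepted cipher suite" names against the reviewer's policy.
import ssl

# Constructed sample shaped like sslyze's per-protocol output (not the real scan).
SAMPLE_SCAN = {
    "TLSv1.0": ["AES128-SHA", "ECDHE-RSA-AES256-SHA"],
    "TLSv1.1": ["AES256-SHA"],
    "TLSv1.2": [
        "ECDHE-RSA-AES128-GCM-SHA256",
        "DHE-RSA-AES256-GCM-SHA384",
        "ECDHE-RSA-AES128-SHA256",      # CBC mode, fails the GCM requirement
        "AES128-GCM-SHA256",            # static RSA key exchange, no forward secrecy
        "ECDHE-RSA-CHACHA20-POLY1305",  # AEAD, but not an AES block cipher
    ],
}

def check_suite(name, allow_rsa_kx=False):
    """Return the list of policy violations for one OpenSSL-style suite name."""
    tokens = name.split("-")
    problems = []
    if tokens[0] in ("ECDHE", "DHE"):
        pass                                    # ephemeral (EC)DH: compliant
    elif tokens[0] in ("AES128", "AES256"):     # OpenSSL omits "RSA" for static RSA kx
        if not allow_rsa_kx:
            problems.append("static RSA key exchange (no forward secrecy)")
    else:
        problems.append("key exchange is not ephemeral DH")
    if not any(t in ("AES128", "AES256") for t in tokens):
        problems.append("bulk cipher is not AES-128/AES-256")
    if "GCM" not in tokens:
        problems.append("block cipher mode is not GCM")
    return problems

def check_scan(scan, allow_rsa_kx=False):
    """Map each accepted suite to its violations; anything on TLS 1.0/1.1 fails outright."""
    findings = {}
    for proto, suites in scan.items():
        for suite in suites:
            issues = [f"{proto} must be disabled"] if proto != "TLSv1.2" else []
            issues += check_suite(suite, allow_rsa_kx)
            if issues:
                findings[f"{proto} {suite}"] = issues
    return findings

def hardened_context(allow_rsa_kx=False):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # refuse TLS 1.0 and 1.1 handshakes
    # OpenSSL cipher-string syntax: ephemeral key exchange + AES-GCM only
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM" + (":kRSA+AESGCM" if allow_rsa_kx else ""))
    return ctx
```

`check_scan(SAMPLE_SCAN)` flags six of the eight sample suites; passing `allow_rsa_kx=True` models the reviewer's optional exception for static RSA clients.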


Diogo Almeida

Sep 3, 2019, 11:24:54 AM
to Google App Engine
You need to have TLS 1.2 enforced and all the other TLS ciphers disabled on your app domain. If you have your application deployed on App Engine, we can help with that. However, you will need to open a case with us, whether you have a free or paid support package [1][2], informing us of the project ID and impacted domain(s) so that we can handle this privately.

Rajesh Gupta

Sep 4, 2019, 4:03:08 AM
to google-a...@googlegroups.com
We are not able to open a case based on the above links.
There is always a message about the 'organisation resource'. The organization is also enabled. Tried several links and enabled a 'role based' account also.
There is already a billing account attached to the project.

Is a private issue tracker OK?

--
You received this message because you are subscribed to the Google Groups "Google App Engine" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-appengi...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/5e0e236e-ab7a-4a09-ab69-b5397b9b1a46%40googlegroups.com.

Diogo Almeida

Sep 4, 2019, 11:33:31 AM
to Google App Engine
If you have not been able to file a case after setting up the role based support, I suggest you contact the Billing team to make sure that everything is OK with your account. If no action is needed on their part, they will route the case to technical support and we will be able to help you. I also recommend you check this document, which goes over how to get technical and billing support.

The issue tracker isn’t the right support channel for this case either, as it is meant to report known issues and feature requests.


Diogo Almeida

Sep 4, 2019, 1:19:52 PM
to Google App Engine
Hello Rajesh,

While you discuss with the Billing team anything that needs to be resolved in your account, I decided to open the following private issue tracker, so that we can work together with the App Engine product team to resolve your issue.

Please go to the issue tracker here and provide the information I requested there.

Looking forward to your updates there.

