How to disable TLS 1.0 and 1.1 with Basic Support plan?

[Tobias Binna]

We have an app running on App Engine Standard and have a requirement to disable TLS 1.0 and 1.1.

I read in several places [1][2][3] that we can contact support to help with this however, it seems we are currently on the basic plan which does not allow me to open any support cases for technical issues.

Is there any way we can get help with this without subscribing for a $100/user/month support plan?

Thanks in advance!

[Katayoon (Cloud Platform Support)]

Hi Tobias,

As explained in this public documentation, the recommended solution for managing TLS versions and cipher suites is using Google Cloud Load Balancer (GCLB) with Serverless NEGs , so that you can define a SSL security policy to restrict the TLS versions and cipher suites used. You may also take a look at the GCLB documentation describing TLS version and cipher support and directions for configuring SSL policies.

If you choose not to utilize GCLB and use your GAE domains types, Cloud Support is able to make changes to the TLS versions and cipher suites. However, you need to send your request via your support package.

[Tobias Binna]

Thank you for all the details, Katayoon!

We are not using GCLB and would like to contact support to make changes to the TLS version and cipher suites. However, we are on the basic/free support role which does not allow me to open a case for this.

So my question is if there is any other way we can contact support or get help with this? Or would we have to subscribe to the smallest $100 package just for this single request?

Thanks,

Tobias

[alfio]

Hello,

The only way to make changes to the TLS version and cipher suites of your App Engine domain is to create a ticket in your Google Cloud Console Home -> Main Menu -> Support tab. What my colleague was expressing was that If you do not have access to the appropriate support package, you may use GCLB to set the appropriate TLS and cipher configuarations and route traffic to your app appropriately. Effectively bypassing the need for support and giving you full control over your TLS and cipher configuration.

[Tobias Binna]

Thank you for the clarification, Alfio.

So the answer would be if I am on the free/basic package there is no way to get support to change this.

The alternatives are to subscribe for a support package or to set up a GCLB.

[Tobias Binna]

Just one more update if anyone else lands here in the future: I think some new billing plans just rolled out so there is now a plan for $29 + 3% of net spend which seems more feasible for us. https://cloud.google.com/support