Disabling TLS 1.0


Patrice B

Jul 15, 2021, 11:14:56 AM
to Google App Engine

June 2018 was the deadline for discontinuing the use of TLS 1.0 (https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls), and after that date numerous audit tools flag the use of TLS 1.0 and 1.1 in alerts.
It is now July 2021, 3 years past the deadline, and it seems App Engine is still using both. A number of GAE users have asked how disabling old TLS versions could be achieved, but the answers they got are not quite satisfactory.
Some say "you should create a ticket with GCP, but you will have to have a support subscription first" (https://serverfault.com/questions/1003762/how-to-disable-tls-1-0-for-google-app-engine or https://stackoverflow.com/questions/58073141/how-to-update-tls-version).
Others say the solution is to set up an SSL policy, which would only be possible after using Cloud Load Balancing and serverless NEGs. That would be a lot of trouble, plus added costs, for the sole purpose of making our GAE-based application compliant with 2018 guidelines.
But this is just end-user advice given on SO; I would be happy to get the official word from GCP on that matter. It is quite unusual to see GAE being 3 years late on a security-related issue.
Thank you for your input,

Stefano Ciccarelli

Jul 15, 2021, 11:31:03 AM
to Google App Engine
The serverless NEGs are a good solution that we investigated, not only for security purposes. The real problem we have encountered is that serverless NEGs have a non-customizable default 30-second timeout, and this is a real stopper for our use cases.

David (Cloud Platform Support)

Jul 16, 2021, 4:05:07 PM
to Google App Engine

Hello,

In the past, to update your TLS version, you needed to create a ticket with GCP support. However, right now, the recommended approach by GCP is to use Cloud Load Balancing and serverless NEGs. Please review this page for more information. You do not need to create a ticket anymore.
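The load-balancer route that the reply above recommends, written out as an added example (not from this thread, and not Google's own scripts): a global SSL policy with a TLS 1.2 minimum placed in front of the App Engine app through a serverless NEG, plus a check that parses `openssl s_client` output to confirm TLS 1.0 and 1.1 are refused. Region, domain and resource names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes gcloud is authenticated against
# the project that hosts the App Engine app and that DOMAIN's DNS will be
# pointed at the new load balancer address. All resource names are placeholders.
set -eu

REGION="${REGION:-us-central1}"        # placeholder: region of the GAE app
DOMAIN="${DOMAIN:-app.example.com}"    # placeholder: hostname served by the LB

# Builds the front end whose SSL policy rejects TLS 1.0/1.1. App Engine's own
# front end does not expose this setting; the HTTPS proxy applies it instead.
create_tls12_frontend() {
  # 1. SSL policy: MODERN profile, minimum TLS 1.2.
  gcloud compute ssl-policies create gae-tls12-only --global \
      --profile=MODERN --min-tls-version=1.2
  # 2. Serverless NEG pointing at the default App Engine app in REGION.
  gcloud compute network-endpoint-groups create gae-neg --region="$REGION" \
      --network-endpoint-type=serverless --app-engine-app
  # 3. Backend service whose only backend is that NEG.
  gcloud compute backend-services create gae-backend --global \
      --load-balancing-scheme=EXTERNAL
  gcloud compute backend-services add-backend gae-backend --global \
      --network-endpoint-group=gae-neg --network-endpoint-group-region="$REGION"
  # 4. URL map, Google-managed certificate, HTTPS proxy bound to the policy.
  gcloud compute url-maps create gae-urlmap --default-service=gae-backend
  gcloud compute ssl-certificates create gae-cert --global --domains="$DOMAIN"
  gcloud compute target-https-proxies create gae-https-proxy --url-map=gae-urlmap \
      --ssl-certificates=gae-cert --ssl-policy=gae-tls12-only
  # 5. Static IP and the forwarding rule that exposes port 443.
  gcloud compute addresses create gae-ip --global --ip-version=IPV4
  gcloud compute forwarding-rules create gae-https-rule --global --ports=443 \
      --load-balancing-scheme=EXTERNAL --address=gae-ip \
      --target-https-proxy=gae-https-proxy
}

# Reads `openssl s_client` output on stdin and prints the negotiated version
# from the "New, TLSv1.2, Cipher is ..." line, or "none" when the handshake
# was refused (s_client then prints "New, (NONE), Cipher is (NONE)").
negotiated_protocol() {
  proto=$(sed -n 's/^New, \(TLSv[0-9.]*\), Cipher is .*/\1/p' | head -n 1)
  printf '%s\n' "${proto:-none}"
}

# Audit-style check: each legacy version must be refused and TLS 1.2 accepted.
verify_legacy_tls_disabled() {
  host="$1"; ok=0
  for v in tls1 tls1_1 tls1_2; do
    p=$(openssl s_client -connect "$host:443" -servername "$host" "-$v" \
          </dev/null 2>/dev/null | negotiated_protocol)
    case "$v:$p" in tls1_2:TLSv1.2|tls1:none|tls1_1:none) ;;
      *) echo "unexpected result for -$v: $p"; ok=1 ;; esac
  done
  return $ok
}
```

The check is only meaningful when the local OpenSSL build still supports TLS 1.0/1.1 as a client; a build with those versions compiled out reports "none" for every server.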

Patrice Bertrand

Jul 17, 2021, 4:51:22 AM
to Google App Engine
Thank you for your reply @David. May I ask if creating a ticket with GCP support, although not the recommended option, could still be one available option?
Because setting up Cloud Load Balancing and serverless NEGs would be quite an endeavor, plus some added costs, while we don't actually have any need for these features at the moment; all we need is the deactivation of TLS 1.0 and 1.1.
Thanks
Message has been deleted

yananc

Aug 31, 2021, 5:52:56 PM
to Google App Engine

Hi,

Although not the recommended option, creating a ticket with GCP tech support is now an option only for GAE customers with previously existing custom TLS configs.

Patrice Bertrand

Sep 1, 2021, 9:36:07 AM
to Google App Engine
Hello,

I see that you have deleted your previous answer that said "Although not the recommended option, creating a ticket with GCP tech support is an option for existing customers."
This is quite annoying, and costly as well, because based on your previous answer, and since I was indeed an existing customer (since 2017), I went ahead and subscribed to paid support for this project. I had understood, based on your answer, that this would allow me to have the TLS configuration modified.
I imagine that it is because I filed a support case asking for TLS configuration, with a reference to this conversation, that someone checked the answer that was given by Google here, and modified it. Of course it is best to have correct answers in this conversation, and to remove incorrect answers. But you have to understand that the incorrect answer given to me here cost me over $100 in support subscription, with no result, since our GAE-based application will not be made compliant with security test suites.

This erroneous answer and its consequences aside, I think the question of TLS 1.0 and 1.1 should be answered by GCP and should require neither a support ticket nor a CLB subscription, because it is not a whimsical desire; it is a general and major problem, affecting many if not all GAE applications, since the use of these protocols that are deemed unsafe makes all applications fail compliance test suites.

I think GCP should make this setting readily available to all GAE applications.

In the meantime, I suppose I can now close my support subscription since it will not be of any use?
