Google App Engine Node.js TLS 1.2


Alex Komarovsky

Jan 23, 2018, 10:10:09 AM
to Google App Engine

Our application is hosted on Google App Engine Node.js (Flexible Environment). We are now under a security inspection and are failing on the issue that our application supports TLS versions 1.0 and 1.1.

Is there a way to enforce the use of only TLS 1.2? And also block ciphers that are below 128 bits?

Yannick (Cloud Platform Support)

Jan 23, 2018, 2:26:24 PM
to Google App Engine
Hello Alex, I found this Stack Overflow question which explains how you can enforce the use of TLS 1.2 and of specific ciphers using NodeJS.

Regarding Google's stance on TLS and ciphers, please read this article on commonly reported SSL/TLS vulnerabilities.

I hope this helps!

Alex Komarovsky

Jan 24, 2018, 2:26:32 PM
to Google App Engine
Thanks @Yannick for the response.

After more investigation, I found out that in App Engine flex the HTTPS requests are terminated on an NGINX server. So the Node server receives only HTTP requests.
Is there a way to control the SSL policy of the NGINX server, like you can do with a Compute Engine load balancer?

Kenworth (Google Cloud Platform)

Jan 25, 2018, 1:40:01 PM
to Google App Engine
SSL is terminated at the load balancer. Then the load balancer creates a new secure connection to the NGINX server. You can verify this by SSHing to your VM. AFAIK there is no need to control the SSL policy of the NGINX server.

Alex Komarovsky

Jan 25, 2018, 1:46:02 PM
to google-a...@googlegroups.com
Thanks. That makes sense.

Now my follow-up question: can we control the SSL policy on the load balancer?


Kenworth (Google Cloud Platform)

Jan 26, 2018, 4:13:38 PM
to Google App Engine
For clarification purposes, what kind/extent of SSL policy control are we talking about?