How to figure out the TLS version of the API calls being made to an Google App Engine based application?

[Hamid Raza]

Hi there,

I am working on an app which is based on python27 and deployed on Google App Engine (Standard env). The app basically exposes most of its functionalities via REST APIs. And there are lot of customers who have integrated these APIs in their platforms.

I just ran a security scan of the app and found out that it is still supporting TLS1.0. By reading on it a bit, I found out that Google front end has intentionally supported the old versions of TLS in order to make the apps work with every client side browsers (or for backward compatibility). 

I have also figured out the way to disable the old versions of TLS for the app (that would be by contacting Google Support). However, before doing so I would like to know which of the customers are using TLS1.0 for communicating to the app so that I can give heads up to those customers and not to break them unexpectedly (because after Google has disabled the TLS1.0 for the app the customers who are using TLS1.0 won't be able to access the app).

I have already went through the Stack Driver logs to see if it can provide any information about TLS versions with each API call being made to the app but it does not have such information.

So, is there any way to figure out which API calls are being made with TLS1.0? From the API calls logs I can figure out customers.

[Olu]

I understand you are looking for ways to check API calls that are made using TLS 1.0. From the information provided on this StackExchange link[1 -- the thread is pulling information from a GKE pod], it is possible to Query the Stackdriver Trace API on your project. The output of running a Curl command for verbose information on particular trace ID would return the TLS version that the SSL connection is using. 

I hope that info would be helpful. 

[1]https://serverfault.com/questions/858839/unable-to-get-stackdriver-trace-information-in-google-cloud-console

[Hamid Raza]

Yes, we can get TLS version info from GKE pod or for the apps which are deployed on compute engine. However, in my case, the app is deployed on app engine and to be specific standard version of app engine.
I tried pulling traces using stackdriver trace API but it does not give me any information regarding TLS version.

[Elliott (Cloud Platform Support)]

Hello Hamid,

If you cannot get the information you need from Stackdriver, the best way to proceed is to create a feature request to have that information to be present.

Please follow this link to create a feature request for Stackdriver.