SSL/TLS Forward Secrecy Support for Custom Domains?

[Thomas Schranz]

Is there a way to enable/support forward secrecy on App Engine using custom domains?

http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html

http://stackoverflow.com/a/12906972/403939

https://news.ycombinator.com/item?id=5947704

Thanks a lot in advance.

[Thomas Schranz]

Anyone knows (or might someone who does know) something about this?

[Wolfram Gürlich]

AFAIK forward secrecy is the only available option with all Google services including custom domains. At least it says it uses "ECDHE_RCA" when you look at the SSL connection info.

[Thomas Schranz]

Thanks a lot for your reply Wolfram. It indeed looks like all custom domains on app engine support forward secrecy now:

https://www.ssllabs.com/ssltest/analyze.html?d=blossom.io&s=74.125.34.52

as far as I understand this was not the case at the time I posted to the group but I'm pretty happy about this & hope it stays like that :)

[Thomas Schranz]

It looks like using custom domains on app engine are no longer protected by TLS forward secrecy:

https://www.ssllabs.com/ssltest/analyze.html?d=blossom.io&s=74.125.34.52

Am I reading the ssllabs results the wrong way or did the behaviour change?

I just checked the results with an appspot domain now as well and it also says 'forward secrecy: NO'

Can anyone confirm?

[Thomas Schranz]

Just wanted to update that there indeed still is support for forward secrecy for some browsers, but not for all that would support it,

that's why the ssllabs report isn't "green" regarding forward secrecy (which it used to be earlier iirc => maybe they've made the test stricter).

Any input on this would be highly appreciated as we as customers who host on app engine can't do anything about it (improve the situation) from what I understand.