GCE Managed SSL: param for ECDSA certificates?

Mark Kubacki

Dec 23, 2018, 10:14:59 PM
to Google App Engine
Hello:

I am using Google App Engine with a custom domain, which works so far.

Switching SSL security to Google-managed employs an RSA 2048 certificate for signing.

Yet I'd like to use ECDSA P-256 (and ECDHE-ECDSA suites) – is there any flag or command line option for this setting? (One exists but for DNSSEC.)

-- 
Thanks!
Mark Kubacki

Nicolas (Google Cloud Platform Support)

Jan 7, 2019, 8:20:10 PM
to Google App Engine
Hi Mark, 

Currently it is not possible to manually customize the TLS versions on App Engine.

However a feature request has been forwarded to the App Engine engineering team so that they may evaluate it. You can track the feature request here. Note that there are no ETAs or guarantees of implementation for feature requests.

Also I have created a private issue on Issue Tracker so you can provide us the custom domains and the TLS specifications that you want. This will allow me to file a request so it can be done manually by our team. You can find this issue here.

Mark Kubacki

Jan 10, 2019, 5:23:17 PM
to Google App Engine
Hi Nicolas,

Thanks for relaying this as a request for enhancement to the engineering team!

Just so we get the wording right—I am neither asking for customized TLS settings/versions, nor non-standard cipher suites. It's about the certificate, which I'd like to be an "ECDSA one". That is, the public-private key pair won't be RSA with 2048 bit but instead for ECDSA with curve P-256.

Your stack will adjust the available cipher suites accordingly, automatically, being presented that kind of certificate.

You've opened a bug for my domain, thanks. I've followed up there. Again, this email is just a clarification.

-- 
Cheers!
Mark Kubacki
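
Added example, not part of the original thread: a Python sketch of the point made in the post above, that the certificate's key type decides which TLS 1.2 suites a server can offer. It reads the suite list of the local OpenSSL build through the standard `ssl` module; the function names and the cipher string are assumptions chosen for illustration.

```python
import re
import ssl


def suites_by_auth(cipher_string="ECDHE+AESGCM:ECDHE+CHACHA20"):
    """Group the suites the local OpenSSL enables by the 'Au=' (authentication)
    field of their description, i.e. by the certificate key type they require."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # only affects TLS 1.2 and below
    groups = {}
    for cipher in ctx.get_ciphers():
        match = re.search(r"Au=(\S+)", cipher["description"])
        auth = match.group(1) if match else "unknown"
        groups.setdefault(auth, []).append(cipher["name"])
    return groups


def usable_with(cert_key_type, groups=None):
    """Suites a server holding only a certificate of cert_key_type
    ("RSA" or "ECDSA") can negotiate. TLS 1.3 suites are listed as Au=any:
    there the certificate's signature algorithm is negotiated separately."""
    groups = suites_by_auth() if groups is None else groups
    return groups.get(cert_key_type, []) + groups.get("any", [])


if __name__ == "__main__":
    for key_type in ("RSA", "ECDSA"):
        print(key_type, "certificate:")
        for name in usable_with(key_type):
            print("   ", name)
```
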

Nicolas (Google Cloud Platform Support)

Jan 11, 2019, 10:20:15 PM
to Google App Engine
Hi Mark,

Thanks for your last message.

I will be adding the information provided to the Feature Request that we’ve already filed, they will be useful!

I will be closing this private issue as I understand that no changes are required to your specific project but more of a possible general improvement of the product. You can follow the progress of the possible implementation of this feature here.

Please note that there are no ETAs or guarantees of implementation for feature requests.

Thank you for your understanding.

Devin Taylor

Jan 22, 2019, 9:13:12 AM
to Google App Engine
Hey Mark,

I don't believe a link was provided for the Feature Request to support SSL via ECDSA. 

We currently already had one open and you can star it here. It has been open since 2016, however, I made sure to update the engineers internally that the community still has interest in the request.

Be sure to follow the tracker for any updates :) 