We have multiple standard App Engine projects that need a restriction on the TLS version (>= 1.2). Is there a setting to change that through the console?
2 Answers
Changing the supported TLS versions requires an SSL policy. SSL policies can only be applied to HTTP(S) Load Balancers and SSL Proxy Load Balancers.
You can create an HTTP(S) Load Balancer and a backend configured for App Engine. That is the only method to change supported TLS versions.
[Update 2023-08-06]
See the answer by @intotecho about using a constraint.

- Thx, I've seen people saying opening a ticket to GCP would allow them to make the changes, do you have any information confirming that? – I-SF May 26 '21 at 19:33
- I am not aware of Google Support supporting manual changes to TLS for App Engine. I do not actually know for sure, but I doubt it based upon internal knowledge. If you have a reference, I will look into this. – John Hanley May 26 '21 at 21:30
- @JohnHanley The ability to configure TLS minimum versions is alluded to in a Google App Engine group discussion at https://groups.google.com/g/google-appengine/c/W-RSgayAb_I/m/620NKq5kCQAJ. I'm assuming that is out of date. – Mark Sep 26 '22 at 04:38
There's now a way to restrict TLS Versions by Organization Policy without configuring a Load Balancer: Policy for Restrict TLS Versions
You need `roles/orgpolicy.policyAdmin` to configure it.
https://console.cloud.google.com/iam-admin/orgpolicies?
The policy covers appengine.googleapis.com and many Google APIs.
In the next few quarters, "The App Engine frontend will be 'secure by default' (tentatively, this means TLS1.2+ and aligning with the Cloud Load-balancing Modern profile)" ref
As @beano commented, and my testing confirms, this doesn't work for App Engine (yet). But it does work for Cloud Storage.
"Using an Organization Policy as a way of restricting TLS versions does not apply to App Engine, Cloud Functions, Cloud Run and custom domains. See restricted services."

- Thank you for adding an answer about the `restrictTLSVersion` constraint. – John Hanley Aug 07 '23 at 02:33
- Using an Organization Policy as a way of restricting TLS versions does not apply to App Engine, Cloud Functions, Cloud Run and custom domains. See [restricted services](https://cloud.google.com/assured-workloads/docs/restrict-tls-versions#unsupported-services). We also put in a support request to GCP to see whether they can set the minimum without a Load Balancer but they refused to do it (although they have done it for others) and said a Load Balancer was the only option. Hopefully they set the minimum by default in these services soon, otherwise we have no choice but to move to AWS. – beano Aug 19 '23 at 23:13
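
The load balancer approach from the first answer, written out as an added example (it is not code from any of the answers or comments above): an external HTTPS load balancer with a serverless NEG for App Engine and an SSL policy with a minimum of TLS 1.2. The resource names, `REGION` and `DOMAIN` are placeholder assumptions; `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: App Engine behind an HTTPS load balancer whose SSL policy
# enforces TLS >= 1.2. PREFIX, REGION and DOMAIN are placeholders (assumptions).
set -eu

REGION="${REGION:-us-central1}"       # assumption: must match the App Engine app's region
DOMAIN="${DOMAIN:-app.example.com}"   # constructed placeholder domain
PREFIX="${PREFIX:-gae-tls12}"         # hypothetical name prefix for all resources

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

create_tls12_lb() {
  # 1. SSL policy: this is where the minimum TLS version is set.
  run gcloud compute ssl-policies create "$PREFIX-policy" \
    --profile MODERN --min-tls-version 1.2
  # 2. Serverless NEG that routes to the App Engine app.
  run gcloud compute network-endpoint-groups create "$PREFIX-neg" \
    --region "$REGION" --network-endpoint-type serverless --app-engine-app
  # 3. Backend service with the NEG attached, URL map, managed certificate.
  run gcloud compute backend-services create "$PREFIX-backend" \
    --global --load-balancing-scheme EXTERNAL_MANAGED
  run gcloud compute backend-services add-backend "$PREFIX-backend" --global \
    --network-endpoint-group "$PREFIX-neg" \
    --network-endpoint-group-region "$REGION"
  run gcloud compute url-maps create "$PREFIX-map" \
    --default-service "$PREFIX-backend"
  run gcloud compute ssl-certificates create "$PREFIX-cert" \
    --domains "$DOMAIN" --global
  # 4. HTTPS proxy carrying the SSL policy, then the public forwarding rule.
  run gcloud compute target-https-proxies create "$PREFIX-proxy" \
    --url-map "$PREFIX-map" --ssl-certificates "$PREFIX-cert" \
    --ssl-policy "$PREFIX-policy"
  run gcloud compute forwarding-rules create "$PREFIX-fr" --global \
    --load-balancing-scheme EXTERNAL_MANAGED \
    --target-https-proxy "$PREFIX-proxy" --ports 443
  # 5. Only accept traffic via the load balancer, so clients cannot reach the
  #    default appspot.com frontend, which the SSL policy does not cover.
  run gcloud app services update default \
    --ingress internal-and-cloud-load-balancing
}

# Only touch the project when explicitly asked: ./script.sh apply
if [ "${1:-}" = "apply" ]; then create_tls12_lb; fi
```

Step 5 applies to the `default` service only; other App Engine services in the project need the same ingress setting.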