Google App Engine Node.js TLS 1.2

3

9

Our application is hosted on Google App Engine Node.js (Flexible Environment). We are now undergoing a security review and are failing on the finding that Google App Engine supports TLS 1.0 and 1.1.

Is there a way to enforce the use of TLS 1.2 only? And also block ciphers that are below 128 bits?

Partain answered 23/1, 2018 at 14:48 Comment(5)
Potentially of interest: #42681747 - Palmira
@DanCornilescu, so it seems it is at the App Engine load balancer level and there is no way to control it, right? - Partain
That's my understanding as well. Maybe technically not exactly the load balancer, but somewhere around there, in the edge common infra serving all cloud clients. - Palmira
I think I found more info here. It seems that the nginx proxy serving requests to App Engine Flex can't be customized, so there is no way to update the SSL policy. - Partain
The explanation in this answer also confirms it: https://mcmap.net/q/358692/-do-i-need-to-setup-a-reverse-proxy-behind-google-app-engine-or-not - Palmira
3

I can confirm that you can make a request to Google support and it takes up to 4 weeks to make the change. Not sure why. Hopefully they can speed things up in the future. But alternatively you can handle this logic at the application layer (in middleware) rather than the network layer. See snippet below:

// using NODEJS + TYPESCRIPT (Express)
// Reject requests that arrived over TLS 1.0/1.1 at the application layer.
// Note: this runs after the TLS handshake has already completed, so the
// weaker protocol was negotiated; the middleware only refuses to serve
// the request over it. getProtocol() exists only on a TLSSocket, i.e. when
// Node terminates TLS itself; behind a TLS-terminating proxy req.socket is
// a plain net.Socket and the check fails closed (426).
import { TLSSocket } from 'tls';

this.app.use((req, res, next) => {
      const socket = req.socket as TLSSocket;
      const protocol = typeof socket.getProtocol === 'function' ? socket.getProtocol() : null;
      // const cipher = socket.getCipher();
      // output eg: { name: 'ECDHE-RSA-AES128-GCM-SHA256', version: 'TLSv1/SSLv3' }
      console.log('protocol: ', protocol);
      // output eg: TLSv1.2

      if (protocol === 'TLSv1.2' || protocol === 'TLSv1.3') {
          next();
      } else {
          // RFC 9110: a 426 response must carry an Upgrade header naming the required protocol
          res.set('Upgrade', 'TLS/1.2, HTTP/1.1');
          res.set('Connection', 'Upgrade');
          res.status(426).send('request requires TLSv1.2 or greater, please upgrade');
      }
  });
Purnell answered 7/9, 2019 at 2:34 Comment(0)
2

So I also came up against this problem...and found that GCP weren't that helpful. They'll helpfully restrict at a domain level if a support ticket is put forward....which resolves the security concern...but you'll still get false positives which need explaining at every penetration test (the GAE shared IPs accept other versions of TLS for other domains).

For a nice clean solution, use Cloudflare for your DNS. They essentially act as a middleman/web application firewall. Amongst other things (free certificates, WAF, DDoS mitigation, CDN, HTTPS force, HSTS etc etc etc), you're able to set the minimum TLS version as you wish. Mine is now minimum TLS 1.2, supporting TLS 1.3 if the browser accepts it. I've also essentially only got ports 80/443 on GAE connected to Cloudflare, with no public access at all, as all traffic goes through Cloudflare first. Pretty neat - zero ports open to the public and a fully operational website! The pen test guys just scratched their heads and packed up.

Oh...and FYI - it's free for this level of configuration. Happy security testing ;-)

Atwekk answered 16/3, 2019 at 1:13 Comment(2)
There's now a solution for this situation within GCP, which is serverless NEGs. You'll be able to configure your own endpoint without a shared IP and whatever certs you want. - Felly
In 2023, is there a way to set a minimum TLS of 1.2 using GCP without the additional cost associated with implementing a static IP and load balancer / forwarding rules? AWS is setting this as standard in their serverless products, so I am surprised Google is still requiring customers to go through this process and incur the additional costs. - Kaycekaycee
0

I've not tried this so I can't guarantee it would work, but it seems like you could use an HTTP(S) Load Balancer. The SSL policies are configurable such that it would likely meet the requirements of your security review.

Idell answered 25/1, 2018 at 4:36 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.