Reputation: 131
Our application is hosted on Google App Engine Node.js (Flexible Environment). We are now under a security review and are failing on the finding that Google App Engine supports TLS 1.0 and 1.1.
Is there a way to enforce the use of only TLS 1.2? And also to block ciphers that are below 128 bits?
Upvotes: 9
Views: 3645
Reputation: 389
I can confirm that you can make a request to google support and it takes up to 4 weeks to make the change. Not sure why. Hopefully they can speed things up in the future. But alternatively you can handle this logic at the application layer (in middleware) rather than the network layer. See snippet below:
// using NODEJS + TYPESCRIPT
// disable tls 1.0 and 1.1 weak ciphers
import { TLSSocket } from 'tls';

this.app.use((req, res, next) => {
    // req.socket is the underlying TLSSocket when Node terminates TLS itself
    // const cipher = (req.socket as TLSSocket).getCipher();
    const protocol = (req.socket as TLSSocket).getProtocol();
    // console.log('cipher: ', cipher);
    // output eg: { name: 'ECDHE-RSA-AES128-GCM-SHA256', version: 'TLSv1/SSLv3' }
    console.log('protocol: ', protocol);
    // output eg: TLSv1.2
    if (protocol === 'TLSv1.2' || protocol === 'TLSv1.3') {
        next();
    } else {
        // 426 Upgrade Required: refuse clients that negotiated TLS 1.0/1.1
        res.status(426);
        res.send('request requires TLSv1.2 or greater, please upgrade');
    }
});
Upvotes: 3
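The answer above checks only the protocol version; the question also asks to refuse ciphers below 128 bits. The following is an added example, not code from the answer or from App Engine, that does both as an Express-style middleware around a pure, unit-testable decision function. It assumes Node's tls.TLSSocket API (getProtocol() and getCipher()) and the (req, res, next) middleware signature; the TlsPolicy shape, the cipher-name table and the function names are this example's own. It fails closed: where TLS is terminated upstream (a load balancer or proxy in front of the process), req.socket is a plain TCP socket with no getProtocol(), and the middleware refuses the request rather than letting unverified traffic through, which makes the gap visible instead of hiding it.

```typescript
// Added example (not code from the original answer): an application-layer TLS
// policy check for Node.js. Refuses connections negotiated below a minimum TLS
// version and cipher suites whose symmetric key is shorter than a minimum size.
// Assumes Node's tls.TLSSocket API (getProtocol(), getCipher()) and an
// Express-style (req, res, next) middleware signature.
import type { TLSSocket } from "node:tls";
import type { IncomingMessage, ServerResponse } from "node:http";

interface TlsPolicy {
  minProtocol: "TLSv1.2" | "TLSv1.3";
  minCipherBits: number;
}

// Ordering of the protocol names Node returns from getProtocol().
const PROTOCOL_RANK: Record<string, number> = {
  SSLv3: 0, TLSv1: 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4,
};

// Symmetric key size implied by a cipher-suite name, in OpenSSL form
// ('ECDHE-RSA-AES128-GCM-SHA256') or IANA form ('TLS_AES_128_GCM_SHA256').
// Returns undefined for names this table does not recognise.
function cipherKeyBits(name: string): number | undefined {
  const aes = /AES[_-]?(\d{3})/.exec(name);
  if (aes) return Number(aes[1]);
  const camellia = /CAMELLIA[_-]?(\d{3})/.exec(name);
  if (camellia) return Number(camellia[1]);
  if (/CHACHA20/.test(name)) return 256;                  // ChaCha20 always uses a 256-bit key
  if (/SEED/.test(name)) return 128;
  if (/3DES|DES[_-]CBC3|DES_EDE/.test(name)) return 112;  // 3DES: 168-bit key, 112-bit strength
  if (/RC4|RC2|\bDES\b|_DES_|NULL|EXPORT/.test(name)) return 0; // obsolete, export-grade or unencrypted
  return undefined;
}

// Pure decision function: testable without a real socket.
function evaluateTls(
  protocol: string | null | undefined,
  cipherName: string | undefined,
  policy: TlsPolicy,
): { ok: boolean; reason?: string } {
  const rank = protocol ? PROTOCOL_RANK[protocol] : undefined;
  if (rank === undefined || rank < PROTOCOL_RANK[policy.minProtocol]) {
    return { ok: false, reason: `protocol ${protocol ?? "unknown"} is below ${policy.minProtocol}` };
  }
  const bits = cipherName ? cipherKeyBits(cipherName) : undefined;
  if (bits === undefined || bits < policy.minCipherBits) {
    return { ok: false, reason: `cipher ${cipherName ?? "unknown"} is below ${policy.minCipherBits} bits` };
  }
  return { ok: true };
}

// Express-style middleware. Fails closed: if the socket is not a TLSSocket
// (for example because a proxy terminated TLS upstream), nothing can be
// verified here and the request is refused rather than waved through.
function tlsPolicyMiddleware(policy: TlsPolicy) {
  return (req: IncomingMessage, res: ServerResponse, next: () => void): void => {
    const socket = req.socket as Partial<TLSSocket>;
    const protocol = typeof socket.getProtocol === "function" ? socket.getProtocol() : undefined;
    const cipherName = typeof socket.getCipher === "function" ? socket.getCipher().name : undefined;
    const verdict = evaluateTls(protocol, cipherName, policy);
    if (verdict.ok) {
      next();
      return;
    }
    res.statusCode = 426; // Upgrade Required
    res.setHeader("Upgrade", "TLS/1.2, HTTP/1.1");
    res.setHeader("Connection", "Upgrade");
    res.end(`request requires ${policy.minProtocol} or greater: ${verdict.reason}`);
  };
}

// Usage: app.use(tlsPolicyMiddleware({ minProtocol: "TLSv1.2", minCipherBits: 128 }));
```

When the Node process terminates TLS itself, the same floor is better set at handshake time, with `https.createServer({ minVersion: 'TLSv1.2', ciphers: '<allowed suites>' }, app)`, so that weak clients never reach the application; the middleware is then a second, logged check rather than the only control. When a front end terminates TLS for you, as the other answers describe, the version floor has to be configured there.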
Reputation: 109
So I also came up against this problem... and found that GCP weren't that helpful. They'll helpfully restrict at a domain level if a support ticket is put forward... which resolves the security concern... but you'll still get false positives which need explaining at every penetration test (the GAE shared IPs accept other versions of TLS for other domains).
For a nice clean solution, use Cloudflare for your DNS. They essentially act as a middleman/web application firewall. Amongst other things (free certificates, WAF, DDoS mitigation, CDN, HTTPS force, HSTS etc. etc. etc.), you're able to set the minimum TLS version as you wish. Mine is now minimum TLS 1.2, supporting TLS 1.3 if the browser accepts it. I've also essentially only got ports 80/443 on GAE connected to Cloudflare, with no public access at all, as all traffic goes through Cloudflare first. Pretty neat - zero ports open to the public and a fully operational website! The pen test guys just scratched their heads and packed up.
Oh... and FYI - it's free for this level of configuration. Happy security testing ;-)
Upvotes: 2
Reputation: 481
I've not tried this so I can't guarantee it would work, but it seems like you could use an HTTP(S) Load Balancer. The SSL policies are configurable such that it would likely meet the requirements of your security review.
Upvotes: 0