GoogleCloudPlatform/jit-groups

Cloud App Engine still using TLS 1.0 and 1.1

Closed this issue · 6 comments

Hi,
We deployed the JIT application in Google cloud app engine with the default appspot.com domain.
During our pentest, we found that it is still using TLS 1.0 and 1.1.
How do we get rid of these versions and use TLS 1.2 instead?

Any idea? Or do we need to contact Google for this?

I don't think it's possible to restrict TLS versions for the default .appspot.com endpoint. However, you can deploy a load balancer with a serverless NEG in front of the AppEngine app, and then you can use SSL policies to adjust settings.
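The load balancer plus SSL policy setup described in the reply above, as an added example that is not part of this issue or of the jit-groups project: a POSIX shell script that builds a global external HTTPS load balancer with a serverless NEG pointing at the App Engine service, attaches an SSL policy whose floor is TLS 1.2, and then restricts App Engine ingress so the appspot.com endpoint (which still speaks TLS 1.0/1.1) cannot be used to bypass the policy. The project ID, region, domain and resource names are placeholder assumptions. By default the script only prints the gcloud commands (`DRY_RUN=1`); set `DRY_RUN=0` to execute them and run the post-deployment handshake check.

```shell
#!/bin/sh
# Added example, not code from the issue or the jit-groups project.
# Puts a global external HTTPS load balancer (serverless NEG -> App Engine)
# in front of the JIT Access app and pins the frontend to TLS >= 1.2.
# All values below are placeholder assumptions; override them via the environment.
set -eu

PROJECT="${PROJECT:-my-jit-project}"          # GCP project hosting the App Engine app
REGION="${REGION:-us-central1}"               # region of the App Engine app (us-central -> us-central1)
APP_SERVICE="${APP_SERVICE:-default}"         # App Engine service to put behind the LB
DOMAIN="${DOMAIN:-jitaccess.example.com}"     # custom (sub)domain the LB will serve
PREFIX="${PREFIX:-jitaccess}"                 # prefix for all LB resource names
MIN_TLS="${MIN_TLS:-1.2}"                     # lowest TLS version the SSL policy accepts
DRY_RUN="${DRY_RUN:-1}"                       # 1 = print commands only, 0 = execute them

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

deploy_tls12_lb() {
  # SSL policy: MODERN profile plus a TLS 1.2 floor, so 1.0/1.1 handshakes are refused at the LB.
  run gcloud compute ssl-policies create "$PREFIX-tls12" --project "$PROJECT" \
      --profile MODERN --min-tls-version "$MIN_TLS" --global
  # Static IP that the custom domain's A record will point at.
  run gcloud compute addresses create "$PREFIX-ip" --project "$PROJECT" \
      --ip-version IPV4 --network-tier PREMIUM --global
  # Serverless NEG that targets the App Engine service (region must match the app's region).
  run gcloud compute network-endpoint-groups create "$PREFIX-neg" --project "$PROJECT" \
      --region "$REGION" --network-endpoint-type serverless --app-engine-service "$APP_SERVICE"
  # Backend service with the NEG as its only backend.
  run gcloud compute backend-services create "$PREFIX-backend" --project "$PROJECT" \
      --load-balancing-scheme EXTERNAL_MANAGED --global
  run gcloud compute backend-services add-backend "$PREFIX-backend" --project "$PROJECT" --global \
      --network-endpoint-group "$PREFIX-neg" --network-endpoint-group-region "$REGION"
  # URL map: every request goes to that backend.
  run gcloud compute url-maps create "$PREFIX-urlmap" --project "$PROJECT" \
      --default-service "$PREFIX-backend" --global
  # Google-managed certificate for the custom domain (it only becomes ACTIVE once DNS resolves to the LB IP).
  run gcloud compute ssl-certificates create "$PREFIX-cert" --project "$PROJECT" \
      --domains "$DOMAIN" --global
  # HTTPS proxy: this is where the SSL policy actually takes effect.
  run gcloud compute target-https-proxies create "$PREFIX-https-proxy" --project "$PROJECT" \
      --url-map "$PREFIX-urlmap" --ssl-certificates "$PREFIX-cert" --ssl-policy "$PREFIX-tls12" --global
  # Frontend: port 443 on the reserved IP.
  run gcloud compute forwarding-rules create "$PREFIX-https-rule" --project "$PROJECT" \
      --load-balancing-scheme EXTERNAL_MANAGED --network-tier PREMIUM --address "$PREFIX-ip" \
      --target-https-proxy "$PREFIX-https-proxy" --ports 443 --global
  # Without this, clients can still hit <app>.appspot.com directly and the
  # policy is bypassed; only allow traffic that arrives through the LB.
  run gcloud app services update "$APP_SERVICE" --project "$PROJECT" \
      --ingress internal-and-cloud-load-balancing
}

# Post-deployment check (needs network, DNS and an ACTIVE certificate): legacy
# versions must fail, TLS 1.2 must succeed. @SECLEVEL=0 makes a modern OpenSSL
# actually offer TLS 1.0/1.1, so a failure is the server's decision, not the client's.
verify_legacy_tls_rejected() {
  for v in tls1 tls1_1; do
    if openssl s_client -connect "$DOMAIN:443" -servername "$DOMAIN" "-$v" \
         -cipher 'DEFAULT:@SECLEVEL=0' </dev/null >/dev/null 2>&1; then
      echo "FAIL: $DOMAIN still negotiates $v" >&2
      return 1
    fi
  done
  openssl s_client -connect "$DOMAIN:443" -servername "$DOMAIN" -tls1_2 </dev/null >/dev/null 2>&1
  echo "OK: $DOMAIN rejects TLS 1.0/1.1 and accepts TLS 1.2"
}

deploy_tls12_lb
[ "$DRY_RUN" = "1" ] || verify_legacy_tls_rejected
```

Two things the pentest report will otherwise flag again: the SSL policy is bound to the target HTTPS proxy, not to the backend, so forgetting `--ssl-policy` on the proxy leaves the LB on Google's default policy; and the ingress setting is what actually removes the appspot.com TLS 1.0/1.1 surface, since the load balancer alone only adds a second, stricter front door.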

Thanks, @jpassing.
If we use a load balancer and adjust SSL policies, do we then need to purchase a new domain for this configuration?

Yes, you'll need a custom domain. But it could be a subdomain of a domain that you already own.

We have registered a new custom domain from Google. With respect to the deployment, is any change needed, especially in the app.yaml configuration, now that we are introducing a LB in front of App Engine?

```sh
# Unquoted heredoc: the $... variables are expanded by the shell when app.yaml is written.
cat << EOF > app.yaml
runtime: java17
instance_class: F2
service_account: $SERVICE_ACCOUNT
env_variables:
  RESOURCE_SCOPE: $SCOPE_TYPE/$SCOPE_ID
  RESOURCE_CATALOG: AssetInventory
  RESOURCE_CUSTOMER_ID: $ACCOUNT_CUSTOMER_ID
  ACTIVATION_TIMEOUT: 60
  JUSTIFICATION_HINT: "Bug or case number"
  JUSTIFICATION_PATTERN: ".*"
EOF
```

If you use a serverless NEG to deploy a load balancer in front of AppEngine, then I don't think you'll need to change the JIT Access configuration at all. However, the resulting setup will deviate from the two "standard" deployment patterns documented here and I've never tested this kind of setup myself.

Another option would be to switch from AppEngine to Cloud Run. You could use your existing project and service account, follow the steps to deploy JIT Access on Cloud Run in the same project (which includes setting up a load balancer) and once that works, undeploy the AppEngine app.

I'll go ahead and close this issue. If you encounter further issues or questions, please feel free to reopen it.