Google App Engine Node.js TLS 1.2

Our application is hosted on Google App Engine Node.js (Flexible Environment). We are now undergoing a security inspection and failing on the issue that Google App Engine supports TLS 1.0 and 1.1.

Is there a way to enforce the use of only TLS 1.2? And also block ciphers that are below 128 bit?

alexkom asked Jan 23 '18 14:01

1 Answer

So I also came up against this problem...and found that GCP weren't that helpful. They'll helpfully restrict at a domain level if a support ticket is put forward...which resolves the security concern...but you'll still get false positives which need explaining at every penetration test (the GAE shared IPs accept other versions of TLS for other domains).

For a nice clean solution, use Cloudflare for your DNS. They essentially act as a middleman/web application firewall. Amongst other things (free certificates, WAF, DDoS mitigation, CDN, HTTPS force, HSTS etc etc etc), you're able to set the minimum TLS version as you wish. Mine is now minimum TLS 1.2, supporting TLS 1.3 if the browser accepts it. I've also essentially only got port 80/443 on GAE connected to Cloudflare, with no public access at all, as all traffic goes through Cloudflare first. Pretty neat - zero ports open to the public and a fully operational website! The pen test guys just scratched their heads and packed up.

Oh...and FYI - it's free for this level of configuration. Happy security testing ;-)

prout.james answered Sep 21 '22 17:09