Can Google App Engine Java support TLS>1.0


Problem description
We have a Java app on Google App Engine. We use Google's custom domains and SSL support. A recent security audit has found two issues that we need to resolve relating to the SSL configuration:

1) The server-side SSL/TLS endpoint is configured to allow weak SSL/TLS cipher suites. Specifically: block ciphers having block size of 112 bits - DES, 3DES and cipher suites that use block ciphers (e.g. AES, 3DES) in CBC mode.

2) The server-side SSL/TLS endpoint is configured to allow connections using TLS protocol version 1.0 ("TLSv1.0"), which contains known weaknesses.

Looking at the App Engine docs, I believe both of these are outside the scope of control we have over the App Engine environment. So we cannot change them unless we put a different load balancer or SSL termination point in front of App Engine (maybe CloudFlare, or our own custom instance, for example).

My question is, is there any way to control the SSL and TLS settings in App Engine, and if not, is the best alternative to put CloudFlare (or other proxy) in front of it?

Or, if there is a reasonable defence/explanation of these security weaknesses from Google, I could use that to defend the current configuration Google has for App Engine apps.
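The two audit findings above are really a rule about cipher-suite names plus a rule about the protocol floor, and the question's fallback option of a self-managed termination point is the one place where the app owner could enforce them directly. The following is an added example, not code from the original question or from Google: it classifies suite names (in both the IANA spelling, `TLS_RSA_WITH_3DES_EDE_CBC_SHA`, and the OpenSSL spelling, `DES-CBC3-SHA`) against the auditor's criteria, and builds a Python `ssl` server context that a self-hosted terminator could use so that neither finding applies. All function and constant names (`is_weak_suite`, `audit_suites`, `hardened_server_context`, `context_is_clean`, `_WEAK_MARKERS`, `_AEAD_MARKERS`) are this example's own, and the sample suite list is constructed. One caveat on the finding as quoted: 3DES has a 64-bit block; the 112 figure is its effective key length.

```python
"""Classify TLS cipher suites against the audit findings quoted in the question
(DES/3DES and CBC-mode suites; TLS 1.0 enabled) and build a server-side ssl
context, for a self-managed TLS terminator, that excludes both.

Added example; not from the original post or from Google.
"""
import ssl

# Substrings that identify the algorithm families the audit flagged. Both the
# IANA spelling (TLS_RSA_WITH_3DES_EDE_CBC_SHA) and the OpenSSL spelling
# (DES-CBC3-SHA, AES128-SHA) are handled below. Names are assumptions of this
# example.
_WEAK_MARKERS = ("DES", "RC4", "NULL", "EXP")
_AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")
_BLOCK_CIPHERS = ("AES", "CAMELLIA", "ARIA", "SEED")


def is_weak_suite(name: str) -> bool:
    """True if the suite uses DES/3DES (or RC4, NULL, export ciphers), or a
    block cipher in CBC mode: the audit's cipher-suite criteria."""
    n = name.upper()
    if any(m in n for m in _WEAK_MARKERS):
        return True
    if "CBC" in n:  # IANA names spell the mode out
        return True
    # OpenSSL names omit "CBC": a block-cipher suite that is not an AEAD
    # (GCM/CCM/ChaCha20) suite is a CBC suite.
    block_cipher = any(c in n for c in _BLOCK_CIPHERS)
    return block_cipher and not any(m in n for m in _AEAD_MARKERS)


def audit_suites(names):
    """Split a list of suite names into (weak, acceptable) lists, preserving order."""
    weak = [n for n in names if is_weak_suite(n)]
    ok = [n for n in names if not is_weak_suite(n)]
    return weak, ok


def hardened_server_context() -> ssl.SSLContext:
    """Server-side context for a self-managed TLS terminator: TLS 1.2 and up
    only, ECDHE key exchange with AEAD suites only. Certificates would be
    loaded with load_cert_chain() before use."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # removes finding 2
    # OpenSSL cipher string: AES-GCM or ChaCha20-Poly1305 with ECDHE only.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")  # removes finding 1
    return ctx


def context_is_clean(ctx: ssl.SSLContext) -> bool:
    """Verify a context against both findings: protocol floor at least
    TLS 1.2 and no suite the classifier flags among what it would offer."""
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        return False
    return not any(is_weak_suite(c["name"]) for c in ctx.get_ciphers())


if __name__ == "__main__":
    # Constructed sample list mixing both naming styles.
    sample = [
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "ECDHE-RSA-AES256-SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "ECDHE-RSA-CHACHA20-POLY1305",
        "TLS_AES_256_GCM_SHA384",
    ]
    weak, ok = audit_suites(sample)
    print("flagged:", weak)
    print("acceptable:", ok)
    print("hardened context clean:", context_is_clean(hardened_server_context()))
```

The classifier is meant to be run over whatever suite list an audit tool or `openssl ciphers -v` reports for the endpoint; the context builder only matters for the "own custom instance" option in the question, since on App Engine itself the GFE configuration is not exposed to the app. A live check of what a remote endpoint actually negotiates is deliberately not part of this example, as it would need network access.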

Solution

I heard back from two incredibly helpful GCE engineers, the gist of it is:

"the settings are shared with the servers serving most Google services, balancing client compatibility with modern best practices"

"[App Engine] runs our standard GFE configuration"

"While we deprecate what we can, we have to balance that with compatibility. Modern browsers do not allow the configuration of a TLS connection to be downgraded and so supporting older protocols like TLS 1.0 doesn't affect them."

So basically, it's good enough for Google, and their security teams are making those security choices based on a number of factors - as they see fit they will deprecate the older versions.
