Thank @Yannick for the response. After more investigation, I found out that in app engine flex the HTTPS requests are terminated on an NGINX server. So the node server receives only HTTP requests. Is there a way to control the ssl policy of the NGINX server? like you can do with compute engine load balancer <https://cloud.google.com/compute/docs/load-balancing/ssl-policies#working_with_ssl_policies> ?
On Tuesday, January 23, 2018 at 9:26:24 PM UTC+2, Yannick (Cloud Platform Support) wrote: > > Hello Alex, I found this Stack Overflow question > <https://stackoverflow.com/questions/31865325/node-js-tls-request-with-specific-ciphers> > which > explains how you can enforce the use of TLS 1.2 and of specific ciphers > using NodeJS. > > Regarding Google's stance on TLS and ciphers, please read this article on > commonly > reported SSL/TLS vulnerabilities > <https://sites.google.com/site/bughunteruniversity/nonvuln/commonly-reported-ssl-tls-vulnerabilities> > . > > I hope this helps! > > On Tuesday, January 23, 2018 at 10:10:09 AM UTC-5, Alex Komarovsky wrote: >> >> Our application hosted on Google App Engine Node.js (Flexible >> Environment). We are now under review of security inspection and failing on >> the issue that our application supports TLS 1.0 and 1.1 versions. >> >> >> Is there a way to enforce the use of only TLS 1.2? And also block ciphers >> that are below 128 bit? >> > -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/google-appengine. To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/7151e1e0-a0ab-4460-bd8a-062333d6536f%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
