We just had a PCI compliance scan and failed due to allowing weak ciphers.
How do we disable TLSv1.0, DES, 3DES ciphers?
Submit a ticket to Google Cloud Support with a list of projects and request that the protocol and ciphers be disabled for your projects.
Related
We are looking for an API to programmatically register new domains and upload corresponding SSL certificates for an existing Google App Engine application. Background: we would like to offer a DNS-based reverse proxy for our GAE-based service, where our customers can access our application through a domain they own. One can easily configure new domain names (SNI) manually and upload a matching SSL certificate. In order to automate the process and also limit our exposure to customer-owned SSL certificates, we would like to automate the process.
I have been browsing Google's Management API for Google App Engine (https://cloud.google.com/appengine/docs/admin-api/reference/rpc/google.appengine.v1), but could not find a way to accomplish the aforementioned functionality through that API. Does such an API exist?
Thanks,
Soeren
Currently there is no support for this.
There is a feature request for this, created on Nov 13, 2015, which also addresses Let's Encrypt support.
And there is a hint in it: an alpha for "App Engine Admin API - Custom Domains & SSL Certificates" already exists somewhere in the wild.
You can star or comment on this feature request here:
https://issuetracker.google.com/issues/35900034
It looks like this isn't supported right now. This might be because of the domain verification process; you can find out more about what serving SSL on a custom domain on App Engine looks like here.
Hello people and GAE/Google Apps for Business support,
We can't configure SSL for our custom domain. Our project number is 340915567134
We follow https://support.google.com/a/answer/2644334?hl=en ; but the "show more" link does not appear.
We follow https://developers.google.com/appengine/docs/ssl but again; we do not see it in the Google Apps for Business new control panel (security).
We have the DNS ready and verified; we have the GAE project running, we have billing in Google Apps and GAE.
We do not know what it can be. The only thing we see in the official documentation of GAE is
"You must have an App Engine application with billing enabled that has
cleared at least one billing charge; use this application when
enabling SSL."
The question is: must we wait for the first month to pay and then the option will be enabled (show)??
Thank you in advance,
carlos
Hi Carlos.
To do that I use a Cloudflare Pro account. It costs 20$ per month for the first domain and 5$ per month for each supplementary domain. You benefit from SSL encryption with your domain name without buying a personal certificate. In addition, Cloudflare provides services like DDoS protection, SPDY protocol, a caching system for your site, ...
Is it possible to use Extended Validation SSL-Certificate with Google App Engine for a custom domain?
Edit 1:
I didn't find EV-cert in the list of supported certs:
https://developers.google.com/appengine/docs/ssl#certificate_requirements
Afaik, EV certs are technically no different than normal certs, so servers should have no problems using them. OTOH, here are certificate requirements for use on GAE.
I was looking to check out the experimental backup/restore feature of the app-engine datastore, so I followed the instructions and enabled "Datastore Administration" as explained in the link.
After doing so, instead of seeing the Datastore administration controls in the dashboard I am getting a "This webpage is not available" on chrome and "Server not found" on Firefox.
I understand this is experimental but still any help from the app-engine team would be appreciated in terms of what's going on with this feature :)
UPDATE: I tried this on another app (with an empty datastore) and the Datastore Administration page comes up normally.
A few things to check:
Are you using the new high availability datastore? The docs don't specify but it's likely this experimental feature is not compatible with the deprecated master/slave datastore.
If your app is using Java, you have to deploy a non-default Python app to use the backup/restore feature (search for "a note for java developers" on the page).
How large is your datastore? It may take a while to enable the feature on very large datastores.
How long is your app's name? The error you are seeing is DNS related. The Datastore Admin feature seems to make a request to:
ah-builtin-python-bundle-dot-latest-dot-[YOUR APP NAME].appspot.com
at one point. Due to the length of that subdomain name, if your app name is longer than roughly 23 characters, you'll get a DNS error because DNS is limited to 63 characters per domain section:
http://en.wikipedia.org/wiki/Domain_Name_System#Domain_name_syntax
In my limited testing, I was able to get to a longer domain name by adding the ah-builtin-python-bundle... domain name directly to my system's etc/hosts file:
http://en.wikipedia.org/wiki/Hosts_(file)
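The label-length limit described in the answer above can be checked before enabling the feature. This is an added example, not code from the thread or from App Engine: it assumes the hostname pattern quoted in the answer, and the function names and sample app names are hypothetical.

```python
# Added example: DNS length check for the Datastore Admin hostname.
MAX_LABEL = 63   # DNS limit: characters per label (section between dots)
MAX_NAME = 253   # DNS limit: characters in the full name, text form

# Hostname pattern quoted in the answer; {app} stands for the app name.
ADMIN_TEMPLATE = "ah-builtin-python-bundle-dot-latest-dot-{app}.appspot.com"


def label_problems(hostname):
    """Return (label, reason) for every length rule the hostname breaks."""
    problems = []
    name = hostname.rstrip(".")
    if len(name) > MAX_NAME:
        problems.append((name, "name longer than %d characters" % MAX_NAME))
    for label in name.split("."):
        if not label:
            problems.append((label, "empty label"))
        elif len(label) > MAX_LABEL:
            problems.append(
                (label, "label is %d characters, limit is %d"
                 % (len(label), MAX_LABEL)))
    return problems


def max_app_name_length(template=ADMIN_TEMPLATE):
    """Longest app name that keeps the templated first label within limit."""
    first_label = template.split(".")[0]
    fixed = len(first_label.replace("{app}", ""))
    return MAX_LABEL - fixed


def admin_host_is_valid(app_name):
    """True when the admin hostname built for app_name is a legal DNS name."""
    return not label_problems(ADMIN_TEMPLATE.format(app=app_name))


if __name__ == "__main__":
    # Constructed app names, not taken from the thread.
    for app in ("shortapp", "a" * 23, "a" * 24, "my-very-long-application-name"):
        host = ADMIN_TEMPLATE.format(app=app)
        print(len(app), app, label_problems(host) or "ok")
    print("max app name length:", max_app_name_length())
```

The fixed part of the first label is 40 characters, which is where the answer's figure of roughly 23 characters for the app name comes from.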
Since App Engine is so locked down I assume there is no way to set up an SSL certificate to allow credit card payments. In the absence of this, how is it possible to securely handle payments in an App Engine app?
http://code.google.com/appengine/docs/java/config/webxml.html#Secure_URLs says that
<ssl-enabled>true</ssl-enabled>
can be set in your appengine-web.xml file with *.appspot.com subdomains. Google had a typo in their opening tag on that page, just FYI.
For Google Apps you can't use HTTPS at all, but for appspot you can.
As far as using your own cert, you can't! For appspot, Google's cert is not signed for your web-app's specific domain so it will cause a browser pop-up, but if accepted the page will load.
As of today, App Engine supports SSL on your own domain. See:
https://developers.google.com/appengine/docs/ssl
Note that there are two options. The more expensive (VIP - $99 per month) will work with all browsers, whereas the cheaper (SNI - $9 per month) doesn't work on some variations. See here:
http://en.wikipedia.org/wiki/Server_Name_Indication#Support
You can also use e.g. Cloudflare.com to front your app and provide SSL. Currently this is HTTPS to Cloudflare and then normal HTTP to App Engine. This will protect from any drive-by hacks but would be possible to intercept should an attacker somehow get between CF and GAE. This technique is described here:
http://blorn.com/post/20185054195/ssl-for-your-domain-on-google-app-engine