Disable weak cipher for Google Cloud App engine custom domain website - google-app-engine

I have set up a custom domain website using a PHP Google Cloud App engine. After some third party security testing i've been advised to disable the use of cipher suite DES-CBC3-SHA (TLS_RSA_WITH_3DES_EDE_CBC_SHA).
I'm trying to find out if its possible to disable this for a Google PHP App engine? Most of what I can find online either doesn't answer this particular question or is somewhat out of date.
I found this post useful, Can Google App Engine Java support TLS>1.0 . This suggests it's not possible, however it doesn't actually answer the question, it just concludes that if its good enough for google it should be fine.

Currently it is not possible to disable this cipher suite for a custom domain on the user end. However, it is possible to file a ticket to the GCP support and ask them to do this for your domain.

Related

Does Google provide support for Google APIs for vaadin if not using google app engine as a runtime..?

I am new in vaadin and developing a web project so want to know if i do't use Google App Engine as my project's run time environment so that am able to use Google all APIs such as:
*Calender API
*Contact API
*Drive API
* and also other which google provide :
Google APIs
As i get to know that GAE has lot of limitations.
Please suggest me for the structure design of an Enterprise project with
Maven+vaadin+Runtime Environment(Jboss)+Eclipse+MySQL
Google APIs does not require your application to be running on Google App Engine unless of course you’re trying to use an App Engine specific API like this.
If you’re seeking suggestions on how to structure your project using Google App Engine, you may want to do so in official App Engine Google Group as such questions can be considered too broad on stackoverflow.

SSL with Google App Engine custom domain

Does anyone know if it is going to be possible anytime soon to setup SSL for a custom domain without a Google App account directly from the Google cloud developers console? Signing up for yet another Google account is bordering on making me insane.
I have setup a custom domain via the Google cloud developers console for my app project, and this is serving as a naked url...no problem.
Then I tried to setup a Google App account with an existing account linked to my Google App Engine project as an owner, but it didn't like it. So I setup a new one (deleted now) and re-verified the custom domain, which then stopped the serving of the custom domain. I then deleted the Google App account and it started serving the custom domain again. I have no idea why, what or how...
I have purchased an SSL certificate from Comodo, not yet activated, and all I want to do is set it up without giving myself an emotional hernia, I get enough of those from coding! And, yes, read the docs, but you know, they suck! A step by step idiots example would be great!
Does anyone have a guide other than a google doc on how to setup SSL for a custom domain including activating the SSL cert etc. etc.
Thanks one and all
Ok, I have discovered that Google are moving the SSL setup to their developers cloud console at the end of August 2015. So I shall wait until then to see what that process is like and then decide to go with it or perhaps use Cloudflare or some other alternative if there is one.
See https://code.google.com/p/googleappengine/issues/detail?id=777
We have added support for custom domains for App Engine from the
Google Developers Console, meaning you can now associate a custom
domain without first associating that domain with Google Apps.
To access the feature, visit https://console.developers.google.com/
and you will find the option to add a custom domain under App Engine >
Settings.
NOTE: Currently we do not support SSL on custom domains created
through this method (although we expect to rectify this in a future
release). In the meantime, we continue to support SSL (via VIP or SNI)
for custom domains that are created through Google Apps, and we
continue to provide free HTTPS for all *.appspot.com domains.

Google App Engine - Federated ID (OpenID) cannot run in SSL

The documentation for Google App Engine Federated IDs states:
WARNING: at the time of this writing, OpenID is not supported if your app runs in secure mode using HTTPS.
I am just checking to see if this is still the case. The bug seems to be related to Issue 3586, which remains unresolved.
There is a similar question, but it has not been updated in two years: Secure remote_api in app engine with OpenID.
If I understand correctly, this issues means that one cannot use OpenIDs with Google App Engine if your app requires SSL. Do I understand correctly? Are there any workarounds (e.g. Janrain's RPX)?

Securing a deployed Roo/GWT application

I recently succeded in uploading a Roo/GWT project on Google App Engine.
But, how can I secure it from the Google App Engine application dashboard?
Is there a way to tell to GAE to put a Google Login Box at the start and set a list of authorized accounts?
Thank you very much,
Regards.
Just answered ~same q. here Adding an authentification system in a deployed Roo/Gwt project
This is in progress to be implemented for GWT 2.1/Roo 1.1.0. See this for more details https://jira.springsource.org/browse/ROO-1003
If you can't wait, check the Spring Security in Google App Engine article, at http://blog.springsource.com/2010/08/02/spring-security-in-google-app-engine/ That approach is not supported by Roo though (so once you change the generated code, it will be harder, but still possible, to continue using Roo)

Connecting domain to google app engine without google apps

Actualy, It's a couple of questions:
Is it possible to somehow avoid registering google apps if I just want to connect google app engine applications to non-naked domain (www.example.com for example:)
If described above is impossible, than do I have a right to register Google Apps Education Edition. And how can I proof that I'm non-profit if I'm not US resident?
If I need to connect a couple of domains to a couple of google app instances must I use a couple of google appss as well?
Here is a couple of answers:
No, Google App Engine uses Google Apps to manage domains. See the Deploying your Application on your Google Apps URL article.
Yes, if you are a School or University as explained here. If you aren't, why don't you just go for the Standard Edition?
Yes, for a couple of domains and a couple of GAE instances, you'll need a couple of Google Apps AFAIK. But this shouldn't be an issue as the Google Apps Standard Edition is free. No. As pointed out by Nick, you can add multiple domains to an Apps account as aliases, then map them to different App Engine apps.
Edit: The 3rd answer has been updated with the input provided by Nick Johnson in a comment.
With the the (new?) developer console it is possible add domains to apps for free without using Google Apps. But you will not be able to use HTTPS without registering the domain with Google Apps.
So the answer to the first question is "Yes" (presuming TLS is not required). The second question is not relevant. And as for the third question, multiple domains can be linked with the same application (without using Google Apps).
Select your project in the developer console (https://console.developers.google.com/project)
Navigate the side menu to access App Engine domain settings (App Engine -> Settings)
After verifying your domain (which may take some time) you can add the domain to the app.
I can't currently find Google-blessed documentation to support this. But I am currently serving an App Engine application on a domain that is not registered with Google Apps.
Another option commonly used is to use a reverse proxy to map customer domains to your AppEngine app. I'm using this because I can't add them as Google Apps domain aliases on my primary domain, since some customers run Google Apps by their own.
Details here: http://devblog.ronoaldo.net/2013/09/mapping-multiple-domains-to-google.html

Resources