
Enable TLS 1.3 only on GCP Global External Application LB. Reject client connections using TLS 1.2 or lower

Hi guys,


In the GCP Load Balancer there are SSL Policy settings. There, we can set the minimum TLS version only up to 1.2, not 1.3.

[screenshot attachment: azzi_0-1716400613531.png]


I have tried to create a custom profile by selecting only the ciphers below that are designed exclusively for TLS 1.3, but it failed.

[screenshot attachment: azzi_0-1716400810344.png]


Any ideas?

Thanks


Hi azzi,

Are you trying to configure an SSL policy with TLS 1.3? I've tried different commands from Gemini but all of them fail. Then I took a look at the Google docs (https://cloud.google.com/load-balancing/docs/ssl-policies-concepts) and I found this:

"You can use an SSL policy to configure the minimum TLS version and SSL features that are enabled in the load balancer". It also says:

"For example, if a load balancer is configured with a minimum TLS version of 1.2, a handshake with a modern client that supports TLS 1.3 selects TLS 1.3"

So it's not possible to directly configure the load balancer to only accept TLS 1.3, but if you configure the SSL policy with TLS 1.2 (for example with the MODERN profile) the connection from a client that uses TLS 1.2 is managed with TLS 1.3.

Hope it can help,

Amato

Dear LovedCloud,

Thanks for your help, but the thing is our requirement strictly allows only TLS 1.3 and rejects TLS 1.2 and below. With the option that you gave, a legacy client can still connect with TLS 1.2 even though a modern client is already on TLS 1.3.

Regards,
Azzi

We have the same requirements. Here is what is happening:

1) From browser to HTTPS LB it uses TLS 1.3

docker@WL-24XK9C3:~$ curl -kv https://xxx:443
*   Trying xxx:443...
* Connected to xxx (xxx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
Redacted info
*  SSL certificate verify result: self-signed certificate (18), continuing anyway.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x55ef035fbeb0)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/2
> Host: xxx
> user-agent: curl/7.81.0
> accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 200
< content-type: text/plain
< via: 1.1 google
< cache-control: private, no-store
< date: Wed, 05 Jun 2024 08:28:48 GMT
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
<
* TLSv1.2 (IN), TLS header, Supplemental data (23):
Hello from TLS server!
TLS Version: TLSv1.2
Cipher Suite: ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256)
* Connection #0 to host xxx left intact


2) From LB to backend it switches to TLS 1.2

Connection from: ('ProxyIP', 38364)
TLS Version: TLSv1.2
Cipher: ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256)
Received: GET / HTTP/1.1
host: xxxx
user-agent: curl/7.81.0
accept: */*
x-cloud-trace-context: fd3d80758a20311a0bd14a718325c4cb/8118919407871389423
x-forwarded-proto: https
via: 1.1 google
x-forwarded-for: xxxx

Our backend is restricted to TLS 1.3 and it rejects the LB's request. Kindly post the solution if you happen to find one.