A few days ago we received an email warning that from March 2026, only connections to App Engine using TLS 1.2 and higher will be allowed.
The email says that projects created after 1 April 2025 will already have this policy applied by default, but we have created a test project and it still supports connections with TLS 1.0.
Also, in the same email, they link to a page in the documentation (https://cloud.google.com/appengine/docs/standard/secure-minimum-tls) that supposedly explains how you can force the new policy on an existing project from 1 April, but the documentation is empty.
Does anyone know more about this? This is a major change that affects our company very directly and we want to be able to assess the impact as soon as possible.
Thank you!
Hi jpcfrog,
The rollout of the opt-in to TLS 1.0 feature has been slightly delayed. So new projects will still support TLS 1.0 connections. We will be updating the release notes as soon as this becomes available.
Happy to answer any questions that you might have.
- Arun
Google rolled it out but people reported issues - see this question and comments under it on Stack Overflow (I also had issues).
Because of those issues, Google turned it off again (postponed the rollout).
Hi,
Is there any further update on this? And any ETA decided for this feature?
Thanks,
Sanoj Sudhakaran
Hello, no matter how I turn on TLS 1.2+ (gcloud or UI), and no matter which tool I use to test this, they all say that old TLS versions are still available, e.g.:
$ nmap --script ssl-enum-ciphers -p 443 xxx.yyy
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-06-19 10:53 CEST
Nmap scan report for xxx.yyy (216.239.34.21)
Host is up (0.017s latency).
Other addresses for xxx.yyy (not scanned): [...]
rDNS record for 216.239.34.21: any-in-2215.1e100.net
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| compressors:
| NULL
| cipher preference: server
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| TLSv1.1:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| compressors:
| NULL
| cipher preference: server
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| compressors:
| NULL
| cipher preference: server
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| TLSv1.3:
| ciphers:
| TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
| cipher preference: client
|_ least strength: C
Nmap done: 1 IP address (1 host up) scanned in 2.52 seconds
Why?
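A check for scan output like the one in the post above, as an added example that is not part of the original thread: it parses `ssl-enum-ciphers` text and reports which protocol versions below TLS 1.2 are still offered and which ciphers nmap grades worse than A. The function names and the `example.test` sample are constructed for illustration.

```python
import re

# Protocol versions a TLS 1.2+ minimum is meant to reject.
LEGACY = {"SSLv3", "TLSv1.0", "TLSv1.1"}
PROTO_RE = re.compile(r"^(SSLv3|TLSv1\.[0-3]):$")
CIPHER_RE = re.compile(r"^(TLS_\w+)\s.*-\s([A-F])$")

# Constructed sample in the format shown in the post (not a real scan).
SAMPLE = """\
Nmap scan report for example.test (192.0.2.10)
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|_  least strength: C
"""

def parse_ssl_enum_ciphers(text):
    """Map each offered protocol version to its (cipher, grade) pairs."""
    offered, current = {}, None
    for raw in text.splitlines():
        # Drop nmap's "|" / "|_" gutter and indentation (tolerates flattened pastes).
        line = raw.lstrip("|_ \t").rstrip()
        proto = PROTO_RE.match(line)
        if proto:
            current = proto.group(1)
            offered[current] = []
            continue
        cipher = CIPHER_RE.match(line)
        if cipher and current:
            offered[current].append((cipher.group(1), cipher.group(2)))
    return offered

def audit(text):
    """Report legacy protocols still negotiable and ciphers graded below A."""
    offered = parse_ssl_enum_ciphers(text)
    legacy = sorted(p for p, suites in offered.items() if p in LEGACY and suites)
    weak = sorted({c for suites in offered.values() for c, g in suites if g > "A"})
    return {"legacy_protocols": legacy, "weak_ciphers": weak,
            "meets_tls12_minimum": bool(offered) and not legacy}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Running the same audit on a scan taken before and after changing the minimum TLS setting shows whether the change took effect for that hostname.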