
Modifying TLS cipher suites for a Google Cloud Run service

I'm trying to restrict TLS ciphers for a service we run on Google Cloud Run that exposes its API using Google Endpoints.

Those Endpoints use some sort of proxy (Envoy, from what I've read).

Here's how it should work. We are concerned with the second half, because we want to set up ssl_server_cipher_suites (at least I hope) to contain commas.

The Docker container with the proxy is deployed to those Endpoints; I added this to the Dockerfile:

ENV ESPv2_ARGS ^++^--ssl_server_cipher_suites="ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384"++--enable_debug

When I deploy it, the service starts, and the log shows that the value has changed somewhere:

Starting Config Manager with args: ['bin/configmanager', '--logtostderr', '--rollout_strategy', 'fixed', '--backend_address', 'http://127.0.0.1:8082', '--v', '1', '--envoy_xff_num_trusted_hops', '0', '--listener_port', '8080', '--ssl_server_cipher_suites', 'ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384', '--service_json_path', '/etc/endpoints/service.json', '--compute_platform_override', 'Cloud Run(ESPv2)', '--suppress_envoy_headers=false']

But when I try to verify that via nmap, it returns the same thing:

$ nmap --script ssl-enum-ciphers -p 443 myapp.a.run.app
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-18 13:13 CEST
Nmap scan report for ...

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
…

The second flag (--enable_debug) works better: when it is there, there is more in the log. But the ciphers don't seem to apply. I also tried limiting TLS to TLSv1.3 only (--ssl_minimum_protocol="TLSv1.3"), but nmap kept returning TLSv1.2 as well.

Any ideas, please?
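Added example, not part of the post and not ESPv2 or Google code: a Go program (standard library only) that stands up a local TLS 1.2 listener restricted to the four suites named in the post's --ssl_server_cipher_suites value and then probes it one suite at a time, which is what nmap's ssl-enum-ciphers does per cipher. It shows what a cipher allow-list that is actually in effect looks like from the outside. Two things it assumes: the flag names in the post are OpenSSL-style, so they are mapped here to the IANA names that nmap prints; and the throwaway certificate is ECDSA, so only the ECDHE-ECDSA half of the list can ever be negotiated, which is why a listing that still shows every RSA key-exchange and CBC suite, as in the post's nmap output, means the listener being probed is not applying the policy, whatever the proxy's own log says.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"sort"
)

// PostAllowList is the four-suite --ssl_server_cipher_suites value from the post as Go IDs.
var PostAllowList = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
}

// must aborts on a local setup error (key generation, listening); probes never call it.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSignedCert builds a throwaway P-256 certificate for the local listener (test-only).
func selfSignedCert() tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	// Minimal template: the probe skips identity verification, so no subject or SAN is needed.
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// StartServer opens a TLS 1.2-only loopback listener restricted to the given suites, drives handshakes in the background, and returns the address plus a stop function.
func StartServer(allowed []uint16) (string, func() error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{selfSignedCert()},
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12,
		CipherSuites: allowed,
	})
	must(err)
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func() {
				defer c.Close()
				_ = c.(*tls.Conn).Handshake() // an error here is simply a rejected probe
			}()
		}
	}()
	return ln.Addr().String(), ln.Close
}

// probeSuite offers exactly one TLS 1.2 suite, as nmap's ssl-enum-ciphers does per cipher, and reports whether the server completed the handshake.
func probeSuite(addr string, suite uint16) bool {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		InsecureSkipVerify: true, // self-signed test cert; negotiation, not identity, is under test
		MinVersion:         tls.VersionTLS12,
		MaxVersion:         tls.VersionTLS12,
		CipherSuites:       []uint16{suite},
	})
	if err != nil {
		return false
	}
	conn.Close()
	return true
}

// EnumerateSuites probes every TLS 1.2 suite Go can offer, current and legacy alike, and returns the sorted IANA names (the form nmap prints) the server accepted.
func EnumerateSuites(addr string) []string {
	var accepted []string
	for _, cs := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		for _, v := range cs.SupportedVersions {
			if v == tls.VersionTLS12 && probeSuite(addr, cs.ID) {
				accepted = append(accepted, cs.Name)
			}
		}
	}
	sort.Strings(accepted)
	return accepted
}

func main() {
	addr, stop := StartServer(PostAllowList)
	defer stop()
	for _, name := range EnumerateSuites(addr) {
		fmt.Println(name)
	}
}
```

Run with `go run`: the local listener answers with exactly the two ECDHE-ECDSA AES-GCM suites and rejects everything else, including the two ECDHE-RSA entries from the list (no RSA key on the server) and every RSA key-exchange and CBC suite. Pointing EnumerateSuites at your own service's host:443 instead of the local address gives the same per-suite view as the nmap script; comparing that against the expected set from the configured allow-list is the check that tells you whether the layer you configured is the one terminating TLS.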
